
security issue in request client library #1276

Closed
stefreak opened this issue Sep 18, 2023 · 3 comments

Comments

@stefreak (Contributor)

Describe the bug
Dependabot reports this issue for us:
Server-Side Request Forgery in Request

The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).

NOTE: The request package is no longer supported by the maintainer.

Additional context
We need to switch to using a different HTTP client library. One possible solution might be to use the fetch API.

@stefreak (Contributor, Author)

There seem to be issues already for this, namely #414 and #754

@mstruebing (Member)

There is the release-1.x branch which reimplements the client with the fetch API instead of request.
If you want to try it, there is an RC out there: https://www.npmjs.com/package/@kubernetes/client-node?activeTab=versions

1.0.0-rc3 which you could try to use.

@brendandburns (Contributor)

This is a client library for Kubernetes, though, and if your Kubernetes server is compromised, you have bigger problems than someone triggering an SSRF.

But @mstruebing is correct, the release-1.x branch moves to fetch. Eventually we'll move it from RC to the real release.

Closing this issue since this is covered elsewhere.
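The advisory quoted above says the bypass works through a cross-protocol redirect, and the thread's answer is to move the client onto the fetch API. The following is an added example and is not code from kubernetes-client/javascript, from the `request` library, or from any commenter on this issue. It shows the property a redirect-following client needs regardless of which HTTP library it sits on: the SSRF policy has to be re-applied to every hop, including hops that change protocol, rather than only to the URL the caller passed in. The `checkEveryHop: false` branch stands in for a check applied only to the initial URL, which is the kind of mitigation a redirect can slip past; this page does not describe the exact mechanism inside `request`, so that branch is an illustration, not a reconstruction of the bug. The policy (https only, one allowed host), the `makeSend` stand-in for the network and the `SCENARIO` URLs are all constructed for this example. With the real fetch API the loop body would `await fetch(url, { redirect: 'manual' })` and read the `location` header from the 3xx response, which is what lets the caller validate each hop itself.

```javascript
'use strict';
// Added example, not code from kubernetes-client/javascript or from the `request`
// library. Re-applies an SSRF policy on every redirect hop, including
// cross-protocol ones (http <-> https), using a fetch-style client that does
// not follow redirects by itself (fetch(url, { redirect: 'manual' }) in the real API).

// Policy applied to every URL we are about to connect to. Assumption for this
// example: the API server hostname is known up front and only https to that
// host is acceptable.
function makePolicy(allowedHost) {
  return function check(urlString) {
    let u;
    try {
      u = new URL(urlString);
    } catch (err) {
      return { ok: false, reason: 'unparseable URL' };
    }
    if (u.protocol !== 'https:') {
      return { ok: false, reason: 'protocol ' + u.protocol + ' not allowed' };
    }
    if (u.hostname !== allowedHost) {
      return { ok: false, reason: 'host ' + u.hostname + ' not allowed' };
    }
    return { ok: true };
  };
}

// Follow redirects hop by hop. `send(url)` performs one request without
// following redirects and returns { status, headers, body }. With
// checkEveryHop=false only the initial URL is validated, which is the pattern
// a cross-protocol redirect slips past; the default validates every hop.
function followWithPolicy(startUrl, send, policy, opts) {
  const maxRedirects = (opts && opts.maxRedirects) || 5;
  const checkEveryHop = !(opts && opts.checkEveryHop === false);
  const hops = [];
  let current = startUrl;
  for (let i = 0; i <= maxRedirects; i++) {
    if (i === 0 || checkEveryHop) {
      const verdict = policy(current);
      if (!verdict.ok) {
        return { blocked: true, at: current, reason: verdict.reason, hops: hops };
      }
    }
    hops.push(current);
    const res = send(current);
    const location = res.headers && res.headers.location;
    if (res.status >= 300 && res.status < 400 && location) {
      // Resolve relative Location headers against the URL that issued them.
      current = new URL(location, current).href;
      continue;
    }
    return { blocked: false, status: res.status, body: res.body, finalUrl: current, hops: hops };
  }
  return { blocked: true, at: current, reason: 'too many redirects', hops: hops };
}

// Constructed offline stand-in for the network: a table of URL -> response.
function makeSend(table) {
  return function send(url) {
    return table[url] || { status: 404, headers: {}, body: '' };
  };
}

// Constructed scenario. The allowed host answers /version with a
// cross-protocol redirect (https -> http) to an internal address the policy
// must reject; /healthz redirects relatively to /readyz; /loop redirects to itself.
const SCENARIO = {
  'https://api.example.internal/version': { status: 302, headers: { location: 'http://10.0.0.5/admin' }, body: '' },
  'http://10.0.0.5/admin': { status: 200, headers: {}, body: 'internal admin page' },
  'https://api.example.internal/healthz': { status: 301, headers: { location: '/readyz' }, body: '' },
  'https://api.example.internal/readyz': { status: 200, headers: {}, body: 'ok' },
  'https://api.example.internal/loop': { status: 302, headers: { location: '/loop' }, body: '' },
};

function demo() {
  const policy = makePolicy('api.example.internal');
  const send = makeSend(SCENARIO);
  const base = 'https://api.example.internal';
  return {
    // Initial-URL-only check: the chain ends on http://10.0.0.5/admin unchallenged.
    naive: followWithPolicy(base + '/version', send, policy, { checkEveryHop: false }),
    // Per-hop check: the same chain is stopped at the http:// hop.
    strict: followWithPolicy(base + '/version', send, policy),
    // A legitimate relative redirect on the allowed host still works.
    relative: followWithPolicy(base + '/healthz', send, policy),
    // Redirect loops are bounded by maxRedirects.
    loop: followWithPolicy(base + '/loop', send, policy),
  };
}

const RESULTS = demo();
console.log('naive   :', RESULTS.naive.blocked ? 'blocked' : 'fetched ' + RESULTS.naive.finalUrl);
console.log('strict  :', RESULTS.strict.blocked ? 'blocked at ' + RESULTS.strict.at + ' (' + RESULTS.strict.reason + ')' : 'fetched');
console.log('relative:', RESULTS.relative.finalUrl, RESULTS.relative.body);
console.log('loop    :', RESULTS.loop.reason, 'after', RESULTS.loop.hops.length, 'requests');
```

The policy here is deliberately narrow (one hostname, https only) because a Kubernetes client normally talks to exactly one API server; a general-purpose HTTP client would instead resolve each hop's hostname and reject private, loopback and link-local addresses at every hop, but the structure of the loop is the same.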
