Skip to content

Commit

Permalink
Merge pull request from GHSA-q768-x9m6-m9qp
Browse files Browse the repository at this point in the history
Signed-off-by: Matteo Collina <hello@matteocollina.com>
  • Loading branch information
mcollina authored Jul 18, 2022
1 parent a29a151 commit 0a5bee9
Show file tree
Hide file tree
Showing 4 changed files with 66 additions and 3 deletions.
3 changes: 2 additions & 1 deletion lib/handler/redirect.js
Original file line number Diff line number Diff line change
Expand Up @@ -186,7 +186,8 @@ function shouldRemoveHeader (header, removeContent, unknownOrigin) {
return (
(header.length === 4 && header.toString().toLowerCase() === 'host') ||
(removeContent && header.toString().toLowerCase().indexOf('content-') === 0) ||
(unknownOrigin && header.length === 13 && header.toString().toLowerCase() === 'authorization')
(unknownOrigin && header.length === 13 && header.toString().toLowerCase() === 'authorization') ||
(unknownOrigin && header.length === 6 && header.toString().toLowerCase() === 'cookie')
)
}

Expand Down
22 changes: 21 additions & 1 deletion test/redirect-request.js
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,8 @@ const {
startRedirectingWithBodyServer,
startRedirectingChainServers,
startRedirectingWithoutLocationServer,
startRedirectingWithAuthorization
startRedirectingWithAuthorization,
startRedirectingWithCookie
} = require('./utils/redirecting-servers')
const { createReadable, createReadableStream } = require('./utils/stream')

Expand Down Expand Up @@ -489,3 +490,22 @@ t.test('removes authorization header on third party origin', async t => {

t.equal(body, '')
})

t.test('removes cookie header on third party origin', async t => {
t.plan(1)

const [server1] = await startRedirectingWithCookie(t, 'a=b')
const { body: bodyStream } = await undici.request(`http://${server1}`, {
maxRedirections: 10,
headers: {
cookie: 'a=b'
}
})

let body = ''
for await (const b of bodyStream) {
body += b
}

t.equal(body, '')
})
20 changes: 19 additions & 1 deletion test/redirect-stream.js
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,8 @@ const {
startRedirectingWithBodyServer,
startRedirectingChainServers,
startRedirectingWithoutLocationServer,
startRedirectingWithAuthorization
startRedirectingWithAuthorization,
startRedirectingWithCookie
} = require('./utils/redirecting-servers')
const { createReadable, createWritable } = require('./utils/stream')

Expand Down Expand Up @@ -401,3 +402,20 @@ t.test('removes authorization header on third party origin', async t => {

t.equal(body.length, 0)
})

t.test('removes cookie header on third party origin', async t => {
t.plan(1)

const body = []

const [server1] = await startRedirectingWithCookie(t, 'a=b')
await stream(`http://${server1}`, {
maxRedirections: 10,
opaque: body,
headers: {
cookie: 'a=b'
}
}, ({ statusCode, headers, opaque }) => createWritable(opaque))

t.equal(body.length, 0)
})
24 changes: 24 additions & 0 deletions test/utils/redirecting-servers.js
Original file line number Diff line number Diff line change
Expand Up @@ -178,6 +178,29 @@ async function startRedirectingWithAuthorization (t, authorization) {
return [server1, server2]
}

async function startRedirectingWithCookie (t, cookie) {
const server1 = await startServer(t, (req, res) => {
if (req.headers.cookie !== cookie) {
res.statusCode = 403
res.setHeader('Connection', 'close')
res.end('')
return
}

res.statusCode = 301
res.setHeader('Connection', 'close')

res.setHeader('Location', `http://${server2}`)
res.end('')
})

const server2 = await startServer(t, (req, res) => {
res.end(req.headers.cookie || '')
})

return [server1, server2]
}

async function startRedirectingWithRelativePath (t) {
const server = await startServer(t, (req, res) => {
res.setHeader('Connection', 'close')
Expand Down Expand Up @@ -206,5 +229,6 @@ module.exports = {
startRedirectingWithoutLocationServer,
startRedirectingChainServers,
startRedirectingWithAuthorization,
startRedirectingWithCookie,
startRedirectingWithRelativePath
}

0 comments on commit 0a5bee9

Please sign in to comment.