From afaa2634a8aef247b72b86eb6b99c4dc52fcc657 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1s=20Pollak?=
Date: Fri, 7 Jan 2022 14:36:43 -0300
Subject: [PATCH 1/4] Only set cookies when redirecting if domains match

---
 lib/needle.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/lib/needle.js b/lib/needle.js
index b56c8f66b..62c6333a0 100644
--- a/lib/needle.js
+++ b/lib/needle.js
@@ -168,6 +168,10 @@ function resolve_url(href, base) {
 return url.resolve(base, href);
 }
+function domains_match(one, two) {
+ return resolve_url(one).host == resolve_url(two).host;
+}
+
 function pump_streams(streams, cb) {
 if (stream.pipeline) return stream.pipeline.apply(null, streams.concat(cb));
@@ -563,7 +567,7 @@ Needle.prototype.send_request = function(count, method, uri, config, post_data,
 // if follow_set_cookies is true, insert cookies in the next request's headers.
 // we set both the original request cookies plus any response cookies we might have received.
- if (config.follow_set_cookies) {
+ if (config.follow_set_cookies && domains_match(headers.location, uri)) {
 var request_cookies = cookies.read(config.headers['cookie']);
 config.previous_resp_cookies = resp.cookies;
 if (Object.keys(request_cookies).length || Object.keys(resp.cookies || {}).length) {
From bb27da9dacbd81adcef2a51efb0381855c04420d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1s=20Pollak?=
Date: Mon, 17 Jan 2022 14:02:06 -0300
Subject: [PATCH 2/4] Update test/redirect_spec.js

---
 test/redirect_spec.js | 81 ++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 76 insertions(+), 5 deletions(-)

diff --git a/test/redirect_spec.js b/test/redirect_spec.js
index c3942e279..42d26bf5a 100644
--- a/test/redirect_spec.js
+++ b/test/redirect_spec.js
@@ -90,7 +90,6 @@ describe('redirects', function() {
 spies[current_protocol].callCount.should.eql(2);
 done();
 })
-
 }
 function followed_other_protocol(done) {
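Review bot: `domains_match` resolves each argument with `resolve_url(one)` and no base, while the call site in the second hunk passes the raw `headers.location`; a relative `Location` such as `/login` (common, and allowed by RFC 7231) has no host of its own, so a same-site relative redirect would compare against a missing or wrongly derived host and silently stop forwarding cookies — or, depending on what `resolve_url` does without a base (its body is partly outside the hunk), throw. Resolve against the current request first, e.g. `domains_match(resolve_url(headers.location, uri), uri)` at the call site, or give the helper a base parameter. `host` includes the port, so an explicit `:443` versus an implicit default also compares unequal; that is the safe direction, but deserves a comment such as `// host (not hostname) so a different port counts as a different site`. The same helper is touched again in PATCH 4/4, which adds a null guard but still no base resolution. Prefer `===` over `==` in the comparison.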
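Review bot: The new guard on the `if (config.follow_set_cookies && ...)` line compares hosts only, so a redirect from `https://` to `http://` on the same host still forwards the request cookies and whatever the redirecting response just sent in `set-cookie`, and nothing in the hunk filters those by attribute such as `Secure`. Treat a scheme change as a mismatch, for instance by having `domains_match` compare `protocol` alongside `host`, or by adding an explicit `&& same_scheme(headers.location, uri)` style check next to the host check. `config.previous_resp_cookies = resp.cookies;` is now only assigned inside the guard; if anything outside this hunk reads it for purposes other than forwarding, it should be hoisted above the `if`. `send_request` starts and ends outside the hunk, and I am assuming `headers` here is the response's headers.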
@@ -193,8 +192,6 @@ describe('redirects', function() {
 opts = { follow: value };
 })
-
-
 describe('and redirected to the same path on same host and protocol', function() {
 before(function() {
 location = url;
@@ -258,8 +255,26 @@ describe('redirects', function() {
 it('sends a GET request with no data', function(done) {
 send_request(opts, function(err, resp) {
- spies.http.args[0][0].method.should.eql('GET'); // spy.args[0][3].should.eql(null);
+ spies.http.args[0][0].method.should.eql('GET');
+ done();
+ })
+ })
+
+ it('does not resend cookies if follow_set_cookies is false', function(done) {
+ opts.cookies = {foo: 'bar'};
+ opts.follow_set_cookies = false;
+ send_request(opts, function(err, resp) {
+ should.not.exist(spies.http.args[0][0].headers['cookie']);
+ done();
+ })
+ })
+
+ it('resends cookies if follow_set_cookies is true', function(done) {
+ opts.cookies = {foo: 'bar'};
+ opts.follow_set_cookies = true;
+ send_request(opts, function(err, resp) {
+ spies.http.args[0][0].headers['cookie'].should.eql('foo=bar')
 done();
 })
 })
@@ -285,8 +300,26 @@ describe('redirects', function() {
 it('sets Referer header when following redirect', function(done) {
 send_request(opts, function(err, resp) {
- spies.http.args[0][0].headers['referer'].should.eql("http://" + host + ":8888/hello"); // spies.http.args[0][3].should.eql({ foo: 'bar'});
+ spies.http.args[0][0].headers['referer'].should.eql("http://" + host + ":8888/hello");
+ done();
+ })
+ })
+
+ it('does not resend cookies if follow_set_cookies is false', function(done) {
+ opts.cookies = {foo: 'bar'};
+ opts.follow_set_cookies = false;
+ send_request(opts, function(err, resp) {
+ should.not.exist(spies.http.args[0][0].headers['cookie']);
+ done();
+ })
+ })
+
+ it('resends cookies if follow_set_cookies is true', function(done) {
+ opts.cookies = {foo: 'bar'};
+ opts.follow_set_cookies = true;
+ send_request(opts, function(err, resp) {
+ spies.http.args[0][0].headers['cookie'].should.eql('foo=bar')
 done();
 })
 })
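Review bot: The cookie tests added in the `@@ -258` hunk, and their copies at `@@ -285` and `@@ -318`, only exercise cookies supplied by the caller through `opts.cookies`; none of them puts a `set-cookie` header on the redirecting response, which is the case the `follow_set_cookies` option is documented for and the one the first patch's guard is meant to cover. One case where the stubbed redirect response carries a `set-cookie: foo=bar` (constructed example) and the test asserts its presence on the same-host follow-up and its absence on the cross-host one would cover the actual forwarding path; the response stub lives outside these hunks, so I can't tell how much setup that needs. A relative `Location` (same host, path only) with `follow_set_cookies: true` is also worth a case, since `domains_match` is handed the raw header. Style: `spies.http.args[0][0].headers['cookie'].should.eql('foo=bar')` is missing its terminating `;` in all three hunks.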
@@ -318,6 +351,24 @@ describe('redirects', function() {
 })
 })
+ it('does not resend cookies if follow_set_cookies is false', function(done) {
+ opts.cookies = {foo: 'bar'};
+ opts.follow_set_cookies = false;
+ send_request(opts, function(err, resp) {
+ should.not.exist(spies.http.args[0][0].headers['cookie']);
+ done();
+ })
+ })
+
+ it('resends cookies if follow_set_cookies is true', function(done) {
+ opts.cookies = {foo: 'bar'};
+ opts.follow_set_cookies = true;
+ send_request(opts, function(err, resp) {
+ spies.http.args[0][0].headers['cookie'].should.eql('foo=bar')
+ done();
+ })
+ })
+
 })
 })
@@ -333,7 +384,17 @@ describe('redirects', function() {
 before(function() {
 location = url.replace(host, hostname);
 })
+ it('follows redirect', followed_same_protocol);
+
+ it('does not resend cookies even if follow_set_cookies is true', function(done) {
+ opts.cookies = {foo: 'bar'};
+ opts.follow_set_cookies = true;
+ send_request(opts, function(err, resp) {
+ should.not.exist(spies.http.args[0][0].headers['cookie']);
+ done();
+ })
+ })
 })
 })
@@ -366,7 +427,17 @@ describe('redirects', function() {
 before(function() {
 location = url.replace(host, hostname).replace(protocol, other_protocol).replace(ports[protocol], ports[other_protocol]);
 })
+ it('follows redirect', followed_other_protocol);
+
+ it('does not resend cookies even if follow_set_cookies is true', function(done) {
+ opts.cookies = {foo: 'bar'};
+ opts.follow_set_cookies = true;
+ send_request(opts, function(err, resp) {
+ should.not.exist(spies.http.args[0][0].headers['cookie']);
+ done();
+ })
+ })
 })
 })
From 669e70abbd479959a463db5e1af64c2a7292badc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1s=20Pollak?=
Date: Mon, 17 Jan 2022 14:08:44 -0300
Subject: [PATCH 3/4] Update README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index bfa89fefd..c019b27e8 100644
--- a/README.md
+++ b/README.md
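Review bot: The cross-host tests added in the `@@ -333` hunk and again at `@@ -366` assign `opts.cookies` and `opts.follow_set_cookies` on the shared `opts` object; that object is created in an enclosing hook (`opts = { follow: value };` is visible in the `@@ -193` hunk), and if that hook is a `before` rather than a `beforeEach`, `follow_set_cookies = true` leaks into whichever test runs next. Either reset `opts` per test or build a per-test copy, e.g. `var local = Object.assign({}, opts, { cookies: {foo: 'bar'}, follow_set_cookies: true });` and pass `local` to `send_request`. Style: `it('follows redirect', followed_same_protocol);` is placed directly after the `before` block's closing `})` while the other new `it` calls are separated from their neighbours by a blank line.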
@@ -360,7 +360,7 @@ Redirect options
 These options only apply if the `follow_max` (or `follow`) option is higher than 0.
- - `follow_set_cookies` : Sends the cookies received in the `set-cookie` header as part of the following request. `false` by default.
+ - `follow_set_cookies` : Sends the cookies received in the `set-cookie` header as part of the following request, *if hosts match*. `false` by default.
 - `follow_set_referer` : Sets the 'Referer' header to the requested URI when following a redirect. `false` by default.
 - `follow_keep_method` : If enabled, resends the request using the original verb instead of being rewritten to `get` with no data. `false` by default.
 - `follow_if_same_host` : When true, Needle will only follow redirects that point to the same host as the original request. `false` by default.
From d0b6295066021f38427813258e7fe2508e524081 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1s=20Pollak?=
Date: Mon, 17 Jan 2022 14:14:26 -0300
Subject: [PATCH 4/4] Update needle.js

---
 lib/needle.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/needle.js b/lib/needle.js
index 62c6333a0..c63a31942 100644
--- a/lib/needle.js
+++ b/lib/needle.js
@@ -169,7 +169,7 @@ function resolve_url(href, base) {
 }
 function domains_match(one, two) {
- return resolve_url(one).host == resolve_url(two).host;
+ return one && two && resolve_url(one).host == resolve_url(two).host;
 }
 function pump_streams(streams, cb) {