Skip to content

fix(Headers): don't forward secure headers on protocol change#1599

Merged
jimmywarting merged 2 commits intonode-fetch:mainfrom
max-stytch:max/headers-protocol-downgrade
Jul 18, 2022
Merged

fix(Headers): don't forward secure headers on protocol change#1599
jimmywarting merged 2 commits intonode-fetch:mainfrom
max-stytch:max/headers-protocol-downgrade

Conversation

@max-stytch
Copy link
Copy Markdown
Contributor

@max-stytch max-stytch commented Jul 7, 2022

Purpose

Resolves https://www.huntr.dev/bounties/db31e05b-ff10-4057-81a3-37445bf161cd/ by validating that the URL protocol remains the same when determining whether to send secure headers on a redirect.
This prevents MITM attacks from sniffing secure headers when a redirect downgrades a https:// to a http://

Changes

Adds an additional check to the redirect follow step to determine whether to send secure headers or not.

Additional information

  • I updated readme
  • I added unit test(s)

@max-stytch max-stytch mentioned this pull request Jul 7, 2022
Merged
@jimmywarting jimmywarting requested review from LinusU and gr2m July 12, 2022 16:32
gr2m
gr2m approved these changes Jul 16, 2022
View reviewed changes
Copy link
Copy Markdown
Collaborator

@gr2m gr2m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

great PR 👍🏼

@jimmywarting jimmywarting merged commit e87b093 into node-fetch:main Jul 18, 2022
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Jul 18, 2022

🎉 This PR is included in version 3.2.9 🎉

The release is available on:

Your semantic-release bot 📦🚀

@victal
Copy link
Copy Markdown

victal commented Jul 19, 2022

Sorry if this is the wrong place to ask, but since this PR is a fix for a security issue, will (or should) it be backported to the 2.x branch as it was done for #1449?

Is this done automatically or should I (or someone else interested in the fix) open another PR targeting the 2.x branch for that?

@jimmywarting
Copy link
Copy Markdown
Collaborator

jimmywarting commented Jul 19, 2022

if you @victal could create a PR to the v2 branch then that would be grate!

@victal victal mentioned this pull request Jul 19, 2022
Merged
2 tasks
@victal
Copy link
Copy Markdown

victal commented Jul 19, 2022

Just created #1605 for it, thanks!

jimmywarting pushed a commit that referenced this pull request Jul 19, 2022
@victal
fix(headers): don't forward secure headers on protocol change (#1605)
fddad0e 
backport for #1599 to the 2.x branch

Co-authored-by: Guilherme Victal <[email protected]>
@data-sync-user data-sync-user mentioned this pull request Oct 12, 2023
Closed
@ali8889 ali8889 mentioned this pull request May 19, 2024
Open
@ntnguyencse ntnguyencse mentioned this pull request May 19, 2024
Open
@mshantanu mshantanu mentioned this pull request May 19, 2024
Open
@ali8889 ali8889 mentioned this pull request May 19, 2024
Open
This was referenced May 20, 2024
Closed
Closed
@mshantanu mshantanu mentioned this pull request May 20, 2024
Open
@ali8889 ali8889 mentioned this pull request May 21, 2024
Open
@mshantanu mshantanu mentioned this pull request May 21, 2024
Open
@snyk-io snyk-io Bot mentioned this pull request May 21, 2024
Open
@Bad3r Bad3r mentioned this pull request May 22, 2024
Open
@RobinSquared RobinSquared mentioned this pull request May 22, 2024
Closed
@mshantanu mshantanu mentioned this pull request May 22, 2024
Open
@mshantanu mshantanu mentioned this pull request Sep 26, 2024
Open
@ali8889 ali8889 mentioned this pull request Sep 27, 2024
Open
@mshantanu mshantanu mentioned this pull request Sep 27, 2024
Open
@ali8889 ali8889 mentioned this pull request Sep 27, 2024
Open
@mshantanu mshantanu mentioned this pull request Sep 28, 2024
Open
@ali8889 ali8889 mentioned this pull request Sep 29, 2024
Open
@mshantanu mshantanu mentioned this pull request Sep 29, 2024
Open
@xtrmbuster xtrmbuster mentioned this pull request Sep 29, 2024
Open
@ali8889 ali8889 mentioned this pull request Sep 30, 2024
Open
@mshantanu mshantanu mentioned this pull request Sep 30, 2024
Open
@ali8889 ali8889 mentioned this pull request Sep 30, 2024
Open
This was referenced Oct 1, 2024
Open
Open
This was referenced Oct 2, 2024
Open
Open
@mshantanu mshantanu mentioned this pull request Oct 3, 2024
Open
@ali8889 ali8889 mentioned this pull request Oct 4, 2024
Open
@mshantanu mshantanu mentioned this pull request Oct 4, 2024
Open
@ali8889 ali8889 mentioned this pull request Oct 5, 2024
Open
This was referenced Oct 5, 2024
Open
Open
@Sarrac3873 Sarrac3873 mentioned this pull request Oct 17, 2024
Open
@githubgamer112 githubgamer112 mentioned this pull request Oct 25, 2024
Open
@ReneMaetzschker ReneMaetzschker mentioned this pull request Oct 26, 2024
Open
@ali8889 ali8889 mentioned this pull request Oct 30, 2024
Open
@mihaibuzgau mihaibuzgau mentioned this pull request Nov 1, 2024
Open
@ali8889 ali8889 mentioned this pull request Nov 6, 2024
Open
@snyk-io snyk-io Bot mentioned this pull request Nov 9, 2024
Closed
@mshantanu mshantanu mentioned this pull request Nov 12, 2024
Open
@ali8889 ali8889 mentioned this pull request Nov 13, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gr2m gr2m gr2m approved these changes

@jimmywarting jimmywarting jimmywarting approved these changes

@NotMoni NotMoni NotMoni approved these changes

@LinusU LinusU Awaiting requested review from LinusU

Assignees

No one assigned

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@max-stytch @victal @jimmywarting @gr2m @NotMoni