Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

fix(Headers): don't forward secure headers on protocol change #1599

Merged
merged 2 commits into from
Jul 18, 2022
Merged

fix(Headers): don't forward secure headers on protocol change #1599

merged 2 commits into from
Jul 18, 2022

Conversation

max-stytch
Copy link
Contributor

Purpose

Resolves https://www.huntr.dev/bounties/db31e05b-ff10-4057-81a3-37445bf161cd/ by validating that the URL protocol remains the same when determining whether to send secure headers on a redirect.
This prevents MITM attacks from sniffing secure headers when a redirect downgrades a https:// to a http://

Changes

Adds an additional check to the redirect follow step to determine whether to send secure headers or not.

Additional information

  • I updated readme
  • I added unit test(s)

@max-stytch max-stytch mentioned this pull request Jul 7, 2022
Merged
@jimmywarting jimmywarting requested review from gr2m and LinusU July 12, 2022 16:32
gr2m
gr2m approved these changes Jul 16, 2022
View reviewed changes
Copy link
Collaborator

@gr2m gr2m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

great PR 👍🏼

@jimmywarting jimmywarting merged commit e87b093 into node-fetch:main Jul 18, 2022
@github-actions
Copy link

🎉 This PR is included in version 3.2.9 🎉

The release is available on:

Your semantic-release bot 📦🚀

@victal
Copy link

victal commented Jul 19, 2022

Sorry if this is the wrong place to ask, but since this PR is a fix for a security issue, will (or should) it be backported to the 2.x branch as it was done for #1449?

Is this done automatically or should I (or someone else interested in the fix) open another PR targeting the 2.x branch for that?

victal pushed a commit to victal/node-fetch that referenced this pull request Jul 19, 2022
fix(headers): don't forward secure headers on protocol change
0d08bad 
backport for node-fetch#1599 to the 2.x branch
@jimmywarting
Copy link
Collaborator

if you @victal could create a PR to the v2 branch then that would be grate!

@victal victal mentioned this pull request Jul 19, 2022
Merged
2 tasks
@victal
Copy link

victal commented Jul 19, 2022

Just created #1605 for it, thanks!

jimmywarting pushed a commit that referenced this pull request Jul 19, 2022
@victal
fix(headers): don't forward secure headers on protocol change (#1605)
fddad0e 
backport for #1599 to the 2.x branch

Co-authored-by: Guilherme Victal <guilherme.a@dasa.com.br>
@data-sync-user data-sync-user mentioned this pull request Oct 12, 2023
Closed
@ali8889 ali8889 mentioned this pull request May 19, 2024
Open
@ntnguyencse ntnguyencse mentioned this pull request May 19, 2024
Open
@mshantanu mshantanu mentioned this pull request May 19, 2024
Open
@ali8889 ali8889 mentioned this pull request May 19, 2024
Open
This was referenced May 20, 2024
Closed
Closed
@mshantanu mshantanu mentioned this pull request May 20, 2024
Open
@ali8889 ali8889 mentioned this pull request May 21, 2024
Open
@mshantanu mshantanu mentioned this pull request May 21, 2024
Open
@snyk-io snyk-io bot mentioned this pull request May 21, 2024
Open
@Bad3r Bad3r mentioned this pull request May 22, 2024
Open
@lockyz lockyz mentioned this pull request May 22, 2024
Closed
@mshantanu mshantanu mentioned this pull request Sep 26, 2024
Open
@ali8889 ali8889 mentioned this pull request Sep 27, 2024
Open
@mshantanu mshantanu mentioned this pull request Sep 27, 2024
Open
@ali8889 ali8889 mentioned this pull request Sep 27, 2024
Open
@mshantanu mshantanu mentioned this pull request Sep 28, 2024
Open
@ali8889 ali8889 mentioned this pull request Sep 29, 2024
Open
@mshantanu mshantanu mentioned this pull request Sep 29, 2024
Open
@xtrmbuster xtrmbuster mentioned this pull request Sep 29, 2024
Open
@ali8889 ali8889 mentioned this pull request Sep 30, 2024
Open
@mshantanu mshantanu mentioned this pull request Sep 30, 2024
Open
@ali8889 ali8889 mentioned this pull request Sep 30, 2024
Open
This was referenced Oct 1, 2024
Open
Open
This was referenced Oct 2, 2024
Open
Open
@mshantanu mshantanu mentioned this pull request Oct 3, 2024
Open
@ali8889 ali8889 mentioned this pull request Oct 4, 2024
Open
@mshantanu mshantanu mentioned this pull request Oct 4, 2024
Open
@ali8889 ali8889 mentioned this pull request Oct 5, 2024
Open
This was referenced Oct 5, 2024
Open
Open
@Sarrac3873 Sarrac3873 mentioned this pull request Oct 17, 2024
Open
@githubgamer112 githubgamer112 mentioned this pull request Oct 25, 2024
Open
@ReneMaetzschker ReneMaetzschker mentioned this pull request Oct 26, 2024
Open
@ali8889 ali8889 mentioned this pull request Oct 30, 2024
Open
@mihaibuzgau mihaibuzgau mentioned this pull request Nov 1, 2024
Open
@ali8889 ali8889 mentioned this pull request Nov 6, 2024
Open
@snyk-io snyk-io bot mentioned this pull request Nov 9, 2024
Open
@mshantanu mshantanu mentioned this pull request Nov 12, 2024
Open
@ali8889 ali8889 mentioned this pull request Nov 13, 2024
Open
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@gr2m gr2m gr2m approved these changes

@jimmywarting jimmywarting jimmywarting approved these changes

@NotMoni NotMoni NotMoni approved these changes

@LinusU LinusU Awaiting requested review from LinusU

Assignees
No one assigned
Labels
released
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@max-stytch @victal @jimmywarting @gr2m @NotMoni