From 6e4468a2cf391f808193fdd79c9d2dee7298c2a8 Mon Sep 17 00:00:00 2001
From: ranjit-git
Date: Tue, 18 Jan 2022 10:17:46 +0530
Subject: [PATCH 1/3] Bug fix: thirdparty site cookie leak bug report https://www.huntr.dev/bounties/42c79c23-6646-46c4-871d-219c0d4b4e31/

---
 index.js | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/index.js b/index.js
index 3759063..6d1e7ba 100644
--- a/index.js
+++ b/index.js
@@ -9,6 +9,9 @@ const once = require('once')
 const querystring = require('querystring')
 const url = require('url')
 
+var flag=false
+var original_host;
+
 const isStream = o => o !== null && typeof o === 'object' && typeof o.pipe === 'function'
 
 function simpleGet (opts, cb) {
@@ -34,6 +37,13 @@ function simpleGet (opts, cb) {
 opts.headers['content-type'] = 'application/x-www-form-urlencoded'
 }
 
+ //getting original host
+ if (!flag){
+ original_host=opts.hostname
+ //console.log(original_host)
+ flag=true
+ }
+
 if (body) {
 if (!opts.method) opts.method = 'POST'
 if (!isStream(body)) opts.headers['content-length'] = Buffer.byteLength(body)
@@ -51,6 +61,13 @@ function simpleGet (opts, cb) {
 delete opts.headers.host // Discard `host` header on redirect (see #32)
 res.resume() // Discard response
 
+ var redirect_host=url.parse(opts.url).hostname //getting redirected hostname
+ //if redirected host is different than original host then drop cookie header to prevent cookie leak in thirdparty site redirect
+ if(redirect_host !== null && redirect_host !== original_host){
+ delete opts.headers.cookie;
+ delete opts.headers.authorization;
+ }
+
 if (opts.method === 'POST' && [301, 302].includes(res.statusCode)) {
 opts.method = 'GET' // On 301/302 redirect, change POST to GET (see #35)
 delete opts.headers['content-length']; delete opts.headers['content-type']
From 489f74342f76f4985acd57fe07324d4e51777858 Mon Sep 17 00:00:00 2001
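Review bot: The cross-host check added in `@@ -51,6 +61,13 @@` compares only hostnames, so a same-host redirect from `https:` to `http:` keeps forwarding the Cookie and Authorization headers over cleartext, and a port change is ignored as well (Authorization's protection space is per origin, not per host). As far as the visible context shows, `opts.protocol` still describes the request that just completed at this point, so the scheme can be checked from the same parse: `const redirect = url.parse(opts.url)` / `const downgrade = opts.protocol === 'https:' && redirect.protocol === 'http:'` / `if ((redirect.hostname !== null && redirect.hostname !== original_host) || downgrade) {`. The same hostname-only comparison is carried, under the names `rhost`/`ohost` and `redirectHost`/`originalHost`, into `@@ -61,13 +53,13 @@` of PATCH 2/3 and `@@ -53,9 +52,9 @@` of PATCH 3/3, so whatever lands here should be applied there too. The enclosing response callback and `simpleGet` both start and end outside the hunk.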
From: ranjit-git
Date: Tue, 18 Jan 2022 14:27:23 +0530
Subject: [PATCH 2/3] Bug fix: Thirdparty cookie leak

---
 index.js | 26 +++++++++----------------
 1 file changed, 9 insertions(+), 17 deletions(-)

diff --git a/index.js b/index.js
index 6d1e7ba..a650a2c 100644
--- a/index.js
+++ b/index.js
@@ -9,9 +9,6 @@ const once = require('once')
 const querystring = require('querystring')
 const url = require('url')
 
-var flag=false
-var original_host;
-
 const isStream = o => o !== null && typeof o === 'object' && typeof o.pipe === 'function'
 
 function simpleGet (opts, cb) {
@@ -37,13 +34,8 @@ function simpleGet (opts, cb) {
 opts.headers['content-type'] = 'application/x-www-form-urlencoded'
 }
 
- //getting original host
- if (!flag){
- original_host=opts.hostname
- //console.log(original_host)
- flag=true
- }
-
+ const ohost = opts.hostname
+
 if (body) {
 if (!opts.method) opts.method = 'POST'
 if (!isStream(body)) opts.headers['content-length'] = Buffer.byteLength(body)
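Review bot: `const ohost = opts.hostname` in `@@ -37,13 +34,8 @@` reads only `hostname`, but the options object is handed straight to `protocol.request`, which also accepts `host`, and a caller may pass a mixed-case `hostname`; since `url.parse` lower-cases the redirect hostname, in both cases the later comparison never matches and Cookie and Authorization are dropped on every absolute redirect, including same-host ones. That fails closed rather than leaking, but it is a surprising behaviour change for such callers and deserves a comment on this line, e.g. `// compared against the lower-cased redirect hostname; callers using 'host' or a mixed-case hostname fail closed and lose Cookie/Authorization on any absolute redirect`. PATCH 3/3 moves this capture to `const originalHost = opts.hostname` in `@@ -46,6 +44,7 @@` with the same behaviour. `simpleGet` starts and ends outside the hunk.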
@@ -61,13 +53,13 @@ function simpleGet (opts, cb) {
 delete opts.headers.host // Discard `host` header on redirect (see #32)
 res.resume() // Discard response
 
- var redirect_host=url.parse(opts.url).hostname //getting redirected hostname
- //if redirected host is different than original host then drop cookie header to prevent cookie leak in thirdparty site redirect
- if(redirect_host !== null && redirect_host !== original_host){
- delete opts.headers.cookie;
- delete opts.headers.authorization;
- }
-
+ const rhost = url.parse(opts.url).hostname // eslint-disable-line node/no-deprecated-api
+ // if redirected host is different than original host then drop cookie header to prevent cookie leak in thirdparty site redirect
+ if (rhost !== null && rhost !== ohost) {
+ delete opts.headers.cookie
+ delete opts.headers.authorization
+ }
+
 if (opts.method === 'POST' && [301, 302].includes(res.statusCode)) {
 opts.method = 'GET' // On 301/302 redirect, change POST to GET (see #35)
 delete opts.headers['content-length']; delete opts.headers['content-type']
From 6e21f5eae1141244e14806b412bde0a8c46e1903 Mon Sep 17 00:00:00 2001
From: Feross Aboukhadijeh
Date: Mon, 24 Jan 2022 19:22:45 -0800
Subject: [PATCH 3/3] code style

---
 index.js | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/index.js b/index.js
index a650a2c..80e52e8 100644
--- a/index.js
+++ b/index.js
@@ -34,8 +34,6 @@ function simpleGet (opts, cb) {
 opts.headers['content-type'] = 'application/x-www-form-urlencoded'
 }
 
- const ohost = opts.hostname
-
 if (body) {
 if (!opts.method) opts.method = 'POST'
 if (!isStream(body)) opts.headers['content-length'] = Buffer.byteLength(body)
@@ -46,6 +44,7 @@ function simpleGet (opts, cb) {
 if (opts.json) opts.headers.accept = 'application/json'
 if (opts.method) opts.method = opts.method.toUpperCase()
 
+ const originalHost = opts.hostname // hostname before potential redirect
 const protocol = opts.protocol === 'https:' ? https : http // Support http/https urls
 const req = protocol.request(opts, res => {
 if (opts.followRedirects !== false && res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
@@ -53,9 +52,9 @@ function simpleGet (opts, cb) {
 delete opts.headers.host // Discard `host` header on redirect (see #32)
 res.resume() // Discard response
 
- const rhost = url.parse(opts.url).hostname // eslint-disable-line node/no-deprecated-api
- // if redirected host is different than original host then drop cookie header to prevent cookie leak in thirdparty site redirect
- if (rhost !== null && rhost !== ohost) {
+ const redirectHost = url.parse(opts.url).hostname // eslint-disable-line node/no-deprecated-api
+ // If redirected host is different than original host, drop headers to prevent cookie leak (#73)
+ if (redirectHost !== null && redirectHost !== originalHost) {
 delete opts.headers.cookie
 delete opts.headers.authorization
 }