

Merge pull request from GHSA-m4v8-wqvr-p9f7
Signed-off-by: Matteo Collina <[email protected]>
mcollina authored Apr 2, 2024
1 parent ee5f892 commit 6805746
Showing 2 changed files with 54 additions and 2 deletions.
4 changes: 2 additions & 2 deletions lib/handler/redirect-handler.js
Expand Up @@ -201,9 +201,9 @@ function shouldRemoveHeader (header, removeContent, unknownOrigin) {
if (removeContent && util.headerNameToString(header).startsWith('content-')) {
return true
}
if (unknownOrigin && (header.length === 13 || header.length === 6)) {
if (unknownOrigin && (header.length === 13 || header.length === 6 || header.length === 19)) {
const name = util.headerNameToString(header)
return name === 'authorization' || name === 'cookie'
return name === 'authorization' || name === 'cookie' || name === 'proxy-authorization'
}
return false
}
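Review bot: The length pre-check on the new line `if (unknownOrigin && (header.length === 13 || header.length === 6 || header.length === 19))` encodes the three header names as magic numbers that must stay in sync with the string comparison two lines below, and nothing in the hunk records that coupling, so the next header added here is likely to be updated in one place but not the other. Suggest a comment above the condition: `// Cheap length pre-filter: 13 = 'authorization', 6 = 'cookie', 19 = 'proxy-authorization'; keep in sync with the names compared below`. A Set of lowercase names checked after util.headerNameToString would remove the duplication entirely, at the cost of converting every header when unknownOrigin is set. shouldRemoveHeader is contained entirely within the hunk.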
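--- a/test/redirect-cross-origin-header.js
+++ b/test/redirect-cross-origin-header.js
@@ -0,0 +1,52 @@
+'use strict'
+
+const { test } = require('node:test')
+const { tspl } = require('@matteo.collina/tspl')
+const { createServer } = require('node:http')
+const { once } = require('node:events')
+const { request } = require('..')
+
+test('Cross-origin redirects clear forbidden headers', async (t) => {
+const { strictEqual } = tspl(t, { plan: 6 })
+
+const server1 = createServer((req, res) => {
+strictEqual(req.headers.cookie, undefined)
+strictEqual(req.headers.authorization, undefined)
+strictEqual(req.headers['proxy-authorization'], undefined)
+
+res.end('redirected')
+}).listen(0)
+
+const server2 = createServer((req, res) => {
+strictEqual(req.headers.authorization, 'test')
+strictEqual(req.headers.cookie, 'ddd=dddd')
+
+res.writeHead(302, {
+...req.headers,
+Location: `http://localhost:${server1.address().port}`
+})
+res.end()
+}).listen(0)
+
+t.after(() => {
+server1.close()
+server2.close()
+})
+
+await Promise.all([
+once(server1, 'listening'),
+once(server2, 'listening')
+])
+
+const res = await request(`http://localhost:${server2.address().port}`, {
+maxRedirections: 1,
+headers: {
+Authorization: 'test',
+Cookie: 'ddd=dddd',
+'Proxy-Authorization': 'test'
+}
+})
+
+const text = await res.body.text()
+strictEqual(text, 'redirected')
+})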
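Review bot: server2 never asserts that `proxy-authorization` arrived on the first hop even though the request sends it, so the test would still pass if the client dropped Proxy-Authorization before any redirect instead of on the cross-origin one; add `strictEqual(req.headers['proxy-authorization'], 'test')` beside the two existing assertions in server2 and raise the plan to 7. The `...req.headers` spread into `res.writeHead` also copies request-only headers such as host and connection into the redirect response, which is harmless here but the response only needs `Location`. There is no same-origin redirect case showing that these headers are kept when the origin does not change, which is the regression a length/name check like this one could introduce.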
