Merge pull request from GHSA-m4v8-wqvr-p9f7

mcollina · web-flow · commit 6805746680d2 · 2024-04-02T12:41:40.000+02:00
Signed-off-by: Matteo Collina &lt;hello@matteocollina.com&gt;
diff --git a/lib/handler/redirect-handler.js b/lib/handler/redirect-handler.js
@@ -201,9 +201,9 @@ function shouldRemoveHeader (header, removeContent, unknownOrigin) {
   if (removeContent && util.headerNameToString(header).startsWith('content-')) {
     return true
   }
-  if (unknownOrigin && (header.length === 13 || header.length === 6)) {
+  if (unknownOrigin && (header.length === 13 || header.length === 6 || header.length === 19)) {
     const name = util.headerNameToString(header)
-    return name === 'authorization' || name === 'cookie'
+    return name === 'authorization' || name === 'cookie' || name === 'proxy-authorization'
   }
   return false
 }
diff --git a/test/redirect-cross-origin-header.js b/test/redirect-cross-origin-header.js
@@ -0,0 +1,52 @@
+'use strict'
+
+const { test } = require('node:test')
+const { tspl } = require('@matteo.collina/tspl')
+const { createServer } = require('node:http')
+const { once } = require('node:events')
+const { request } = require('..')
+
+test('Cross-origin redirects clear forbidden headers', async (t) => {
+  const { strictEqual } = tspl(t, { plan: 6 })
+
+  const server1 = createServer((req, res) => {
+    strictEqual(req.headers.cookie, undefined)
+    strictEqual(req.headers.authorization, undefined)
+    strictEqual(req.headers['proxy-authorization'], undefined)
+
+    res.end('redirected')
+  }).listen(0)
+
+  const server2 = createServer((req, res) => {
+    strictEqual(req.headers.authorization, 'test')
+    strictEqual(req.headers.cookie, 'ddd=dddd')
+
+    res.writeHead(302, {
+      ...req.headers,
+      Location: `http://localhost:${server1.address().port}`
+    })
+    res.end()
+  }).listen(0)
+
+  t.after(() => {
+    server1.close()
+    server2.close()
+  })
+
+  await Promise.all([
+    once(server1, 'listening'),
+    once(server2, 'listening')
+  ])
+
+  const res = await request(`http://localhost:${server2.address().port}`, {
+    maxRedirections: 1,
+    headers: {
+      Authorization: 'test',
+      Cookie: 'ddd=dddd',
+      'Proxy-Authorization': 'test'
+    }
+  })
+
+  const text = await res.body.text()
+  strictEqual(text, 'redirected')
+})

Original file line number	Diff line number	Diff line change
`@@ -201,9 +201,9 @@ function shouldRemoveHeader (header, removeContent, unknownOrigin) {`
`201`	`201`	`if (removeContent && util.headerNameToString(header).startsWith('content-')) {`
`202`	`202`	`return true`
`203`	`203`	`}`
`204`		`- if (unknownOrigin && (header.length === 13 \|\| header.length === 6)) {`
	`204`	`+ if (unknownOrigin && (header.length === 13 \|\| header.length === 6 \|\| header.length === 19)) {`
`205`	`205`	`const name = util.headerNameToString(header)`
`206`		`- return name === 'authorization' \|\| name === 'cookie'`
	`206`	`+ return name === 'authorization' \|\| name === 'cookie' \|\| name === 'proxy-authorization'`
`207`	`207`	`}`
`208`	`208`	`return false`
`209`	`209`	`}`