Skip to content

Commit

Permalink
Merge pull request from GHSA-wqq4-5wpv-mx2g
Browse files Browse the repository at this point in the history
* fix: delete 'cookie' and 'host' headers on cross-origin redirect

* apply suggestion
KhafraDev authored Oct 11, 2023

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
1 parent c8c80b1 commit e041de3
Showing 2 changed files with 52 additions and 0 deletions.
4 changes: 4 additions & 0 deletions lib/fetch/index.js
Original file line number Diff line number Diff line change
@@ -1200,6 +1200,10 @@ async function httpRedirectFetch (fetchParams, response) {
if (!sameOrigin(requestCurrentURL(request), locationURL)) {
// https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name
request.headersList.delete('authorization')

// "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement.
request.headersList.delete('cookie')
request.headersList.delete('host')
}

// 14. If request’s body is non-null, then set request’s body to the first return
48 changes: 48 additions & 0 deletions test/fetch/redirect-cross-origin-header.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
'use strict'

const { test } = require('tap')
const { createServer } = require('http')
const { once } = require('events')
const { fetch } = require('../..')

test('Cross-origin redirects clear forbidden headers', async (t) => {
t.plan(5)

const server1 = createServer((req, res) => {
t.equal(req.headers.cookie, undefined)
t.equal(req.headers.authorization, undefined)

res.end('redirected')
}).listen(0)

const server2 = createServer((req, res) => {
t.equal(req.headers.authorization, 'test')
t.equal(req.headers.cookie, 'ddd=dddd')

res.writeHead(302, {
...req.headers,
Location: `http://localhost:${server1.address().port}`
})
res.end()
}).listen(0)

t.teardown(() => {
server1.close()
server2.close()
})

await Promise.all([
once(server1, 'listening'),
once(server2, 'listening')
])

const res = await fetch(`http://localhost:${server2.address().port}`, {
headers: {
Authorization: 'test',
Cookie: 'ddd=dddd'
}
})

const text = await res.text()
t.equal(text, 'redirected')
})

1 comment on commit e041de3

@LeHieu199644
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good

Please sign in to comment.