Merge pull request from GHSA-m4v8-wqvr-p9f7

Signed-off-by: Matteo Collina <[email protected]>
nodejs · Apr 2, 2024 · 6805746 · 6805746
1 parent ee5f892
commit 6805746
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 2 deletions.
diff --git a/lib/handler/redirect-handler.js b/lib/handler/redirect-handler.js
@@ -201,9 +201,9 @@ function shouldRemoveHeader (header, removeContent, unknownOrigin) {
  if (removeContent && util.headerNameToString(header).startsWith('content-')) {
  return true
  }
- if (unknownOrigin && (header.length === 13 || header.length === 6)) {
+ if (unknownOrigin && (header.length === 13 || header.length === 6 || header.length === 19)) {
  const name = util.headerNameToString(header)
- return name === 'authorization' || name === 'cookie'
+ return name === 'authorization' || name === 'cookie' || name === 'proxy-authorization'
  }
  return false
 }

diff --git a/test/redirect-cross-origin-header.js b/test/redirect-cross-origin-header.js
@@ -0,0 +1,52 @@
+'use strict'
+
+const { test } = require('node:test')
+const { tspl } = require('@matteo.collina/tspl')
+const { createServer } = require('node:http')
+const { once } = require('node:events')
+const { request } = require('..')
+
+test('Cross-origin redirects clear forbidden headers', async (t) => {
+ const { strictEqual } = tspl(t, { plan: 6 })
+
+ const server1 = createServer((req, res) => {
+ strictEqual(req.headers.cookie, undefined)
+ strictEqual(req.headers.authorization, undefined)
+ strictEqual(req.headers['proxy-authorization'], undefined)
+
+ res.end('redirected')
+ }).listen(0)
+
+ const server2 = createServer((req, res) => {
+ strictEqual(req.headers.authorization, 'test')
+ strictEqual(req.headers.cookie, 'ddd=dddd')
+
+ res.writeHead(302, {
+ ...req.headers,
+ Location: `https://localhost:${server1.address().port}`
+ })
+ res.end()
+ }).listen(0)
+
+ t.after(() => {
+ server1.close()
+ server2.close()
+ })
+
+ await Promise.all([
+ once(server1, 'listening'),
+ once(server2, 'listening')
+ ])
+
+ const res = await request(`https://localhost:${server2.address().port}`, {
+ maxRedirections: 1,
+ headers: {
+ Authorization: 'test',
+ Cookie: 'ddd=dddd',
+ 'Proxy-Authorization': 'test'
+ }
+ })
+
+ const text = await res.body.text()
+ strictEqual(text, 'redirected')
+})