Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu
[ Reason ] node-got allows redirection to unix sockets (#1013264, CVE-2022-33987) [ Impact ] Medium vulnerability: a remote host can redirect a node-got request to a Unix socket [ Tests ] Sadly tests aren't enabled: ava was introduced earlier in Debian [ Risks ] Low risk: * patch is trivial * package is built from TypeScript, then the tsc compiler checks for a lot of errors [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Just reject URLs starting with "unix:" if the original request wasn't a "unix:" request. Note that I had to add a typescript change: one ignored error is no longer an error. Regards, Yadd
diff --git a/debian/changelog b/debian/changelog
index 9cda1ef..a4bd358 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-got (11.8.1+~cs53.13.17-3+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Don't allow redirection to Unix socket (Closes: #1013264, CVE-2022-33987)
+
+ -- Yadd <y...@debian.org> Wed, 29 Jun 2022 16:30:16 +0200
+
 node-got (11.8.1+~cs53.13.17-3) unstable; urgency=medium
 * Team upload
diff --git a/debian/patches/CVE-2022-33987.patch b/debian/patches/CVE-2022-33987.patch
new file mode 100644
index 0000000..79c012f
--- /dev/null
+++ b/debian/patches/CVE-2022-33987.patch
@@ -0,0 +1,100 @@
+Description: Don't allow redirect to Unix socket
+Author: Sindre Sorhus <sindresor...@gmail.com>
+Origin: upstream, https://github.com/sindresorhus/got/commit/bce8ce7d
+Bug: https://github.com/sindresorhus/got/pull/2047
+Bug-Debian: https://bugs.debian.org/1013264
+Forwarded: not-needed
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2022-06-29
+
+--- a/source/core/index.ts
++++ b/source/core/index.ts
+@@ -2102,6 +2102,16 @@
+ const redirectString = redirectUrl.toString();
+ decodeURI(redirectString);
+
++ // eslint-disable-next-line no-inner-declarations
++ function isUnixSocketURL(url: URL) {
++ return url.protocol === 'unix:' || url.hostname === 'unix';
++ }
++
++ if (!isUnixSocketURL(url) && isUnixSocketURL(redirectUrl)) {
++ this._beforeError(new RequestError('Cannot redirect to UNIX socket', {}, this));
++ return;
++ }
++
+ // Redirecting to a different site, clear sensitive data.
+ if (redirectUrl.hostname !== url.hostname || redirectUrl.port !== url.port) {
+ if ('host' in options.headers) {
+--- a/test/redirects.ts
++++ b/test/redirects.ts
+@@ -1,7 +1,7 @@
+ import test from 'ava';
+ import {Handler} from 'express';
+ import nock = require('nock');
+-import got, {MaxRedirectsError} from '../source';
++import got, {MaxRedirectsError, RequestError} from '../source';
+ import withServer, {withHttpsServer} from './helpers/with-server';
+
+ const reachedHandler: Handler = (_request, response) => {
+@@ -509,3 +509,32 @@
+ t.is(response.body, 'SERVER2');
+ });
+ });
++
++const unixProtocol: Handler = (_request, response) => {
++ response.writeHead(302, {
++ location: 'unix:/var/run/docker.sock:/containers/json'
++ });
++ response.end();
++};
++
++const unixHostname: Handler = (_request, response) => {
++ response.writeHead(302, {
++ location: 'http://unix:/var/run/docker.sock:/containers/json'
++ });
++ response.end();
++};
++
++test('cannot redirect to unix protocol', withServer, async (t, server, got) => {
++ server.get('/protocol', unixProtocol);
++ server.get('/hostname', unixHostname);
++
++ await t.throwsAsync(got('protocol'), {
++ message: 'Cannot redirect to UNIX socket',
++ instanceOf: RequestError
++ });
++
++ await t.throwsAsync(got('hostname'), {
++ message: 'Cannot redirect to UNIX socket',
++ instanceOf: RequestError
++ });
++});
+--- a/test/unix-socket.ts
++++ b/test/unix-socket.ts
+@@ -8,6 +8,13 @@
+ response.end('ok');
+ };
+
++const redirectHandler: Handler = (_request, response) => {
++ response.writeHead(302, {
++ location: 'foo'
++ });
++ response.end();
++};
++
+ if (process.platform !== 'win32') {
+ test('works', withSocketServer, async (t, server) => {
+ server.on('/', okHandler);
+@@ -53,3 +60,11 @@
+ t.is((await got(url)).body, 'ok');
+ });
+ }
++
++test('redirects work', withSocketServer, async (t, server) => {
++ server.on('/', redirectHandler);
++ server.on('/foo', okHandler);
++
++ const url = format('http://unix:%s:%s', server.socketPath, '/');
++ t.is((await got(url)).body, 'ok');
++});
diff --git a/debian/patches/fix-typescript.patch b/debian/patches/fix-typescript.patch
new file mode 100644
index 0000000..02c2e82
--- /dev/null
+++ b/debian/patches/fix-typescript.patch
@@ -0,0 +1,16 @@
+Description: fix typescript
+Author: Yadd <y...@debian.org>
+Forwarded: not-needed
+Last-Update: 2022-06-29
+
+--- a/source/utils/deprecation-warning.ts
++++ b/source/utils/deprecation-warning.ts
+@@ -7,7 +7,7 @@
+
+ alreadyWarned.add(message);
+
+- // @ts-expect-error Missing types.
++ // @ts-ignore
+ process.emitWarning(`Got: ${message}`, {
+ type: 'DeprecationWarning'
+ });
diff --git a/debian/patches/series b/debian/patches/series
index 2299ad7..52e5121 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,5 @@
 build-source-only.diff
 fix-package-json-paths.diff
 CVE-2021-33502.patch
+CVE-2022-33987.patch
+fix-typescript.patch
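Review bot: `isUnixSocketURL` is declared as a nested function inside the redirect handling in source/core/index.ts, which is why the hunk needs `// eslint-disable-next-line no-inner-declarations`; the lint suppression exists only to tolerate that placement, and the helper is re-created on every redirect. Hoisting it to module scope as `const isUnixSocketURL = (url: URL): boolean => url.protocol === 'unix:' || url.hostname === 'unix';` keeps the guard byte-for-byte equivalent and removes the disable. The enclosing method starts and ends outside the hunk. Worth noting for a follow-up rather than this backport: the guard only asks whether each side is a Unix-socket URL, so a request that already targets a socket can still be redirected to a different socket path, and the `redirectUrl.hostname !== url.hostname || redirectUrl.port !== url.port` comparison on the context lines below sees `unix` on both sides and so would not clear the sensitive headers; whether that matters in practice depends on how socket URLs are used, which this hunk does not show.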
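Review bot: Replacing `// @ts-expect-error Missing types.` with a bare `// @ts-ignore` in source/utils/deprecation-warning.ts silences every future type error on the following `process.emitWarning(...)` call, not only the one the description says no longer occurs. If the call now type-checks cleanly in this build, the directive can simply be dropped, which is what `@ts-expect-error` was complaining about; if it has to stay so the same patch applies against other type definitions, give it a reason, e.g. `// @ts-ignore -- <reason the directive is still needed in this build>`, so the next reader knows what it is hiding. The enclosing function starts and ends outside the hunk.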