Checklist
Description
mergeHeaders and mergeOnlyDefinedHeaders in node-auth0/src/management/core/headers.ts (line 1 in fd8a406):
export function mergeHeaders<THeaderValue>(
do not normalize header names (there is no lower-casing) and treat a null value as an instruction to delete the header. A caller can therefore pass headers.authorization (lower-case) to end up with two Authorization headers that differ only in case, or pass Authorization: null to delete the Authorization header the SDK set. Depending on how the server resolves the duplicate, the request is either ambiguous or unauthenticated; a single request is enough to strip the SDK-managed identity or to produce confusing header behaviour.
In addition, a caller can set, for example, Authorization: null, which is treated as a deleted header. For example:
let _headers = mergeHeaders(
this._options?.headers, // 1) global
mergeOnlyDefinedHeaders({ Authorization: await this._getAuthorizationHeader() }), // 2) SDK auth
requestOptions?.headers, // 3) per-request
);
...
client.keys.customSigning.get({ headers: { Authorization: null } });
...
client.keys.customSigning.get({ headers: { authorization: "Basic attacker" } });
Reproduction
const defaults = { Authorization: "Bearer sdk-token" };
const user = { authorization: "Basic attacker" }; // different case
const merged = mergeHeaders(defaults, user);
// merged now has both keys:
// { Authorization: "Bearer sdk-token", authorization: "Basic attacker" }
// Downstream client will normalize and one wins.
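As an added example (not node-auth0's own code), the two behaviours side by side: a minimal model of the merge this report describes, and a normalizing merge that lower-cases header names and refuses a null on a protected name such as Authorization. naiveMergeHeaders, mergeHeadersNormalized, countHeaderVariants, the HeaderMap type and the protectedNames parameter are assumptions for illustration, and the sample header sets are constructed.

```typescript
// Added example, not node-auth0's own code. naiveMergeHeaders is a model of
// the behaviour described in this report; mergeHeadersNormalized is a
// hypothetical hardened replacement.
type HeaderValue = string | null | undefined;
type HeaderMap = Record<string, HeaderValue>;

// Model of the reported behaviour: keys are copied as-is, so
// "Authorization" and "authorization" are distinct entries, and a null
// value deletes whatever an earlier source put under that exact key.
export function naiveMergeHeaders(
  ...sources: Array<HeaderMap | undefined>
): Record<string, string> {
  const out: Record<string, string> = {};
  for (const src of sources) {
    if (!src) continue;
    for (const name of Object.keys(src)) {
      const value = src[name];
      if (value === undefined) continue; // undefined: keep the earlier value
      if (value === null) {              // null: deletion instruction
        delete out[name];
        continue;
      }
      out[name] = value;
    }
  }
  return out;
}

// Hardened merge (assumed design): header names are compared
// case-insensitively and stored lower-cased, so at most one entry per
// header survives, and a null on a protected name is rejected instead of
// silently removing the SDK-managed header.
export function mergeHeadersNormalized(
  sources: Array<HeaderMap | undefined>,
  protectedNames: string[] = ["authorization"],
): Record<string, string> {
  const guarded = new Set(protectedNames.map((n) => n.toLowerCase()));
  const out: Record<string, string> = {};
  for (const src of sources) {
    if (!src) continue;
    for (const rawName of Object.keys(src)) {
      const name = rawName.toLowerCase();
      const value = src[rawName];
      if (value === undefined) continue;
      if (value === null) {
        if (guarded.has(name)) {
          throw new Error(`refusing to delete protected header "${name}"`);
        }
        delete out[name];
        continue;
      }
      out[name] = value;
    }
  }
  return out;
}

// Count how many keys in a merged map name the same header once case is
// ignored; more than one means the outgoing request is ambiguous.
export function countHeaderVariants(
  headers: Record<string, string>,
  name: string,
): number {
  const wanted = name.toLowerCase();
  return Object.keys(headers).filter((k) => k.toLowerCase() === wanted).length;
}

// Constructed sample inputs mirroring the three merge layers in the report.
export const globalHeaders: HeaderMap = { "Content-Type": "application/json" };
export const sdkHeaders: HeaderMap = { Authorization: "Bearer sdk-token" };
export const attackerCase: HeaderMap = { authorization: "Basic attacker" };
export const attackerNull: HeaderMap = { Authorization: null };

// Reported behaviour: duplicate header, then deleted header.
console.log(naiveMergeHeaders(globalHeaders, sdkHeaders, attackerCase));
console.log(naiveMergeHeaders(globalHeaders, sdkHeaders, attackerNull));
// Hardened: a single lower-cased authorization entry; the null case throws.
console.log(mergeHeadersNormalized([globalHeaders, sdkHeaders, attackerCase]));
```

With the normalizing merge a per-request header can still override the SDK token with a defined value (the same order of precedence the report shows), but it can no longer produce two case variants of Authorization or silently remove it; whether override itself should be allowed is a separate design decision.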
Additional context
No response
node-auth0 version
latest
Node.js version
latest