
Commit c8a309a

author
Sampaguitas
committed
changes
1 parent 8670e59 commit c8a309a

2 files changed

+64
-28
lines changed


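--- a/index.js
+++ b/index.js
@@ -38,7 +38,7 @@ function sanitizeHeaders(options) {
 const qUrl = url.parse(queryObject[queryParam]);
 
 // external link if protocol || host || port is different
-return (qUrl.protocol !== urlObject.protocol || qUrl.host !== urlObject.host || qUrl.port !== urlObject.port);
+return (!!qUrl.host && ( qUrl.protocol !== urlObject.protocol || qUrl.host !== urlObject.host || qUrl.port !== urlObject.port) );
 });
 
 if (hasExternalLink && options.hasOwnProperty("headers") && typeof (options.headers) === "object") {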
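Review bot: The new `!!qUrl.host` guard on line 41 treats every host-less value as an internal link, but `url.parse` called with a single argument leaves `host` null for a protocol-relative target such as `//host/path` (that form is only recognised with `slashesDenoteHost`), and a scheme-less `host/path` parses as a bare pathname as well, so a redirect parameter of either shape would presumably now be classified as same-origin and keep its cookie and authorization headers if the client follows it. Consider `const qUrl = url.parse(queryObject[queryParam], false, true);` on line 38 and resolving relative values against the request URL before comparing, so that only genuinely relative paths are exempted. Note that `qUrl.host` already carries the port, so the separate `port` comparison is redundant though harmless. sanitizeHeaders begins and ends outside this hunk.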

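--- a/test/leak.test.js
+++ b/test/leak.test.js
@@ -5,23 +5,23 @@ var t = require('chai').assert;
 
 describe('Information Leak', function () {
 
-it('should not forward cookie headers when the request has a redirect from another protocol/domain/port', function (done) {
+it('should not forward cookie headers when the request has a redirect from another protocol/domain/port', function (done) {
 
-request({
-url: 'https://httpbingo.org/redirect-to?url=http://httpbingo.org/cookies',
-headers: {
-'Content-Type': 'application/json',
-'cookie': 'ajs_anonymous_id=1234567890',
-'authorization': 'Bearer eyJhb12345abcdef'
-},
-json:true
-}, function (err, response, body) {
-t.deepEqual(Object.keys(body).length, 0);
-done();
-});
-});
+request({
+url: 'https://httpbingo.org/redirect-to?url=http://httpbingo.org/cookies',
+headers: {
+'Content-Type': 'application/json',
+'cookie': 'ajs_anonymous_id=1234567890',
+'authorization': 'Bearer eyJhb12345abcdef'
+},
+json:true
+}, function (err, response, body) {
+t.deepEqual(Object.keys(body).length, 0);
+done();
+});
+});
 
-it('should forward cookie headers when the request has a redirect from the same protocol/domain/port', function (done) {
+it('should forward cookie headers when the request has a redirect from the same protocol/domain/port', function (done) {
 
 request({
 url: 'https://httpbingo.org/redirect-to?url=https://httpbingo.org/cookies',
@@ -39,20 +39,38 @@ describe('Information Leak', function () {
 });
 });
 
-it('should not forward authorization headers when the request has a redirect', function (done) {
+it('should forward cookie headers when the request hasn\'t any redirect', function (done) {
 
-request({
-url: 'https://httpbingo.org/redirect-to?url=http://httpbingo.org/bearer',
-headers: {
-'Content-Type': 'application/json',
-'cookie': 'ajs_anonymous_id=1234567890',
-'authorization': 'Bearer eyJhb12345abcdef'
-}
-}, function (err, response, body) {
-t.deepEqual(body, undefined);
-done();
-});
+request({
+url: 'https://httpbingo.org/cookies?test=hello',
+headers: {
+'Content-Type': 'application/json',
+'cookie': 'ajs_anonymous_id=1234567890',
+'authorization': 'Bearer eyJhb12345abcdef'
+},
+json:true
+}, function (err, response, body) {
+t.deepEqual(body, {
+"ajs_anonymous_id": "1234567890"
+});
+done();
 });
+});
+
+it('should not forward authorization headers when the request has a redirect', function (done) {
+
+request({
+url: 'https://httpbingo.org/redirect-to?url=http://httpbingo.org/bearer',
+headers: {
+'Content-Type': 'application/json',
+'cookie': 'ajs_anonymous_id=1234567890',
+'authorization': 'Bearer eyJhb12345abcdef'
+}
+}, function (err, response, body) {
+t.deepEqual(body, undefined);
+done();
+});
+});
 
 it('should forward authorization headers when the request has a redirect from the same protocol/domain/port', function (done) {
 
@@ -72,4 +90,22 @@ describe('Information Leak', function () {
 });
 });
 
+it('should forward authorization headers when the request hasn\'t any redirect', function (done) {
+
+request({
+url: 'https://httpbingo.org/bearer?test=hello',
+headers: {
+'Content-Type': 'application/json',
+'cookie': 'ajs_anonymous_id=1234567890',
+'authorization': 'Bearer eyJhb12345abcdef'
+}
+}, function (err, response, body) {
+t.deepEqual(body, {
+"authenticated": true,
+"token": "eyJhb12345abcdef"
+});
+done();
+});
+});
+
 });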
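Review bot: The new test at lines 93–109 deep-equals `body` against an object but, unlike the cookies test added at lines 44–56, does not set `json:true`; if `request` here follows the request package's contract the body arrives as a string and the assertion would fail for the wrong reason, so confirm against the existing same-origin bearer test, whose body lies outside the hunk. Every callback in the new and rewritten tests also ignores `err`, so a DNS or connection failure against httpbingo.org surfaces as a TypeError on `Object.keys(body)` or a misleading deepEqual message rather than the real cause; start each callback with `if (err) return done(err);`. These tests depend on a live external service and will be flaky offline, but that is a pre-existing design choice rather than something this commit introduces.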
