nodejs-hawk/CVE-2022-29167.patch

From ade134119bf1fdc4909d00f5a952c966f0075ad3 Mon Sep 17 00:00:00 2001
From: Yaraslau Kurmyza <yarik@mozilla.com>
Date: Mon, 2 May 2022 13:47:12 +0200
Subject: [PATCH] Parse URLs using stdlib

---
 lib/utils.js   | 22 ++++++++++++----------
 test/server.js | 14 ++++++++++++++
 test/utils.js  |  6 +++---
 3 files changed, 29 insertions(+), 13 deletions(-)

diff --git a/lib/utils.js b/lib/utils.js
index 60d8219..a2a3094 100644
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -4,6 +4,7 @@
 
 const Sntp = require('sntp');
 const Boom = require('boom');
+const Url = require('url');
 
 
 // Declare internals
@@ -22,12 +23,6 @@ exports.limits = {
 };
 
 
-// Extract host and port from request
-
-//                                            $1                            $2
-internals.hostHeaderRegex = /^(?:(?:\r\n)?\s)*((?:[^:]+)|(?:\[[^\]]+\]))(?::(\d+))?(?:(?:\r\n)?\s)*$/;              // (IPv4, hostname)|(IPv6)
-
-
 exports.parseHost = function (req, hostHeaderName) {
 
     hostHeaderName = (hostHeaderName ? hostHeaderName.toLowerCase() : 'host');
@@ -40,14 +35,21 @@ exports.parseHost = function (req, hostHeaderName) {
         return null;
     }
 
-    const hostParts = hostHeader.match(internals.hostHeaderRegex);
-    if (!hostParts) {
+    if (hostHeader.indexOf('/') !== -1) {
         return null;
     }
 
+    let uri;
+    try {
+	uri = new Url.URL('http://' + hostHeader);
+    }
+    catch (err) {
+	return null;
+    }
+
     return {
-        name: hostParts[1],
-        port: (hostParts[2] ? hostParts[2] : (req.connection && req.connection.encrypted ? 443 : 80))
+	name: uri.hostname,
+	port: (uri.port ? uri.port : (req.connection && req.connection.encrypted ? 443 : 80))
     };
 };
 
diff --git a/test/server.js b/test/server.js
index 39e66e6..3ef23d6 100755
--- a/test/server.js
+++ b/test/server.js
@@ -551,6 +551,20 @@ describe('Server', () => {
             });
         });
 
+	it('errors on an bad host header (includes path and query)', async () => {
+
+	     const req = {
+		 method: 'GET',
+		 url: '/resource/4?filter=a',
+		 headers: {
+		     host: 'example.com:8080/path?x=z',
+		     authorization: 'Hawk'
+		 }
+	     };
+
+	     await expect(Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() })).to.reject('Invalid Host header');
+	});
+
         it('errors on an bad host header (pad port)', (done) => {
 
             const req = {
diff --git a/test/utils.js b/test/utils.js
index 6182609..98f2422 100755
--- a/test/utils.js
+++ b/test/utils.js
@@ -64,7 +64,7 @@ describe('Utils', () => {
                 method: 'POST',
                 url: '/resource/4?filter=a',
                 headers: {
-                    host: '[123:123:123]',
+		    host: '[123:123::123]',
                     'content-type': 'text/plain;x=y'
                 },
                 connection: {
@@ -82,7 +82,7 @@ describe('Utils', () => {
                 method: 'POST',
                 url: '/resource/4?filter=a',
                 headers: {
-                    host: '[123:123:123]:8000',
+			host: '[123:123::123]:8000',
                     'content-type': 'text/plain;x=y'
                 },
                 connection: {
@@ -92,7 +92,7 @@ describe('Utils', () => {
 
             const host = Hawk.utils.parseHost(req, 'Host');
             expect(host.port).to.equal('8000');
-            expect(host.name).to.equal('[123:123:123]');
+            expect(host.name).to.equal('[123:123::123]');
             done();
         });
 
-- 
2.23.0
Fix CVE-2022-29167 2022-05-17 10:47:58 +08:00			`From ade134119bf1fdc4909d00f5a952c966f0075ad3 Mon Sep 17 00:00:00 2001`
			`From: Yaraslau Kurmyza <yarik@mozilla.com>`
			`Date: Mon, 2 May 2022 13:47:12 +0200`
			`Subject: [PATCH] Parse URLs using stdlib`

			`---`
			`lib/utils.js \| 22 ++++++++++++----------`
			`test/server.js \| 14 ++++++++++++++`
			`test/utils.js \| 6 +++---`
			`3 files changed, 29 insertions(+), 13 deletions(-)`

			`diff --git a/lib/utils.js b/lib/utils.js`
			`index 60d8219..a2a3094 100644`
			`--- a/lib/utils.js`
			`+++ b/lib/utils.js`
			`@@ -4,6 +4,7 @@`

			`const Sntp = require('sntp');`
			`const Boom = require('boom');`
			`+const Url = require('url');`


			`// Declare internals`
			`@@ -22,12 +23,6 @@ exports.limits = {`
			`};`


			`-// Extract host and port from request`
			`-`
			`-// $1 $2`
			`-internals.hostHeaderRegex = /^(?:(?:\r\n)?\s)((?:[^:]+)\|(?:\[[^\]]+\]))(?::(\d+))?(?:(?:\r\n)?\s)$/; // (IPv4, hostname)\|(IPv6)`
			`-`
			`-`
			`exports.parseHost = function (req, hostHeaderName) {`

			`hostHeaderName = (hostHeaderName ? hostHeaderName.toLowerCase() : 'host');`
			`@@ -40,14 +35,21 @@ exports.parseHost = function (req, hostHeaderName) {`
			`return null;`
			`}`

			`- const hostParts = hostHeader.match(internals.hostHeaderRegex);`
			`- if (!hostParts) {`
			`+ if (hostHeader.indexOf('/') !== -1) {`
			`return null;`
			`}`

			`+ let uri;`
			`+ try {`
			`+ uri = new Url.URL('http://' + hostHeader);`
			`+ }`
			`+ catch (err) {`
			`+ return null;`
			`+ }`
			`+`
			`return {`
			`- name: hostParts[1],`
			`- port: (hostParts[2] ? hostParts[2] : (req.connection && req.connection.encrypted ? 443 : 80))`
			`+ name: uri.hostname,`
			`+ port: (uri.port ? uri.port : (req.connection && req.connection.encrypted ? 443 : 80))`
			`};`
			`};`

			`diff --git a/test/server.js b/test/server.js`
			`index 39e66e6..3ef23d6 100755`
			`--- a/test/server.js`
			`+++ b/test/server.js`
			`@@ -551,6 +551,20 @@ describe('Server', () => {`
			`});`
			`});`

			`+ it('errors on an bad host header (includes path and query)', async () => {`
			`+`
			`+ const req = {`
			`+ method: 'GET',`
			`+ url: '/resource/4?filter=a',`
			`+ headers: {`
			`+ host: 'example.com:8080/path?x=z',`
			`+ authorization: 'Hawk'`
			`+ }`
			`+ };`
			`+`
			`+ await expect(Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() })).to.reject('Invalid Host header');`
			`+ });`
			`+`
			`it('errors on an bad host header (pad port)', (done) => {`

			`const req = {`
			`diff --git a/test/utils.js b/test/utils.js`
			`index 6182609..98f2422 100755`
			`--- a/test/utils.js`
			`+++ b/test/utils.js`
			`@@ -64,7 +64,7 @@ describe('Utils', () => {`
			`method: 'POST',`
			`url: '/resource/4?filter=a',`
			`headers: {`
			`- host: '[123:123:123]',`
			`+ host: '[123:123::123]',`
			`'content-type': 'text/plain;x=y'`
			`},`
			`connection: {`
			`@@ -82,7 +82,7 @@ describe('Utils', () => {`
			`method: 'POST',`
			`url: '/resource/4?filter=a',`
			`headers: {`
			`- host: '[123:123:123]:8000',`
			`+ host: '[123:123::123]:8000',`
			`'content-type': 'text/plain;x=y'`
			`},`
			`connection: {`
			`@@ -92,7 +92,7 @@ describe('Utils', () => {`

			`const host = Hawk.utils.parseHost(req, 'Host');`
			`expect(host.port).to.equal('8000');`
			`- expect(host.name).to.equal('[123:123:123]');`
			`+ expect(host.name).to.equal('[123:123::123]');`
			`done();`
			`});`

			`--`
			`2.23.0`