packages/nodejs-hawk
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Package upgrade

Browse Source
This commit is contained in:
houyingchao 2022-06-30 16:24:37 +08:00
parent 192c9d5c3b
commit 19464d7f30
4 changed files with 12 additions and 133 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

121
CVE-2022-29167.patch
View File

@ -1,121 +0,0 @@
From ade134119bf1fdc4909d00f5a952c966f0075ad3 Mon Sep 17 00:00:00 2001
From: Yaraslau Kurmyza <yarik@mozilla.com>
Date: Mon, 2 May 2022 13:47:12 +0200
Subject: [PATCH] Parse URLs using stdlib
---
lib/utils.js | 22 ++++++++++++----------
test/server.js | 14 ++++++++++++++
test/utils.js | 6 +++---
3 files changed, 29 insertions(+), 13 deletions(-)
diff --git a/lib/utils.js b/lib/utils.js
index 60d8219..a2a3094 100644
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -4,6 +4,7 @@
const Sntp = require('sntp');
const Boom = require('boom');
+const Url = require('url');
// Declare internals
@@ -22,12 +23,6 @@ exports.limits = {
};
-// Extract host and port from request
-
-// $1 $2
-internals.hostHeaderRegex = /^(?:(?:\r\n)?\s)*((?:[^:]+)|(?:\[[^\]]+\]))(?::(\d+))?(?:(?:\r\n)?\s)*$/; // (IPv4, hostname)|(IPv6)
-
-
exports.parseHost = function (req, hostHeaderName) {
hostHeaderName = (hostHeaderName ? hostHeaderName.toLowerCase() : 'host');
@@ -40,14 +35,21 @@ exports.parseHost = function (req, hostHeaderName) {
return null;
}
- const hostParts = hostHeader.match(internals.hostHeaderRegex);
- if (!hostParts) {
+ if (hostHeader.indexOf('/') !== -1) {
return null;
}
+ let uri;
+ try {
+ uri = new Url.URL('http://' + hostHeader);
+ }
+ catch (err) {
+ return null;
+ }
+
return {
- name: hostParts[1],
- port: (hostParts[2] ? hostParts[2] : (req.connection && req.connection.encrypted ? 443 : 80))
+ name: uri.hostname,
+ port: (uri.port ? uri.port : (req.connection && req.connection.encrypted ? 443 : 80))
};
};
diff --git a/test/server.js b/test/server.js
index 39e66e6..3ef23d6 100755
--- a/test/server.js
+++ b/test/server.js
@@ -551,6 +551,20 @@ describe('Server', () => {
});
});
+ it('errors on an bad host header (includes path and query)', async () => {
+
+ const req = {
+ method: 'GET',
+ url: '/resource/4?filter=a',
+ headers: {
+ host: 'example.com:8080/path?x=z',
+ authorization: 'Hawk'
+ }
+ };
+
+ await expect(Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() })).to.reject('Invalid Host header');
+ });
+
it('errors on an bad host header (pad port)', (done) => {
const req = {
diff --git a/test/utils.js b/test/utils.js
index 6182609..98f2422 100755
--- a/test/utils.js
+++ b/test/utils.js
@@ -64,7 +64,7 @@ describe('Utils', () => {
method: 'POST',
url: '/resource/4?filter=a',
headers: {
- host: '[123:123:123]',
+ host: '[123:123::123]',
'content-type': 'text/plain;x=y'
},
connection: {
@@ -82,7 +82,7 @@ describe('Utils', () => {
method: 'POST',
url: '/resource/4?filter=a',
headers: {
- host: '[123:123:123]:8000',
+ host: '[123:123::123]:8000',
'content-type': 'text/plain;x=y'
},
connection: {
@@ -92,7 +92,7 @@ describe('Utils', () => {
const host = Hawk.utils.parseHost(req, 'Host');
expect(host.port).to.equal('8000');
- expect(host.name).to.equal('[123:123:123]');
+ expect(host.name).to.equal('[123:123::123]');
done();
});
--
2.23.0

BIN
hawk-4.1.2.tgz
View File

Binary file not shown.

BIN
hawk-9.0.1.tgz Normal file
View File

Binary file not shown.

24
nodejs-hawk.spec
View File

@ -1,15 +1,14 @@
%global enable_tests 0 %global enable_tests 0
Name: nodejs-hawk Name: nodejs-hawk
Version: 4.1.2 Version: 9.0.1
Release: 3 Release: 1
Summary: HTTP Hawk authentication scheme Summary: HTTP Hawk authentication scheme
License: BSD-3-Clause License: BSD-3-Clause
URL: https://github.com/hueniverse/hawk URL: https://github.com/hueniverse/hawk
Source0: https://registry.npmjs.org/hawk/-/hawk-%{version}.tgz Source0: https://registry.npmjs.org/hawk/-/hawk-%{version}.tgz
Patch0: CVE-2022-29167.patch
BuildArch: noarch BuildArch: noarch
ExclusiveArch: %{nodejs_arches} noarch ExclusiveArch: %{nodejs_arches} noarch
BuildRequires: nodejs-packaging npm(boom) npm(cryptiles) npm(hoek) npm(sntp) BuildRequires: nodejs-packaging
%if 0%{?enable_tests} %if 0%{?enable_tests}
BuildRequires: npm(lab) npm(code) BuildRequires: npm(lab) npm(code)
%endif %endif
@ -19,12 +18,12 @@ algorithm to provide partial HTTP request cryptographic verification.
%prep %prep
%autosetup -n package -p1 %autosetup -n package -p1
%nodejs_fixdep cryptiles "^2.0.5" %nodejs_fixdep -r @hapi/b64
%nodejs_fixdep boom "^2.10.1" %nodejs_fixdep -r @hapi/boom
%nodejs_fixdep hoek "^0.9.1" %nodejs_fixdep -r @hapi/cryptiles
chmod a-x README.md LICENSE package.json client.js example/* images/* lib/* %nodejs_fixdep -r @hapi/hoek
chmod a-x README.md package.json lib/*
sed -i 's/\r$//' README.md sed -i 's/\r$//' README.md
sed -i 's/\r$//' example/usage.js
%build %build
@ -35,17 +34,18 @@ cp -pr package.json lib %{buildroot}%{nodejs_sitelib}/hawk
%check %check
%nodejs_symlink_deps --check %nodejs_symlink_deps --check
%__nodejs -e "require('./')"
%if 0%{?enable_tests} %if 0%{?enable_tests}
%{nodejs_sitelib}/lab/bin/lab -a code -t 100 -L %{nodejs_sitelib}/lab/bin/lab -a code -t 100 -L
%endif %endif
%files %files
%doc README.md example images %doc README.md
%license LICENSE
%{nodejs_sitelib}/hawk %{nodejs_sitelib}/hawk
%changelog %changelog
* Thu Jun 30 2022 houyingchao <houyingchao@h-partners.com> - 9.0.1-1
- Upgrade to 9.0.1
* Tue May 17 2022 houyingchao <houyingchao@h-partners.com> - 4.1.2-3 * Tue May 17 2022 houyingchao <houyingchao@h-partners.com> - 4.1.2-3
- Fix CVE-2022-29167 - Fix CVE-2022-29167