Nick Gavalas created THRIFT-5710:
------------------------------------

             Summary: NodeJS header transport leaks headers between all 
instances
                 Key: THRIFT-5710
                 URL: https://issues.apache.org/jira/browse/THRIFT-5710
             Project: Thrift
          Issue Type: Bug
          Components: Node.js - Library
    Affects Versions: 0.18.0, 0.17.0, 0.16.0, 0.15.0, 0.14.0, 0.19.0
         Environment: This repros in all environments using the nodejs library.
            Reporter: Nick Gavalas


The header transport in `nodejs` has `TBufferTransport` and `TFramedTransport` 
improperly extending the `THeaderTransport` prototype. The intention was to use 
`THeaderTransport` as an abstract base class and have concrete implementations 
in the other transports. In reality, every instance of `TBufferTransport` and 
`TFramedTransport` actually share a single instance of `THeaderTransport` being 
used as the prototype, which means that they all share one object that stores 
headers that every instance simultaneously mutates.

 

This leaks headers on both the read and the write paths: 
 * You can write incorrect headers to a transport that has written headers but 
hasn't flushed yet. This is especially troubling if the headers are used for 
auth, because you're able to mix up requests and auth as the wrong entity. 
(i.e., if two requests set an `Auth` header).
 * You can read headers from other requests. They only clobber each other if 
they have the same name, but the union of all seen headers is returned in 
`getReadHeaders`.

 

The fix is straightforward but urgent: the header functionality is completely 
broken and a security risk to use in production.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
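
The shared-prototype failure described in the report above, as an added example that is not part of the original message and is not Thrift's code. `HeaderBase`, `LeakyTransport`, `IsolatedTransport` and the header values are hypothetical stand-ins constructed for illustration; the last function is one way to write a regression check for this class of bug.

```javascript
'use strict';
// Constructed model of the pattern in the report. All names here are
// hypothetical, not Thrift's classes.
function HeaderBase() {
  this.writeHeaders = {}; // per-request state, stored on whatever `this` is
}
HeaderBase.prototype.setWriteHeader = function (name, value) {
  this.writeHeaders[name] = value; // mutates the object found via the prototype chain
};
HeaderBase.prototype.getWriteHeaders = function () {
  return this.writeHeaders;
};

// Leaky: one HeaderBase *instance* becomes the prototype, so its writeHeaders
// object is shared by every LeakyTransport ever created.
function LeakyTransport() {}
LeakyTransport.prototype = new HeaderBase();
LeakyTransport.prototype.constructor = LeakyTransport;

// Isolated: inherit methods only, and run the base constructor per instance.
function IsolatedTransport() {
  HeaderBase.call(this);
}
IsolatedTransport.prototype = Object.create(HeaderBase.prototype);
IsolatedTransport.prototype.constructor = IsolatedTransport;

// Two unflushed requests each set their own headers; return what each one holds.
function simulateTwoRequests(Transport) {
  const alice = new Transport();
  const bob = new Transport();
  alice.setWriteHeader('Auth', 'token-alice'); // constructed sample values
  bob.setWriteHeader('Auth', 'token-bob');
  bob.setWriteHeader('Trace', 'bob-only');
  return { alice: { ...alice.getWriteHeaders() }, bob: { ...bob.getWriteHeaders() } };
}

// Regression check: object-valued fields a fresh instance inherits from its
// prototype chain instead of owning, i.e. state shared across all instances.
function sharedMutableFields(Transport) {
  const inst = new Transport();
  const shared = [];
  for (const key in inst) {
    const own = Object.prototype.hasOwnProperty.call(inst, key);
    if (!own && inst[key] !== null && typeof inst[key] === 'object') shared.push(key);
  }
  return shared;
}

console.log(simulateTwoRequests(LeakyTransport), simulateTwoRequests(IsolatedTransport));
```

With `LeakyTransport`, the first request ends up holding the second request's `Auth` value plus its `Trace` header; with `IsolatedTransport` each request keeps only its own.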
