[ https://issues.apache.org/jira/browse/THRIFT-5710?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17722204#comment-17722204 ]

Nick Gavalas commented on THRIFT-5710:
--------------------------------------

I put up [https://github.com/apache/thrift/pull/2805] as a proposed fix. Check 
out the test cases for an idea of how bad this one is.

> NodeJS header transport leaks headers between all instances
> -----------------------------------------------------------
>
>                 Key: THRIFT-5710
>                 URL: https://issues.apache.org/jira/browse/THRIFT-5710
>             Project: Thrift
>          Issue Type: Bug
>          Components: Node.js - Library
>    Affects Versions: 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.18.0, 0.19.0
>         Environment: This repros in all environments using the nodejs library.
>            Reporter: Nick Gavalas
>            Priority: Critical
>              Labels: bug, headers, vulnerability
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> The header transport in `nodejs` has `TBufferTransport` and 
> `TFramedTransport` improperly extending the `THeaderTransport` prototype. The 
> intention was to use `THeaderTransport` as an abstract base class and have 
> concrete implementations in the other transports. In reality, every instance 
> of `TBufferTransport` and `TFramedTransport` actually shares a single instance 
> of `THeaderTransport` being used as the prototype, which means that they all 
> share one object that stores headers that every instance simultaneously 
> mutates.
>  
> This leaks headers on both the read and the write paths: 
>  * You can write incorrect headers to a transport that has written headers 
> but hasn't flushed yet. This is especially troubling if the headers are used 
> for auth, because you're able to mix up requests and auth as the wrong 
> entity. (i.e., if two requests set an `Auth` header).
>  * You can read headers from other requests. They only clobber each other if 
> they have the same name, but the union of all seen headers is returned in 
> {{getReadHeaders}}.
>  
> The fix is straightforward but urgent: the header functionality is completely 
> broken and a security risk to use in production.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
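The shared-prototype defect described in the issue, reduced to a constructed model (added example, not Thrift's code; `HeaderBase`, `LeakyTransport`, `IsolatedTransport` and the header values are assumptions standing in for `THeaderTransport` and its concrete transports). It shows the buggy pattern beside the corrected one and a regression check a test suite can keep.

```javascript
// Constructed model of the THRIFT-5710 bug class (not Thrift's own code).
// HeaderBase plays the role of THeaderTransport: per-instance header maps.
function HeaderBase() {
  this.writeHeaders = {};
  this.readHeaders = {};
}
// `this.writeHeaders` is looked up through the prototype chain; if the map
// lives on a shared prototype, every instance mutates that single map.
HeaderBase.prototype.setWriteHeader = function (name, value) {
  this.writeHeaders[name] = value;
};
HeaderBase.prototype.addReadHeader = function (name, value) {
  this.readHeaders[name] = value;
};
HeaderBase.prototype.getWriteHeaders = function () { return this.writeHeaders; };
HeaderBase.prototype.getReadHeaders = function () { return this.readHeaders; };

// Buggy pattern: a single base *instance* used as the prototype, so the
// header maps are created once and shared by every LeakyTransport.
function LeakyTransport() {}
LeakyTransport.prototype = new HeaderBase();

// Corrected pattern: inherit only the methods and run the base constructor
// for each instance, so every transport owns its header maps.
function IsolatedTransport() {
  HeaderBase.call(this);
}
IsolatedTransport.prototype = Object.create(HeaderBase.prototype);

// Two in-flight requests on separate transports (constructed values); reports
// what request A would send and see. Leakage shows up as cross-talk.
function crossTalk(Transport) {
  const reqA = new Transport();
  const reqB = new Transport();
  reqA.setWriteHeader('Auth', 'token-for-alice');
  reqB.setWriteHeader('Auth', 'token-for-bob');   // clobbers A's Auth if shared
  reqB.addReadHeader('X-Trace', 'trace-b');       // visible to A if shared
  return {
    authSentByA: reqA.getWriteHeaders().Auth,
    readHeadersSeenByA: Object.keys(reqA.getReadHeaders()),
  };
}

// Regression check for a test suite: header storage must be an own property
// of each instance and distinct between instances, never inherited.
function headerStateIsIsolated(Transport) {
  const a = new Transport();
  const b = new Transport();
  return Object.prototype.hasOwnProperty.call(a, 'writeHeaders') &&
    Object.prototype.hasOwnProperty.call(a, 'readHeaders') &&
    a.writeHeaders !== b.writeHeaders && a.readHeaders !== b.readHeaders;
}
```

With the leaky pattern, request A ends up sending B's `Auth` value and sees B's read headers; with the isolated pattern each request only sees its own.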