Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
[ Reason ]
node-got allows redirection to unix sockets (#1013264, CVE-2022-33987)
[ Impact ]
Medium vulnerability: a remote host can redirect a node-got request to a
Unix socket
[ Tests ]
Sadly, tests aren't enabled: ava was introduced earlier in Debian
[ Risks ]
Low risk:
* patch is trivial
* package is built from TypeScript, so the tsc compiler checks for
a lot of errors
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Just reject URLs starting with "unix:" if the original request wasn't a
"unix:" request.
Note that I had to add a TypeScript change: one previously ignored error is
no longer an error.
Regards,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 9cda1ef..a4bd358 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-got (11.8.1+~cs53.13.17-3+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Don't allow redirection to Unix socket (Closes: #1013264, CVE-2022-33987)
+
+ -- Yadd Wed, 29 Jun 2022 16:30:16 +0200
+
node-got (11.8.1+~cs53.13.17-3) unstable; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2022-33987.patch b/debian/patches/CVE-2022-33987.patch
new file mode 100644
index 000..79c012f
--- /dev/null
+++ b/debian/patches/CVE-2022-33987.patch
@@ -0,0 +1,100 @@
+Description: Don't allow redirect to Unix socket
+Author: Sindre Sorhus
+Origin: upstream, https://github.com/sindresorhus/got/commit/bce8ce7d
+Bug: https://github.com/sindresorhus/got/pull/2047
+Bug-Debian: https://bugs.debian.org/1013264
+Forwarded: not-needed
+Reviewed-By: Yadd
+Last-Update: 2022-06-29
+
+--- a/source/core/index.ts
b/source/core/index.ts
+@@ -2102,6 +2102,16 @@
+ const redirectString = redirectUrl.toString();
+ decodeURI(redirectString);
+
++ // eslint-disable-next-line no-inner-declarations
++ function isUnixSocketURL(url: URL) {
++ return url.protocol === 'unix:' || url.hostname === 'unix';
++ }
++
++ if (!isUnixSocketURL(url) && isUnixSocketURL(redirectUrl)) {
++ this._beforeError(new RequestError('Cannot redirect to UNIX socket', {}, this));
++ return;
++ }
++
+ // Redirecting to a different site, clear sensitive data.
+ if (redirectUrl.hostname !== url.hostname || redirectUrl.port !== url.port) {
+ if ('host' in options.headers) {
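Review bot: The redirect guard at the top of the hunk declares `isUnixSocketURL` as an inner function, which is the only reason the `eslint-disable-next-line no-inner-declarations` exception is needed; hoisting it to module scope as `const isUnixSocketURL = (url: URL): boolean => url.protocol === 'unix:' || url.hostname === 'unix';` drops the lint exception and makes the predicate testable on its own, with the call site in the method unchanged. The guard covers both spellings the new test exercises (`unix:` protocol and `unix` hostname) and runs before the host/port comparison that clears sensitive headers, so a rejected redirect never reaches that code. The enclosing method starts and ends outside the hunk, so whether `url` is the original request URL or the current hop's URL cannot be confirmed from the visible lines; if it is the current hop, a request already addressed to a Unix socket may still be redirected to another one, which matches the intent stated in the description.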
+--- a/test/redirects.ts
b/test/redirects.ts
+@@ -1,7 +1,7 @@
+ import test from 'ava';
+ import {Handler} from 'express';
+ import nock = require('nock');
+-import got, {MaxRedirectsError} from '../source';
++import got, {MaxRedirectsError, RequestError} from '../source';
+ import withServer, {withHttpsServer} from './helpers/with-server';
+
+ const reachedHandler: Handler = (_request, response) => {
+@@ -509,3 +509,32 @@
+ t.is(response.body, 'SERVER2');
+ });
+ });
++
++const unixProtocol: Handler = (_request, response) => {
++ response.writeHead(302, {
++ location: 'unix:/var/run/docker.sock:/containers/json'
++ });
++ response.end();
++};
++
++const unixHostname: Handler = (_request, response) => {
++ response.writeHead(302, {
++ location: 'http://unix:/var/run/docker.sock:/containers/json'
++ });
++ response.end();
++};
++
++test('cannot redirect to unix protocol', withServer, async (t, server, got) => {
++ server.get('/protocol', unixProtocol);
++ server.get('/hostname', unixHostname);
++
++ await t.throwsAsync(got('protocol'), {
++ message: 'Cannot redirect to UNIX socket',
++ instanceOf: RequestError
++ });
++
++ await t.throwsAsync(got('hostname'), {
++ message: 'Cannot redirect to UNIX socket',
++ instanceOf: RequestError
++ });
++});
+--- a/test/unix-socket.ts
b/test/unix-socket.ts
+@@ -8,6 +8,13 @@
+ response.end('ok');
+ };
+
++const redirectHandler: Handler = (_request, response) => {
++ response.writeHead(302, {
++ location: 'foo'
++ });
++ response.end();
++};
++
+ if (process.platform !== 'win32') {
+ test('works', withSocketServer, async (t, server) => {
+ server.on('/', okHandler);
+@@ -53,3 +60,11 @@
+ t.is((await got(url)).body, 'ok');
+ });
+ }
++
++test('redirects work', withSocketServer, async (t, server) => {
++ server.on('/',