Processed: Re: Bug#1014054: bullseye-pu: package node-got/11.8.1+~cs53.13.17-3+deb11u1

2022-06-29 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #1014054 [release.debian.org] bullseye-pu: package 
node-got/11.8.1+~cs53.13.17-3+deb11u1
Added tag(s) confirmed.

-- 
1014054: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014054
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1014054: bullseye-pu: package node-got/11.8.1+~cs53.13.17-3+deb11u1

2022-06-29 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Wed, 2022-06-29 at 16:32 +0200, Yadd wrote:
> [ Reason ]
> node-got allows redirection to unix sockets (#1013264, CVE-2022-
> 33987)
> 
> [ Impact ]
> Medium vulnerability: a remote host can redirect a node-got request
> to a
> Unix socket
> 

Please go ahead.

Regards,

Adam



Bug#1014054: bullseye-pu: package node-got/11.8.1+~cs53.13.17-3+deb11u1

2022-06-29 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
node-got allows redirection to unix sockets (#1013264, CVE-2022-33987)

[ Impact ]
Medium vulnerability: a remote host can redirect a node-got request to a
Unix socket

[ Tests ]
Sadly, tests aren't enabled: ava was introduced earlier in Debian

[ Risks ]
Low risk:
 * patch is trivial
 * package is built from TypeScript, so the tsc compiler checks for
   a lot of errors

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Just reject URLs starting with "unix:" if the original request wasn't a
"unix:" request.

Note that I had to add a TypeScript change: one previously ignored error is
no longer an error.

Regards,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 9cda1ef..a4bd358 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-got (11.8.1+~cs53.13.17-3+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Don't allow redirection to Unix socket (Closes: #1013264, CVE-2022-33987)
+
+ -- Yadd   Wed, 29 Jun 2022 16:30:16 +0200
+
 node-got (11.8.1+~cs53.13.17-3) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2022-33987.patch 
b/debian/patches/CVE-2022-33987.patch
new file mode 100644
index 000..79c012f
--- /dev/null
+++ b/debian/patches/CVE-2022-33987.patch
@@ -0,0 +1,100 @@
+Description: Don't allow redirect to Unix socket
+Author: Sindre Sorhus 
+Origin: upstream, https://github.com/sindresorhus/got/commit/bce8ce7d
+Bug: https://github.com/sindresorhus/got/pull/2047
+Bug-Debian: https://bugs.debian.org/1013264
+Forwarded: not-needed
+Reviewed-By: Yadd 
+Last-Update: 2022-06-29
+
+--- a/source/core/index.ts
 b/source/core/index.ts
+@@ -2102,6 +2102,16 @@
+   const redirectString = redirectUrl.toString();
+   decodeURI(redirectString);
+ 
++  // eslint-disable-next-line 
no-inner-declarations
++  function isUnixSocketURL(url: URL) {
++  return url.protocol === 'unix:' || 
url.hostname === 'unix';
++  }
++
++  if (!isUnixSocketURL(url) && 
isUnixSocketURL(redirectUrl)) {
++  this._beforeError(new 
RequestError('Cannot redirect to UNIX socket', {}, this));
++  return;
++  }
++
+   // Redirecting to a different site, clear 
sensitive data.
+   if (redirectUrl.hostname !== url.hostname || 
redirectUrl.port !== url.port) {
+   if ('host' in options.headers) {
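Review bot: `isUnixSocketURL` is declared inside the method body, which is the only reason the `eslint-disable-next-line no-inner-declarations` suppression is needed; hoisting it to module scope as `const isUnixSocketURL = (url: URL): boolean => url.protocol === 'unix:' || url.hostname === 'unix';` drops the suppression, gives the helper an explicit return type, and avoids re-creating the function on every redirect. The guard `!isUnixSocketURL(url) && isUnixSocketURL(redirectUrl)` only rejects crossing from a network URL into a Unix socket, so a request that already targets a `unix:` URL may still be redirected to a different socket path — presumably intended given the `redirects work` test added in test/unix-socket.ts, but that asymmetry deserves a one-line comment, e.g. `// Only block network -> Unix-socket redirects; unix -> unix redirects stay allowed.`. The enclosing method starts and ends outside this hunk, so where `url` is bound relative to `options.url` is not visible here.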
+--- a/test/redirects.ts
 b/test/redirects.ts
+@@ -1,7 +1,7 @@
+ import test from 'ava';
+ import {Handler} from 'express';
+ import nock = require('nock');
+-import got, {MaxRedirectsError} from '../source';
++import got, {MaxRedirectsError, RequestError} from '../source';
+ import withServer, {withHttpsServer} from './helpers/with-server';
+ 
+ const reachedHandler: Handler = (_request, response) => {
+@@ -509,3 +509,32 @@
+   t.is(response.body, 'SERVER2');
+   });
+ });
++
++const unixProtocol: Handler = (_request, response) => {
++  response.writeHead(302, {
++  location: 'unix:/var/run/docker.sock:/containers/json'
++  });
++  response.end();
++};
++
++const unixHostname: Handler = (_request, response) => {
++  response.writeHead(302, {
++  location: 'http://unix:/var/run/docker.sock:/containers/json'
++  });
++  response.end();
++};
++
++test('cannot redirect to unix protocol', withServer, async (t, server, got) 
=> {
++  server.get('/protocol', unixProtocol);
++  server.get('/hostname', unixHostname);
++
++  await t.throwsAsync(got('protocol'), {
++  message: 'Cannot redirect to UNIX socket',
++  instanceOf: RequestError
++  });
++
++  await t.throwsAsync(got('hostname'), {
++  message: 'Cannot redirect to UNIX socket',
++  instanceOf: RequestError
++  });
++});
+--- a/test/unix-socket.ts
 b/test/unix-socket.ts
+@@ -8,6 +8,13 @@
+   response.end('ok');
+ };
+ 
++const redirectHandler: Handler = (_request, response) => {
++  response.writeHead(302, {
++  location: 'foo'
++  });
++  response.end();
++};
++
+ if (process.platform !== 'win32') {
+   test('works', withSocketServer, async (t, server) => {
+   server.on('/', okHandler);
+@@ -53,3 +60,11 @@
+   t.is((await got(url)).body, 'ok');
+   });
+ }
++
++test('redirects work', withSocketServer, async (t, server) => {
++  server.on('/',