From 489f74342f76f4985acd57fe07324d4e51777858 Mon Sep 17 00:00:00 2001
From: ranjit-git
Date: Tue, 18 Jan 2022 14:27:23 +0530
Subject: [PATCH] Bug fix: Thirdparty cookie leak

---
 index.js | 26 +++++++++----------------
 1 file changed, 9 insertions(+), 17 deletions(-)

diff --git a/index.js b/index.js
index 6d1e7ba..a650a2c 100644
--- a/index.js
+++ b/index.js
@@ -9,9 +9,6 @@ const once = require('once')
 const querystring = require('querystring')
 const url = require('url')
 
-var flag=false
-var original_host;
-
 const isStream = o => o !== null && typeof o === 'object' && typeof o.pipe === 'function'
 
 function simpleGet (opts, cb) {
@@ -37,13 +34,8 @@ function simpleGet (opts, cb) {
 opts.headers['content-type'] = 'application/x-www-form-urlencoded'
 }
 
- //getting original host
- if (!flag){
- original_host=opts.hostname
- //console.log(original_host)
- flag=true
- }
-
+ const ohost = opts.hostname
+
 if (body) {
 if (!opts.method) opts.method = 'POST'
 if (!isStream(body)) opts.headers['content-length'] = Buffer.byteLength(body)
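Review bot: `const ohost = opts.hostname` snapshots only the hostname, so the comparison it feeds in the `@@ -61,13 +53,13 @@` hunk cannot distinguish an https → http (or port-changing) redirect on the same host from a same-origin one, and `cookie`/`authorization` would still be forwarded on such a downgrade. If `opts.protocol` and `opts.port` are populated next to `opts.hostname` (their parsing is not in this hunk), capturing them here, e.g. `const oproto = opts.protocol`, and widening the redirect condition to `const target = url.parse(opts.url)` / `if (target.hostname !== null && (target.hostname !== ohost || target.protocol !== oproto))` would close that gap. A comment saying why the host is captured before the request is made would also help, since the variable is only read after the response arrives, e.g. `// Remember the host this request is sent to; a redirect elsewhere must not carry its credentials`. The body of simpleGet continues outside the hunk.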
@@ -61,13 +53,13 @@ function simpleGet (opts, cb) {
 delete opts.headers.host // Discard `host` header on redirect (see #32)
 res.resume() // Discard response
 
- var redirect_host=url.parse(opts.url).hostname //getting redirected hostname
- //if redirected host is different than original host then drop cookie header to prevent cookie leak in thirdparty site redirect
- if(redirect_host !== null && redirect_host !== original_host){
- delete opts.headers.cookie;
- delete opts.headers.authorization;
- }
-
+ const rhost = url.parse(opts.url).hostname // eslint-disable-line node/no-deprecated-api
+ // if redirected host is different than original host then drop cookie header to prevent cookie leak in thirdparty site redirect
+ if (rhost !== null && rhost !== ohost) {
+ delete opts.headers.cookie
+ delete opts.headers.authorization
+ }
+
 if (opts.method === 'POST' && [301, 302].includes(res.statusCode)) {
 opts.method = 'GET' // On 301/302 redirect, change POST to GET (see #35)
 delete opts.headers['content-length']; delete opts.headers['content-type']
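Review bot: `delete opts.headers.cookie` and `delete opts.headers.authorization` only remove lower-case keys, so unless header names are normalised to lower case before this point (not visible in the hunk; the surrounding `delete opts.headers.host` and `opts.headers['content-length']` lines suggest they are), a caller-supplied `Cookie` or `Authorization` entry would survive the cross-host redirect. A name-insensitive sweep avoids depending on that: `for (const name of Object.keys(opts.headers)) {` / `  if (['cookie', 'authorization'].includes(name.toLowerCase())) delete opts.headers[name]` / `}`. The comment above the check could also state exactly what is compared, since `ohost` is the host this request was sent to and not necessarily the first request's host if the client follows several redirects, e.g. `// Drop credentials when the redirect target is on a different host than the one this request was sent to`. The enclosing response callback and simpleGet itself continue outside the hunk.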