Use an EventEmitter to replay failed proxy connect HTTP requests
#77
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is a fix for https://hackerone.com/reports/541502. Aborts the upstream proxy connection and instead uses a vanilla `EventEmitter` instance to replay the "data" events on to. This way, the node core `http` Client doesn't attempt to write the HTTP request that is intended to go to the destination server to the proxy server. Closes #76.
TooTallNate
force-pushed
the
fix/hackerone.com/reports/541502
branch
from
8df8813 to
d9eb617
Compare
mastermatt
approved these changes
Oct 7, 2019
|
Tested. Looks good!
|
|
Thanks for the review. Published as v3.0.0. |
This was referenced Oct 9, 2019
TooTallNate
pushed a commit
to TooTallNate/node-pac-proxy-agent
that referenced
this pull request
Oct 15, 2019
Fixes a MitM vulnerability in the module. See: TooTallNate/proxy-agents#77
TooTallNate
pushed a commit
to TooTallNate/node-proxy-agent
that referenced
this pull request
Oct 15, 2019
Fixes a MitM vulnerability in the module. See: TooTallNate/proxy-agents#77
feelepxyz
added a commit
to feelepxyz/security-wg
that referenced
this pull request
Nov 18, 2019
It looks like this vulnerability is now patched in version 2.2.3: https://github.com/TooTallNate/node-https-proxy-agent/releases/tag/2.2.3 Fixed in PR: TooTallNate/proxy-agents#77
MarcinHoppe
pushed a commit
to nodejs/security-wg
that referenced
this pull request
Nov 18, 2019
It looks like this vulnerability is now patched in version 2.2.3: https://github.com/TooTallNate/node-https-proxy-agent/releases/tag/2.2.3 Fixed in PR: TooTallNate/proxy-agents#77
This was referenced Mar 9, 2021
This was referenced Mar 12, 2021
Bump https-proxy-agent from 2.2.2 to 2.2.4 in /client
PolaricEntropy/UnrealScript-Language-Service#1
Closed
patrickm68
added a commit
to patrickm68/security-wg-process
that referenced
this pull request
Sep 14, 2023
It looks like this vulnerability is now patched in version 2.2.3: https://github.com/TooTallNate/node-https-proxy-agent/releases/tag/2.2.3 Fixed in PR: TooTallNate/proxy-agents#77
mattstern31
added a commit
to mattstern31/security-wg-process
that referenced
this pull request
Nov 11, 2023
It looks like this vulnerability is now patched in version 2.2.3: https://github.com/TooTallNate/node-https-proxy-agent/releases/tag/2.2.3 Fixed in PR: TooTallNate/proxy-agents#77
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a fix for https://hackerone.com/reports/541502.
Aborts the upstream proxy connection and instead uses a vanilla
EventEmitterinstance to replay the "data" events on to. This way, the node corehttpClient doesn't attempt to write the HTTP request that is intended to go to the destination server to the proxy server.Closes #76.
Fixes #78.