Destroy socket on failure to CONNECT (avoids TLS risk) #76
Signed-off-by: Kris Adler <[email protected]>
@TooTallNate Nate, hello there! Nice to GitHub meet you. Do you think you'll be accepting or considering this PR for acceptance? If not, do you think you'll be taking any steps to address the security bulletin that indicated there's a potential security bug in this repo? https://hackerone.com/reports/541502 Asking because a lot of the downstream security products have picked up this report, which in turn is flagging our package (which uses No worries if not -- I know how unpaid open source work can go -- but knowing what the plans are would help us decide what we need to do for our own package(s).
This is a fix for https://hackerone.com/reports/541502. Aborts the upstream proxy connection and instead uses a vanilla `EventEmitter` instance to replay the "data" events on to. This way, the node core `http` Client doesn't attempt to write the HTTP request that is intended to go to the destination server to the proxy server. Closes #76.
Hey @kadler15 @astormnewrelic. Thanks for reaching out. I have proposed an alternative solution in #77, which doesn't end up altering the API (the replay still happens, but it's "synthetic" now). Please take a look and let me know if that adequately fixes the vulnerability. Cheers!
Nice! Thank you @TooTallNate -- as to whether #77 is an appropriate fix or not, I don't know. I'm just a programmer at the whim of security products. @kadler15 it seems like you're familiar with the
@astormnewrelic I'll double check these changes today. @TooTallNate Your changes seem like a great way to preserve the current API while closing the vulnerability. Nice work!
Closing in favor of #77
* Use an `EventEmitter` to replay failed proxy connect HTTP requests

  This is a fix for https://hackerone.com/reports/541502. Aborts the upstream proxy connection and instead uses a vanilla `EventEmitter` instance to replay the "data" events on to. This way, the node core `http` Client doesn't attempt to write the HTTP request that is intended to go to the destination server to the proxy server. Closes #76.

* Adjust comment
Vulnerability reference: https://hackerone.com/reports/541502
Unfortunately, this results in the loss of proxy error playback for client-side error handling added in ae03c68
Other parts of the proxy error playback machinery can be removed in the future.