Forbid Redirect Downgrade from HTTPS to HTTP #165

Closed
@JLLeitschuh

Description

Feature Request

If an HTTPS client request gets downgraded by a redirect to HTTP by some host in the redirect chain, users should have the option to forbid this downgrade in the configuration of the HttpClient.

Impacted Code

```typescript
let redirectsRemaining: number = this._maxRedirects;
while (HttpRedirectCodes.indexOf(response.message.statusCode) != -1
       && this._allowRedirects
       && redirectsRemaining > 0) {
    const redirectUrl: any = response.message.headers["location"];
    if (!redirectUrl) {
        // if there's no location to redirect to, we won't
        break;
    }
    // we need to finish reading the response before reassigning response
    // which will leak the open socket.
    await response.readBody();
    // let's make the request with the new redirectUrl
    info = this._prepareRequest(verb, redirectUrl, headers);
    response = await this.requestRaw(info, data);
    // remaining redirect budget is consumed per hop (rest of loop body elided in the issue)
    redirectsRemaining--;
}
```

There is no check to see if the new redirect location is a downgrade from HTTPS to HTTP.

While not strictly a security vulnerability, this does have security implications.

Use Case

The use case for this is the GitHub Actions toolkit API. See: actions/toolkit#162

The GitHub actions toolkit is used to download other tools using the downloadTool API. We'd like to require that users provide SHA-256 checksums for their artifacts if they end up using HTTP instead of HTTPS to prevent MITM attacks against the GH Actions supply chain.

This verification should also be required if somewhere in the redirect chain in downloading the tool, the request is downgraded from HTTPS to HTTP. Currently, the HttpClient doesn't support this sort of check.
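The check the issue asks for, as an added example that is not typed-rest-client's own code: the Location header is resolved against the URL that produced it, and a downgraded hop is refused before it is requested. The `allowDowngrade` option name, the `followRedirects` helper and the redirect table are assumptions standing in for the real client and network.

```typescript
// Added example, not typed-rest-client code: detect an HTTPS -> HTTP downgrade
// anywhere in a redirect chain before the next hop is actually requested.
// Constructed stand-in for a fetched response: only what the check needs.
interface HopResponse {
  statusCode: number;
  location?: string;
}

// Constructed redirect table keyed by absolute URL, standing in for the network.
type RedirectTable = Record<string, HopResponse>;

const REDIRECT_CODES = new Set([301, 302, 303, 307, 308]);

// Resolve Location against the URL that produced it (Location may be relative,
// so a plain startsWith("http:") test is wrong) and report a https -> http hop.
function isDowngrade(fromUrl: string, location: string): boolean {
  const from = new URL(fromUrl);
  const to = new URL(location, from); // relative Location keeps the scheme
  return from.protocol === "https:" && to.protocol === "http:";
}

// Walk the chain the way the issue's loop does, but refuse a downgraded hop
// unless allowDowngrade (an assumed option name) is set. Returns the final URL.
function followRedirects(
  startUrl: string,
  table: RedirectTable,
  allowDowngrade = false,
  maxRedirects = 5
): string {
  let current = startUrl;
  let remaining = maxRedirects;
  while (remaining > 0) {
    const resp = table[current];
    if (!resp || !REDIRECT_CODES.has(resp.statusCode) || !resp.location) break;
    if (!allowDowngrade && isDowngrade(current, resp.location)) {
      throw new Error(`redirect downgrade refused: ${current} -> ${resp.location}`);
    }
    current = new URL(resp.location, current).toString();
    remaining--;
  }
  return current;
}

// Constructed chain: the second hop drops to plain HTTP.
const SAMPLE_CHAIN: RedirectTable = {
  "https://tools.example.test/cli": { statusCode: 302, location: "/cli/latest" },
  "https://tools.example.test/cli/latest": { statusCode: 301, location: "http://mirror.example.test/cli.tgz" },
  "http://mirror.example.test/cli.tgz": { statusCode: 200 },
};
```

With the default `allowDowngrade = false`, `followRedirects("https://tools.example.test/cli", SAMPLE_CHAIN)` throws at the second hop; with it set to `true` the chain completes on the HTTP mirror, which is the point at which a checksum requirement would apply.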
