Headers are forwarded when the URL redirects to another domain and should not be (information leak)

[JamieSlome]

Hey there!

I belong to an open source security research community, and a member (@Sampaguitas) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

[FGRibreau]

Hello Jamie :)

Got the link through email, due to the low criticity of the bug, I'm open to a PR to fix it :)

[Sampaguitas]

Merci @FGRibreau :)

I'll prepare the fix and submit the PR as soon as I get back from work.

Shall I reduce the CVSS score on Huntr.dev portal?

With best regards,

Timothee

[JamieSlome]

@FGRibreau - great 👍

@Sampaguitas / @FGRibreau - let me know if there is anything I can do to support 😄

EDIT:
Just adding the report related to this issue for reference:
https://huntr.dev/bounties/a779faf5-c2cc-48be-a31d-4ddfac357afc/

[Sampaguitas]

Hi @FGRibreau, @JamieSlome,

The PR has been submitted :

HEAD...sampaguitas:master

I would appreciate if you could validate the finding & fix on hunter.dev:

https://huntr.dev/bounties/a779faf5-c2cc-48be-a31d-4ddfac357afc/

Have a nice day,

Timothee

[FGRibreau]

@Sampaguitas could you please open PR so I can merge it ? https://github.com/FGRibreau/node-request-retry/compare :)

Here is some help

[Sampaguitas]

Hi @FGRibreau, I have open the PR

[FGRibreau]

Fixed and released in v7.0.0 (since it might break things for some people)

[JamieSlome]

Thanks for the support and contributions @FGRibreau @Sampaguitas!

I have confirmed the fix against the report 👍

[curtispd]

This has caused a serious regression for us, please see: #140

[Sampaguitas]

Hi @curtispd, see response here.