New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix remote memory disclosure with multipart attachments #2018
Conversation
For the record, I'm sharing this here for the first time since this doesn't seem particularly easy to exploit. That said, it's still probably a good idea to release a fix in a timely manner. |
Thanks I've added your commit here #2022 + a test case. |
It still looks like a much better idea to send those over emails. Can I have a chat with you on IRC or Gitter? |
@feross I know of at least one npm module that reads config from a JSON file and sends a multipart request using typed value from that config as the raw |
Vulnerable range: self.body += '\r\n' + body + '\r\n'
})
self.body += '--frontier--'
}
if (self.body) {
if (!Buffer.isBuffer(self.body)) {
self.body = new Buffer(self.body)
} |
I just found out that relevant and widespread softwares are still impacted:
I think that it should be important to inform better the users around issues like this. |
@evilaliv3 |
This update is to address a security vulnerability allowing potential remote memory exposure on request<=2.68 Details: - https://snyk.io/vuln/npm:request:20160119 - request/request#2018
… remote memory exposure on request<=2.68 Details: - https://snyk.io/vuln/npm:request:20160119 - request/request#2018
This update is to address a security vulnerability allowing potential remote memory exposure on request<=2.68 Details: - https://snyk.io/vuln/npm:request:20160119 - request/request#2018
This update is to address a security vulnerability allowing potential remote memory exposure on request<=2.68 Details: - https://snyk.io/vuln/npm:request:20160119 - request/request#2018
This update is to address a security vulnerability allowing potential remote memory exposure on request<=2.68 Details: - https://snyk.io/vuln/npm:request:20160119 - request/request#2018
If the node process makes a request with a multipart attachment, and the type of the
body
option is aNumber
, then that many bytes of uninitialized memory will be sent in the body of the request. Here's an example:And here's a more complete reproducible example:
This PR fixes the issue by coercing the type of the
body
option to a string. (An alternate solution would be to throw an exception in this case.)Further reading: