
utils/curl: fix headers check for protected urls #13198

Merged
merged 1 commit into from Apr 26, 2022

Conversation

bayandin
Member

@bayandin bayandin commented Apr 26, 2022

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes? Here's an example.
  • Have you successfully run brew style with your changes locally?
  • Have you successfully run brew typecheck with your changes locally?
  • Have you successfully run brew tests with your changes locally?

This PR fixes the headers check in the `url_protected_by_cloudflare?` and `url_protected_by_incapsula?` methods.

$ brew audit linode-cli --online --git --skip-style --verbose
Error: undefined method `match?' for #<Hash:0x00007fd81a9de668>
Please report this issue:
  https://docs.brew.sh/Troubleshooting
/usr/local/Homebrew/Library/Homebrew/utils/curl.rb:205:in `url_protected_by_cloudflare?'
/usr/local/Homebrew/Library/Homebrew/utils/curl.rb:268:in `curl_check_http_content'
/usr/local/Homebrew/Library/Homebrew/formula_auditor.rb:469:in `audit_homepage'
/usr/local/Homebrew/Library/Homebrew/formula_auditor.rb:845:in `block in audit'
/usr/local/Homebrew/Library/Homebrew/formula_auditor.rb:840:in `each'
/usr/local/Homebrew/Library/Homebrew/formula_auditor.rb:840:in `audit'
/usr/local/Homebrew/Library/Homebrew/dev-cmd/audit.rb:196:in `block in audit'
/usr/local/Homebrew/Library/Homebrew/dev-cmd/audit.rb:180:in `to_h'
/usr/local/Homebrew/Library/Homebrew/dev-cmd/audit.rb:180:in `audit'
/usr/local/Homebrew/Library/Homebrew/brew.rb:110:in `<main>'

Spotted in Homebrew/homebrew-core#100147

@bayandin bayandin added the critical Critical change which should be shipped as soon as possible. label Apr 26, 2022
@BrewTestBot
Member

Review period skipped due to critical label.

Comment on lines 213 to 214
details[:status].to_i == 403 &&
details[:headers].match?(/^Set-Cookie: visid_incap_/i) &&
details[:headers].match?(/^Set-Cookie: incap_ses_/i)
details[:headers].fetch("set-cookie", "").match?(/visid_incap_|incap_ses_/i)
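Review bot: the added `details[:headers].fetch("set-cookie", "")` line reads one value for the `set-cookie` key, so when a response carries several Set-Cookie headers only the instance the parser kept (the last one, per the discussion below) is inspected and the other Incapsula cookie can be missed; also, the removed lines required both `visid_incap_` and `incap_ses_`, while the new alternation `/visid_incap_|incap_ses_/i` passes on either one, which widens what counts as Incapsula-protected. Suggest either having the parser collect repeated headers into an array and checking every value, e.g. `Array(details[:headers]["set-cookie"]).any? { |c| c.match?(/visid_incap_|incap_ses_/i) }`, or stating in the PR description that matching on either cookie is intentional.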
Member Author

@bayandin bayandin Apr 26, 2022


I've changed the logic here because the same header won't satisfy both /^Set-Cookie: visid_incap_/i and /^Set-Cookie: incap_ses_/i (I assume that details[:headers] is a regular hash that can't contain several values with the same key, and we got string values here).

/cc @samford

Member


Thanks for the fix!

At the moment, headers from #parse_curl_output only include the last instance of a given header (i.e., an earlier header will be overwritten by a later header). :headers was just a string before (i.e., the entire header text from a response in curl output), so this previously checked all instances of a given header in a response.

There can be multiple Set-Cookie headers in a response, so we'll need to modify #parse_curl_output to properly handle multiple instances of a header. The simplest route would be to collect values in an array when a header appears more than once (I've seen this done in some libraries). We will have to update logic that accesses the value (e.g., the methods in this PR) to handle a potential string or array value but there's no good way around that (i.e., concatenating values from multiple headers into one string can lead to problems).

I'll tinker with this a bit (later today) and try to get a PR up.
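The approach sketched in the comment above, as an added example that is not Homebrew's own code: a header parser that keeps every instance of a repeated header in an array, plus an accessor and an Incapsula check that accept either a String or an Array value. The function names and the sample response are constructed for illustration.

```ruby
# Added example (not Homebrew's code): parse a raw curl response-header
# block into a hash, keeping every instance of a repeated header in an
# array instead of overwriting earlier values with later ones.
def parse_headers_keep_repeats(raw)
  headers = {}
  raw.each_line(chomp: true) do |line|
    next if line.empty? || line.start_with?("HTTP/")
    name, value = line.split(":", 2)
    next if value.nil?
    key = name.strip.downcase
    value = value.strip
    if headers.key?(key)
      # second or later instance: promote the value to an array
      headers[key] = Array(headers[key]) << value
    else
      headers[key] = value
    end
  end
  headers
end

# Access logic has to accept either a String or an Array value, as the
# comment above notes; Array() normalises both shapes (and a missing key).
def set_cookie_values(headers)
  Array(headers.fetch("set-cookie", nil)).compact
end

# Mirrors the intent of the original url_protected_by_incapsula? check:
# both Incapsula cookies must be present, which a single "last header
# wins" string value could never satisfy.
def incapsula_cookies_present?(headers)
  cookies = set_cookie_values(headers)
  cookies.any? { |c| c.match?(/\Avisid_incap_/i) } &&
    cookies.any? { |c| c.match?(/\Aincap_ses_/i) }
end

# Constructed sample response with two Set-Cookie headers (not a real capture).
SAMPLE_RESPONSE = <<~HEADERS
  HTTP/1.1 403 Forbidden
  Content-Type: text/html
  Set-Cookie: visid_incap_123=abc; path=/; HttpOnly
  Set-Cookie: incap_ses_456=def; path=/
HEADERS
```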

Member

@MikeMcQuaid MikeMcQuaid left a comment


Thanks @bayandin! Change looks good, optional style tweak which you can decline if desired.

@MikeMcQuaid MikeMcQuaid merged commit 3c73ac4 into Homebrew:master Apr 26, 2022
@bayandin bayandin deleted the fix-headers-check branch April 26, 2022 12:59
@github-actions github-actions bot added the outdated PR was locked due to age label May 27, 2022
@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 27, 2022