1 parent
65ab7d5
commit 395914f
Showing
7 changed files
with
148 additions
and
106 deletions.
@@ -0,0 +1,10 @@ | ||
# Security Policy | ||
|
||
## Reporting a Vulnerability | ||
|
||
To report a vulnerability, please send an email to `security@httpie.io` describing the: | ||
|
||
- The description of the vulnerability itself | ||
- A short reproducer to verify it (you can submit a small HTTP server, a shell script, a docker image etc.) | ||
- The severity level classification (`LOW`/`MEDIUM`/`HIGH`/`CRITICAL`) | ||
- If associated with any, the [CWE](https://cwe.mitre.org/) ID. |
Empty file.
@@ -0,0 +1,103 @@ | ||
import argparse | ||
from typing import Any, Type, List, Dict, TYPE_CHECKING | ||
|
||
if TYPE_CHECKING: | ||
from httpie.sessions import Session | ||
|
||
INSECURE_COOKIE_JAR_WARNING = '''\ | ||
Outdated layout detected for the current session. Please consider updating it, | ||
in order to not get affected by potential security problems. | ||
For fixing the current session: | ||
With binding all cookies to the current host (secure): | ||
$ httpie cli sessions upgrade --bind-cookies {hostname} {session_id} | ||
Without binding cookies (leaving them as is) (insecure): | ||
$ httpie cli sessions upgrade {hostname} {session_id} | ||
''' | ||
|
||
|
||
INSECURE_COOKIE_JAR_WARNING_FOR_NAMED_SESSIONS = '''\ | ||
For fixing all named sessions: | ||
With binding all cookies to the current host (secure): | ||
$ httpie cli sessions upgrade-all --bind-cookies | ||
Without binding cookies (leaving them as is) (insecure): | ||
$ httpie cli sessions upgrade-all | ||
''' | ||
|
||
INSECURE_COOKIE_SECURITY_LINK = '\nSee https://pie.co/docs/security for more information.' | ||
|
||
|
||
def pre_process(session: 'Session', cookies: Any) -> List[Dict[str, Any]]: | ||
"""Load the given cookies to the cookie jar while maintaining | ||
support for the old cookie layout.""" | ||
|
||
is_old_style = isinstance(cookies, dict) | ||
if is_old_style: | ||
normalized_cookies = [ | ||
{ | ||
'name': key, | ||
**value | ||
} | ||
for key, value in cookies.items() | ||
] | ||
else: | ||
normalized_cookies = cookies | ||
|
||
should_issue_warning = is_old_style and any( | ||
cookie.get('domain', '') == '' | ||
for cookie in normalized_cookies | ||
) | ||
|
||
if should_issue_warning and not session.refactor_mode: | ||
warning = INSECURE_COOKIE_JAR_WARNING.format(hostname=session.bound_host, session_id=session.session_id) | ||
if not session.is_anonymous: | ||
warning += INSECURE_COOKIE_JAR_WARNING_FOR_NAMED_SESSIONS | ||
warning += INSECURE_COOKIE_SECURITY_LINK | ||
|
||
session.env.log_error( | ||
warning, | ||
level='warning' | ||
) | ||
|
||
return normalized_cookies | ||
|
||
|
||
def post_process( | ||
normalized_cookies: List[Dict[str, Any]], | ||
*, | ||
original_type: Type[Any] | ||
) -> Any: | ||
"""Convert the cookies to their original format for | ||
maximum compatibility.""" | ||
|
||
if issubclass(original_type, dict): | ||
return { | ||
cookie.pop('name'): cookie | ||
for cookie in normalized_cookies | ||
} | ||
else: | ||
return normalized_cookies | ||
|
||
|
||
def fix_layout(session: 'Session', hostname: str, args: argparse.Namespace) -> None: | ||
if not isinstance(session['cookies'], dict): | ||
return None | ||
|
||
session['cookies'] = [ | ||
{ | ||
'name': key, | ||
**value | ||
} | ||
for key, value in session['cookies'].items() | ||
] | ||
for cookie in session.cookies: | ||
if cookie.domain == '': | ||
if args.bind_cookies: | ||
cookie.domain = hostname | ||
else: | ||
cookie._rest['is_explicit_none'] = True |
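Review bot: The `--bind-cookies` branch of `fix_layout` assigns `cookie.domain = hostname` without checking that `hostname` is non-empty, so an upgrade run for a session that has no host to bind to would leave `cookie.domain == ''` — exactly the unbound state that the `pre_process` warning labels insecure — while the user believes the cookies are now pinned; a guard before the loop such as `if args.bind_cookies and not hostname: raise ValueError('cannot bind cookies: the session has no host to bind them to')` (or the project's usual error type) closes that gap. Whether an empty hostname can actually reach this function depends on the CLI plumbing outside this hunk, so confirm that before adding the check. Relatedly, `pre_process` tests `cookie.get('domain', '') == ''`, which does not flag a legacy entry carrying an explicit `'domain': None`; `not cookie.get('domain')` covers both shapes and matches the `cookie.domain == ''` test in `fix_layout` once the jar normalizes it. Finally, `post_process` calls `cookie.pop('name')` on the dicts it was handed, mutating the caller's `normalized_cookies` in place — building the entry as `{k: v for k, v in cookie.items() if k != 'name'}` avoids that surprise — and `cookie._rest['is_explicit_none']` in `fix_layout` relies on a private attribute of `http.cookiejar.Cookie` that is not part of its documented API, which deserves a comment explaining why it is needed.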