Fix minor DoS on 3.1.x version #170

Closed · wants to merge 2 commits into base: master

4 participants

remy commented Jan 20, 2016

Firstly: I couldn't seem to create this PR without it including 66dd8f9 - I think it's because it doesn't exist on master, nor any other active branch, so I think this PR might need some tweaking to make it into a release.

This PR, which is really just this commit, fixes the DoS attack that was merged into the 4.x code, but applies it to the 3.x code.

This seemed important specifically because request relies on hawk@3.x and has said they're not ready to drop node < 4 support (which would come via hawk@4).

So this patch will offer a 3.1.x version that has the vuln fixed, which should allow request to update their dependencies.

This particular patch was generated for Snyk users, but we'd rather see users be able to do updates over patches in their remediation.

I hope this patch will be considered and merged (for release to 3.1.3). Thanks!

hueniverse and others added some commits Nov 19, 2015

Fix minor DoS attack on long headers or uris.
Related to #168

Supports the fix on the 3.x branch allowing for https://github.com/request/request to pick up the fix in 3.1.x

Fixes request/request#2020
jakubpawlowicz commented Jan 20, 2016

Thanks @remy, exactly the issue we're having!

Use https://github.com/hueniverse/hawk/tree/v3.1.x instead of master

Also, note that this doesn't affect any request user. It could affect people using hawk on the server to protect services but not anyone using it to make requests.

hueniverse (Owner) commented Jan 20, 2016

Use https://github.com/hueniverse/hawk/tree/v3.1.x instead of master

Also, note that this doesn't affect any request user. It could affect people using hawk on the server to protect services but not anyone using it to make requests.
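As an added illustration of the server-side risk described above (this is example code, not hawk's own), the defensive pattern behind a "long header or URI" fix: bound the length of the Authorization header and the request URI before they reach the regex-based attribute parser. The 4096-byte limit, the function names and the sample inputs are assumptions constructed for this example; the `Hawk id="...", ts="...", nonce="...", mac="..."` header shape is the Hawk scheme's documented format.

```javascript
// Added example (not hawk's own code): bound untrusted input size before a
// regex-based parser runs, so parsing cost stays predictable for any client.
// The 4096-byte limit and all function names are assumptions for illustration.
const MAX_MATCH_LENGTH = 4096;

// Hawk-style header: 'Hawk id="...", ts="...", nonce="...", mac="..."'
const SCHEME_REGEX = /^(\w+)(?:\s+(.*))?$/;
const ATTRIBUTE_REGEX = /^(\w+)="([^"\\]*)"\s*(?:,\s*|$)/;
const ALLOWED_KEYS = new Set(['id', 'ts', 'nonce', 'hash', 'ext', 'mac', 'app', 'dlg']);

function parseAuthorizationHeader(header) {
  if (typeof header !== 'string') return { error: 'Missing authorization header' };
  // Length check first: reject oversized headers before any matching work is done.
  if (header.length > MAX_MATCH_LENGTH) return { error: 'Header length too long' };

  const parts = header.match(SCHEME_REGEX);
  if (!parts || parts[1].toLowerCase() !== 'hawk') return { error: 'Wrong scheme' };

  const attributes = {};
  let rest = parts[2] || '';
  while (rest.length > 0) {
    const m = rest.match(ATTRIBUTE_REGEX);
    if (!m) return { error: 'Bad header format' };
    if (!ALLOWED_KEYS.has(m[1])) return { error: 'Unknown attribute: ' + m[1] };
    if (m[1] in attributes) return { error: 'Duplicate attribute: ' + m[1] };
    attributes[m[1]] = m[2];
    rest = rest.slice(m[0].length); // consume "key="value", " and continue
  }
  return { attributes };
}

// Same bound applied to the request URI before it is parsed or normalized.
function checkRequestUri(url) {
  if (typeof url !== 'string' || url.length > MAX_MATCH_LENGTH) {
    return { error: 'Request uri is too long' };
  }
  return { ok: true };
}

// Constructed inputs: a well-formed header and an oversized one.
const GOOD_HEADER = 'Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2", ' +
  'mac="6R4rV5iE+NPoym+WwjeHzjAGXUtLNIxmo1vpMofpLAE="';
const LONG_HEADER = 'Hawk id="' + 'a'.repeat(MAX_MATCH_LENGTH) + '", ts="1353832234"';
```

The check on the header is what matters for a service validating Hawk credentials; a client that only signs outgoing requests never runs this code path, which matches the note that request users are unaffected.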

remy commented Jan 20, 2016

When making the PR, github was only listing master as the merge target (which I appreciate isn't where you want the code to go). Am I missing something?

On Wed, 20 Jan 2016 17:46 Eran Hammer notifications@github.com wrote:

Use https://github.com/hueniverse/hawk/tree/v3.1.x instead of master

Also, note that this doesn't affect any request user. It could affect people using hawk on the server to protect services but not anyone using it to make requests.

landau commented Jan 20, 2016

I need this on server. :) +1

remy commented Jan 20, 2016

@hueniverse I've created #171 against the new tree/v3.1.x branch and that's correctly giving me a single commit. I'll close this PR in favour of that new PR.