
GET requests are mutating the shared headers causing parameters to leak into subsequent requests #344

Closed
dnnyjns opened this issue Jun 17, 2022 · 1 comment · Fixed by #388
Labels
bug This points to a verified bug in the code

Comments

dnnyjns commented Jun 17, 2022

Describe the problem

GET requests are mutating the shared headers, causing parameters to leak into subsequent requests.
Relevant code where the headers are being mutated:

# Mutate the headers property to add parameters.
add_headers({params: body})

Is there any reason why headers.merge(params: body) would not be used instead?

What was the expected behavior?

I would expect parameters from a GET request to not leak into subsequent POST/PATCH requests.

Reproduction

RestClient.log = 'stdout'

client = Auth0Client.new(
  client_id: AUTH0_CONFIG['client_id'],
  client_secret: AUTH0_CONFIG['client_secret'],
  api_identifier: AUTH0_CONFIG['api_identifier'],
  domain: AUTH0_CONFIG['domain'],
  api_version: 2,
  timeout: 15 
)

client.users_by_email("this_email_leaks_into_headers@example.com")
# RestClient.get "https://****/api/v2/users-by-email?email=this_email_leaks_into_headers%40example.com", "Accept"=>"*/*", "Auth0-Client"=>"****", "Authorization"=>"Bearer ****", "Content-Type"=>"application/json"
# => 200 OK | application/json 2 bytes, 0.68s

client.create_user("Username-Password-Authentication", { email: "email@example.com" })
# RestClient.post "https://****/api/v2/users?email=this_email_leaks_into_headers%40example.com", "{\"email\":\"email@example.com\",\"connection\":\"Username-Password-Authentication\"}", "Accept"=>"*/*", "Auth0-Client"=>"****", "Authorization"=>"Bearer ****", "Content-Length"=>"85", "Content-Type"=>"application/json"
# => 400 BadRequest | application/json 104 bytes, 0.63s

Environment

  • Version of this library used: v5.8.0
  • Which framework are you using, if applicable: Rails
  • Other modules/plugins/libraries that might be involved:
  • Any other relevant information you think would be useful: Relevant code
    # Mutate the headers property to add parameters.
    add_headers({params: body})
stevehobbsdev added the label "bug: This points to a verified bug in the code" on Jun 21, 2022

stevehobbsdev (Contributor) commented

Thanks for raising. I think expecting these values to not bleed into other requests is totally reasonable. I think those body headers could just be merged without merging them into the instance-level headers, but I worry that some might rely on this bug being there. I think we'll have the same problem with deletes as well.

Not ideal but, for now, you're able to clear the offending headers between requests using:

client.headers.delete :params
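The leak described in this issue, as an added example that is not the auth0 SDK's code: a minimal stand-in for the client's header handling in which a GET writes `:params` into the shared instance headers (the reported bug) or, in the fixed mode, builds a per-request merged copy. `Client`, `build` and `params_leak?` are hypothetical names, and no network I/O is performed.

```ruby
# Added example, not the auth0 SDK's code. Shows why a GET that writes :params into
# the shared @headers hash leaks its query into a later POST, and how a per-request
# merge avoids it. Class and method names are hypothetical.
class Client
  attr_reader :headers

  def initialize(token, mutate_shared:)
    # Instance-level headers every request sends (mirrors the SDK's shared headers).
    @headers = { 'Authorization' => "Bearer #{token}",
                 'Content-Type'  => 'application/json' }
    @mutate_shared = mutate_shared
  end

  # GET with query parameters. In "leaky" mode the params are written into the shared
  # hash, as add_headers({params: body}) does; otherwise a merged copy is built for
  # this request only and the shared hash is left untouched.
  def get(path, params)
    if @mutate_shared
      @headers[:params] = params
      build(:get, path, nil, @headers)
    else
      build(:get, path, nil, @headers.merge(params: params))
    end
  end

  def post(path, body)
    build(:post, path, body, @headers)
  end

  private

  # Returns what would be handed to the HTTP layer; nothing is sent.
  def build(method, path, body, hdrs)
    { method: method, path: path, body: body, headers: hdrs.dup }
  end
end

# Runs the sequence from the report (GET users-by-email, then POST users) and
# returns the headers the POST would carry. Token and addresses are constructed.
def post_headers_after_get(mutate_shared:)
  client = Client.new('constructed-token', mutate_shared: mutate_shared)
  client.get('/api/v2/users-by-email', { email: 'this_email_leaks@example.com' })
  client.post('/api/v2/users',
              { email: 'email@example.com',
                connection: 'Username-Password-Authentication' })[:headers]
end

# Regression check: does a POST built after a GET still carry a :params key?
def params_leak?(mutate_shared:)
  post_headers_after_get(mutate_shared: mutate_shared).key?(:params)
end
```

Running `params_leak?(mutate_shared: true)` reproduces the report (the POST carries the GET's query), while `params_leak?(mutate_shared: false)` returns false because the shared headers were never written to.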
