Details
-
Bug
-
Status: Closed
-
Critical
-
Resolution: Fixed
-
0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.18.0, 0.19.0
-
This repros in all environments using the nodejs library.
Description
The header transport in `nodejs` has `TBufferTransport` and `TFramedTransport` improper extending the `THeaderTransport` prototype. The intention was to use `THeaderTransport` as an abstract base class and have concrete implementations in the other transports. In reality, every instance of `TBufferTransport` and `TFramedTransport` actually share a single instance of `THeaderTransport` being used as the prototype, which means that they all share one object that stores headers that every instance simultaneously mutates.
This leaks headers on both the read and the write paths:
- You can write incorrect headers to a transport that has written headers but hasn't flushed yet. This is especially troubling if the headers are used for auth, because you're able to mix up requests and auth as the wrong entity. (i.e., if two requests set an `Auth` header).
- You can read headers from other requests. They only clobber each other if they have the same name, but the union of all seen headers is returned in getReadHeaders.
The fix is straightforward but urgent: the header functionality is completely broken and a security risk to use in production.
Attachments
Issue Links
- links to