Open parameter-pollution opened 1 year ago
Thank you for contacting us! Any issue or feedback from you is quite important to us. We will do our best to fully respond to your issue as soon as possible. Sometimes additional investigation may be needed; we will usually get back to you within 2 days by adding comments to this issue. Please stay tuned.
The Teams Toolkit uses Axios to handle some HTTP requests. I have tried to set up a proxy on my machine and use Axios to send requests, but I have found that the proxy did not take effect. I'm not sure if this is a problem with Axios or how the code is being used. I will investigate further.
I have found a related issue about this in the Axios GitHub repository (https://github.com/axios/axios/issues/4531). We may need to update Axios to the latest version or do some work to fix this.
Describe the bug
I was trying to create an MS Teams app with the "Teams Toolkit" extension in VS Code, but our company network doesn't allow direct access to the internet, only via an HTTP proxy. This proxy is configured in the Windows settings and other programs are automatically using it correctly.
I have now managed to get it to work in this corporate network with these steps:
But initially I couldn't get it to work. The problem was that I had 2 environment variables set in Windows: HTTP_PROXY and HTTPS_PROXY.
They were set so npm worked with the proxy. But when they are set, the following happens: after signing in with "Sign in to Microsoft 365" (which works), it shows "Sideloading check failed". I used Wireshark to sniff the network activity and figured out what is going on: when the sideloading check is running, a TCP connection to the configured proxy was created and over this TCP connection it sent:
This is not how a request to a proxy to an HTTPS site is supposed to be established via a proxy. A "CONNECT host:port" has to be used. So this is correctly rejected by the proxy. And this contains my auth token. It's sent via cleartext in the headers to the proxy. When a standard "CONNECT" request is used then the proxy relays the TCP packets and a normal TLS handshake can be done => no 3rd party can see the auth token.
To Reproduce
Steps to reproduce the behavior:
If Wireshark is capturing while doing this, the cleartext request can be seen.
Expected behavior
A CONNECT request should have been sent and then a TLS handshake done over the resulting relayed connection. So the same behavior as if the environment variables were not set.
VS Code Extension Information (please complete the following information):
CLI Information (please complete the following information):
Additional context
I am not claiming that this is a big security issue, but auth tokens should not leave my machine via unencrypted connections. It would be great if it also worked correctly when the HTTP_PROXY and HTTPS_PROXY environment variables are set, because there is other software that needs them to be set; as a workaround, those could be unset and npm's proxy setting configured manually as mentioned above.
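As an added illustration of the report's point about CONNECT versus absolute-form requests (example code written for this page, not part of the Teams Toolkit or Axios), the Node.js snippet below classifies the first request a client sends to an HTTP proxy, as it would appear in a Wireshark capture, and reports whether the HTTPS request was tunneled or sent to the proxy in the clear with its Authorization header exposed. The captured bytes, hostname and token below are constructed placeholders.

```javascript
// Added example: detect an HTTP client that sends an https:// request to a
// proxy in absolute form (headers visible to the proxy) instead of tunneling
// it with CONNECT (proxy only relays bytes; TLS protects the headers).

// Parse the request line and headers of a raw HTTP message (up to the blank line).
function parseRequestHead(raw) {
  const headEnd = raw.indexOf('\r\n\r\n');
  const head = headEnd === -1 ? raw : raw.slice(0, headEnd);
  const [requestLine, ...headerLines] = head.split('\r\n');
  const [method, target, version] = requestLine.split(' ');
  const headers = {};
  for (const line of headerLines) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, target, version, headers };
}

// Classify the proxy request: CONNECT means tunneled; an absolute https://
// target means the proxy (and anyone on the path to it) sees every header.
function classifyProxyRequest(raw) {
  const { method, target, headers } = parseRequestHead(raw);
  const tunneled = method === 'CONNECT';
  const absoluteHttps = /^https:\/\//i.test(target);
  const sensitiveHeaders = ['authorization', 'cookie'].filter((h) => h in headers);
  return {
    method,
    tunneled,
    leaksOriginHeaders: !tunneled && absoluteHttps && sensitiveHeaders.length > 0,
    sensitiveHeaders,
  };
}

// The preamble a client should send to an HTTP proxy before starting TLS.
function buildConnectRequest(host, port = 443) {
  return `CONNECT ${host}:${port} HTTP/1.1\r\nHost: ${host}:${port}\r\n\r\n`;
}

// Constructed sample of the misbehaving client's first bytes to the proxy
// (placeholder host and token; not taken from the actual capture in the report).
const CAPTURED_LEAK = [
  'GET https://api.example.invalid/v1/sideloading HTTP/1.1',
  'Host: api.example.invalid',
  'Authorization: Bearer PLACEHOLDER_TOKEN',
  'Accept: application/json',
  '', '',
].join('\r\n');

console.log(classifyProxyRequest(CAPTURED_LEAK));
console.log(classifyProxyRequest(buildConnectRequest('api.example.invalid')));
```

Running the same classifier over the first TCP segment of each proxy connection in a capture is a quick way to find clients that bypass the CONNECT tunnel when HTTP_PROXY/HTTPS_PROXY are set.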