weird headers getting passed through

[mandric]

There are two headers, uri and statusCode which are not valid http that are being returned from the httpAgent code see lib/nano.js line 195. This could lead to some sensitive information being leaked to the client if you're just passing headers through from CouchDB. Let me know if you think this is a real problem, I'd be happy to try to come up with a valid patch.

Here's an example:

$ curl -I http://localhost:3333
HTTP/1.1 200 OK
X-Powered-By: Express
etag: "2-8f443270fec4fb34bbc4ebca93a565d3"
date: Tue, 09 Feb 2016 05:24:29 GMT
Content-Type: application/json; charset=utf-8
cache-control: must-revalidate
statusCode: 200
uri: http://admin:secret@localhost:5984/test/foo
Content-Length: 713
Connection: keep-alive

var express = require('express'), 
    db = require('nano')('http://admin:secret@localhost:5984/test'), 
    app = module.exports = express();

app.get('/', function(request,response) {
  db.get('foo', function (error, body, headers) {
    for (var k in headers) {
      response.header(k, headers[k]);
    }
    if (error) {
      return response.status(error.statusCode).send(error.reason);
    }
    response.send(body, 200);
  });
});
app.listen(3333);

[mandric]

Just checking back here, any comments? Do you agree this is a bug/potential security issue?

[carlosduclos]

This repository has been merged into apache/couchdb-nano, please continue the discussion here