Open Blaisorblade opened 8 years ago
Certainly seems like something worth addressing. I don't see how to exploit it either, since this isn't a browser POST, there are no cookies.
There are a lot of ways that building Haskell code is insecure. For example, TemplateHaskell code can basically issue any HTTP request it wants to (or do anything else on your system), so security issues in stack.yaml, while unfortunate, probably don't make much difference to overall security.
Indeed, so we could possibly leave this in as just a somewhat odd feature.
Somewhat related: my thoughts on using a custom URL type.
While reviewing #2412, I double-checked that the URL parser `parseRequest` in `FromJSON PackageLocation` did the right thing. But it seems it doesn't quite do that. It allows specifying a method: `parseRequest "POST http://httpbin.org/post"` [1].

Potentially worse, I can ship somebody a stack.yaml that will trigger POST requests upon install. I don't see how to actually exploit this, but someone might. Switching to another URI parser should prevent this, and should be easy since the parsed URI is thrown away. One should probably also review the parsing that is used to actually access the URI though.

[1] https://hackage.haskell.org/package/http-client-0.5.0/docs/Network-HTTP-Client.html#v:parseRequest
[2] http://hackage.haskell.org/package/network-uri-2.6.1.0/docs/Network-URI.html#v:parseURI
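To make the behaviour concrete, here is an added example (not code from the issue or from stack itself) that feeds constructed stack.yaml-style location strings to http-client's `parseRequest`, as the post describes, and beside it a stricter check built on network-uri's `parseAbsoluteURI`, the kind of replacement parser the post suggests. The `validateLocation` function, its scheme/host rules, and the sample URLs are assumptions for illustration, not stack's code.

```haskell
-- Added example (not from the stack issue or the stack code base): shows why
-- parseRequest is a poor validator for a URL taken from stack.yaml, and a
-- stricter check built on network-uri's parseAbsoluteURI. Assumes the
-- http-client and network-uri packages are available; the YAML field is
-- replaced by constructed strings.
{-# LANGUAGE OverloadedStrings #-}
module Main where

import           Control.Exception     (SomeException, try)
import qualified Data.ByteString.Char8 as B8
import           Network.HTTP.Client   (Request, method, parseRequest)
import           Network.URI           (URI, parseAbsoluteURI, uriAuthority, uriScheme)

-- Constructed inputs standing in for the location field of a stack.yaml entry.
benignLocation, methodLocation :: String
benignLocation = "https://example.com/archive.tar.gz"
methodLocation = "POST https://example.com/archive.tar.gz"   -- method prefix smuggled in

-- What parseRequest does with each string: it accepts both, and for the
-- second one the resulting Request carries the POST method instead of GET.
showRequestMethod :: String -> IO String
showRequestMethod s = do
  r <- try (parseRequest s) :: IO (Either SomeException Request)
  pure $ case r of
    Left e    -> "rejected: " ++ show e
    Right req -> "accepted, method = " ++ B8.unpack (method req)

-- Stricter validation (assumed policy): the string must be a single absolute
-- URI with an http/https scheme and a host. A leading "POST " is not a valid
-- scheme, so parseAbsoluteURI returns Nothing and the entry is rejected
-- before any Request is ever built from it.
validateLocation :: String -> Either String URI
validateLocation s =
  case parseAbsoluteURI s of
    Nothing -> Left ("not a single absolute URI: " ++ show s)
    Just u
      | uriScheme u `notElem` ["http:", "https:"] -> Left ("unexpected scheme: " ++ uriScheme u)
      | Nothing <- uriAuthority u                  -> Left "missing host"
      | otherwise                                  -> Right u

main :: IO ()
main = do
  putStrLn "parseRequest:"
  mapM_ (\s -> showRequestMethod s >>= \r -> putStrLn ("  " ++ show s ++ " -> " ++ r))
        [benignLocation, methodLocation]
  putStrLn "validateLocation (parseAbsoluteURI):"
  mapM_ (\s -> putStrLn ("  " ++ show s ++ " -> "
                         ++ either ("rejected: " ++) (("accepted: " ++) . show) (validateLocation s)))
        [benignLocation, methodLocation]
```

The point of `validateLocation` is that the value from the configuration file is checked as a URI, not as a request, so a method prefix has no place to go; whatever code later builds the actual `Request` can then start from a `URI` that has already been constrained to an http/https host.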