mgsloan
commented
8 years ago Certainly seems like something worth addressing. I don't see how to exploit it either, since this isn't a browser POST, there are no cookies.
Open Blaisorblade opened 8 years ago
mgsloan
commented
8 years ago Certainly seems like something worth addressing. I don't see how to exploit it either, since this isn't a browser POST, there are no cookies.
borsboom
commented
8 years ago There are a lot of ways that building Haskell code is insecure. For example, TemplateHaskell code can basically issue any HTTP request it wants to (or do anything else on your system), so security issues in stack.yaml, while unfortunate, probably don't make much difference to overall security.
mgsloan
commented
8 years ago Indeed, so we could possibly leave this in as just a somewhat odd feature.
sjakobi
commented
8 years ago Somewhat related: my thoughts on using a custom URL type.
While reviewing #2412, I double-checked that the URL-parser
parseRequestinFromJSON PackageLocationdid the right thing. But it seems it doesn't quite do that. It allows specifying a method:parseRequest "POST http://httpbin.org/post"[1]. Potentially worse, I can ship somebody a stack.yaml that will trigger POST requests upon install. I don't see how to actually exploit this, but someone might. Switching to another URI parser should prevent this, and should be easy since the parsed URI is thrown away. One should probably also review the parsing that is used to actually access the URI though.[1] https://hackage.haskell.org/package/http-client-0.5.0/docs/Network-HTTP-Client.html#v:parseRequest
[2] http://hackage.haskell.org/package/network-uri-2.6.1.0/docs/Network-URI.html#v:parseURI