Closed orangetw closed 5 years ago
You can email me at me@jongleberry.com
I'll add my email in the docs for reporting vulnerabilities
Hi, I have sent the vulnerability detail, please check it!
@orangetw @jonathanong it would be very interesting for everyone to know what exactly the vulnerability is about, what can get compromised, and whether we as koa users can do anything to protect ourselves.
@maticrivo I believe reporting to maintainers in advance is the right approach. Further details may be revealed after there's a fix.
@dotnil of course, I'm saying after they review it and fix/patch the vulnerability
any update you can share about this?
I've received two reports. One is not about koa itself but one of its middleware (which is this issue). Another is about setting headers, which was vague because they didn't describe the actual attack. Yeah, a client can set whatever headers they want...
thanks for the update @jonathanong
> yeah, a client can set whatever headers they want...

@jonathanong I can't seem to find the comment, but vaguely recall semi-consensus around adding some form of `app.trustHeaderfield()` API?
I would also add the possibility of spoofing an IP address when behind an Nginx server: https://github.com/koajs/koa/issues/599#issuecomment-239493311
Although, technically, the documentation says that it uses `X-Forwarded-For` to determine the IP address, and an Nginx user should be aware that `X-Forwarded-For` is spoofable (to work with even more external proxies), I don't think many people know that. `ctx.ip` seems like a safe way to determine the IP address of the client, and most of the time it is, but not when behind Nginx.
I don't know whose responsibility it is to educate about this potential vulnerability, so I just put it here.
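To illustrate the spoofing concern in the comment above, here is an added example (not koa's code, and not tied to `ctx.ip`'s implementation) contrasting the naive "trust the leftmost `X-Forwarded-For` entry" reading with one that skips only the hops your own reverse proxies appended. The addresses and the single-Nginx topology are constructed assumptions.

```javascript
// Added example: X-Forwarded-For (XFF) handling behind a reverse proxy.
// Nginx with `proxy_add_x_forwarded_for` appends the peer address it saw to
// whatever XFF header the client already sent, so the leftmost entry is
// client-controlled; only the rightmost `trustedProxies` entries are reliable.

// Split an XFF header into a list: leftmost = claimed client, rightmost =
// value appended by the proxy closest to the app.
function parseXff(header) {
  if (!header) return [];
  return header.split(',').map((s) => s.trim()).filter(Boolean);
}

// Naive reading: take the leftmost entry. Anything the client forges ends up
// here, which is the spoofing described in the thread.
function naiveClientIp(xffHeader, remoteAddr) {
  const ips = parseXff(xffHeader);
  return ips.length ? ips[0] : remoteAddr;
}

// Safer reading: build the hop chain [...xff entries, TCP peer] and walk in
// from the right, skipping exactly `trustedProxies` hops (1 for a single
// Nginx in front of the app). Entries further left were asserted by
// untrusted parties and are ignored.
function clientIp(xffHeader, remoteAddr, trustedProxies) {
  // Trusting no proxy means the TCP peer itself is the client.
  if (trustedProxies <= 0) return remoteAddr;
  const chain = parseXff(xffHeader).concat([remoteAddr]);
  const idx = chain.length - 1 - trustedProxies;
  // Fewer hops than trusted proxies: fall back to the leftmost known hop.
  return chain[Math.max(idx, 0)];
}

// Constructed scenario: the real client 203.0.113.9 sends a forged header
// claiming 127.0.0.1; Nginx (10.0.0.2) appends the address it actually saw.
const FORGED_XFF = '127.0.0.1, 203.0.113.9';
const NGINX_PEER = '10.0.0.2';

function demo() {
  return {
    naive: naiveClientIp(FORGED_XFF, NGINX_PEER), // '127.0.0.1' (spoofed)
    safe: clientIp(FORGED_XFF, NGINX_PEER, 1),    // '203.0.113.9'
  };
}

console.log(demo());
```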
Hi, I found some vulns. Is there any security-related mail I can send my report to?
P.S. I checked the website and GitHub, but I couldn't find where I can send the report :(