koajs / koa

Expressive middleware for node.js using ES2017 async functions
https://koajs.com
MIT License

Where can I report vulnerability details? #1128

Closed orangetw closed 5 years ago

orangetw commented 6 years ago

Hi, I found some vulns. Is there any security-related mail I can send my report to?

P.S. I checked the website and GitHub, but I couldn't find where I can send the report :(

jonathanong commented 6 years ago

u can email me at me@jongleberry.com

jonathanong commented 6 years ago

i'll add my email in the docs for reporting vulnerabilities

orangetw commented 6 years ago

Hi, I have sent the vulnerability detail, please check it!

maticrivo commented 6 years ago

@orangetw @jonathanong it would be very interesting for everyone to know what exactly is the vulnerability about and what can get compromised and if we as koa users can do anything to protect ourselves..

cyjake commented 6 years ago

@maticrivo I believe reporting to maintainers in advance is the right approach. Further details may be revealed after there's a fix.

maticrivo commented 6 years ago

@dotnil of course, I'm saying after they review it and fix/patch the vulnerability

maticrivo commented 6 years ago

any update you can share about this?

jonathanong commented 6 years ago

i've received two reports. one is not about koa itself but one of its middleware (which is this issue). another is about setting headers, which was vague because they didn't describe the actual attack. yeah, a client can set whatever headers they want...

maticrivo commented 6 years ago

thanks for the update @jonathanong

fl0w commented 6 years ago

> yeah, a client can set whatever headers they want...

@jonathanong I can't seem to find the comment, but vaguely recall semi-consensus around adding some form of app.trustHeaderfield() API?

pepkin88 commented 6 years ago

I would also add a possibility of spoofing an IP address when behind an Nginx server: https://github.com/koajs/koa/issues/599#issuecomment-239493311

Although technically the documentation says that it uses X-Forwarded-For to determine the IP address, and an Nginx user should be aware that X-Forwarded-For is spoofable (to work with even more external proxies), I don't think many people know that. ctx.ip seems like a safe way to determine the IP address of the client, and most of the time it is, but not when behind Nginx. I don't know whose responsibility it is to educate about this potential vulnerability, so I just put it here.
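The Nginx spoofing case pepkin88 describes, as an added example that is not part of the original thread or of Koa's code: a self-contained model of how a Koa-style ctx.ip is derived from X-Forwarded-For, and how limiting the number of trusted hops (mirroring Koa's later app.maxIpsCount / app.proxyIpHeader settings, assumed here to match your Koa version) keeps a forged header value from winning.

```javascript
// Added example, not Koa's own code. It models the documented behaviour:
// the proxy header is only consulted when app.proxy is on, and ctx.ip is the
// first entry of ctx.ips (falling back to the socket address).
function resolveIps(opts, headers) {
  if (!opts.proxy) return []; // proxy mode off: header ignored entirely
  const name = (opts.proxyIpHeader || 'X-Forwarded-For').toLowerCase();
  const val = headers[name];
  if (!val) return [];
  let ips = val.split(',').map((s) => s.trim()).filter(Boolean);
  // maxIpsCount > 0 keeps only the rightmost N entries, i.e. the ones
  // appended by the proxies you actually control (Koa option, assumed).
  if (opts.maxIpsCount > 0) ips = ips.slice(-opts.maxIpsCount);
  return ips;
}

function clientIp(opts, headers, remoteAddress) {
  return resolveIps(opts, headers)[0] || remoteAddress || '';
}

// Constructed scenario: the client sends a forged X-Forwarded-For and a
// single Nginx in front of the app appends the real peer address
// ($proxy_add_x_forwarded_for), so the app receives "<forged>, <real>".
const REAL_CLIENT = '203.0.113.9'; // address Nginx saw on the socket (constructed)
const FORGED = '10.0.0.1';         // value the client put in the header (constructed)
const NGINX_ADDR = '127.0.0.1';    // Nginx -> app hop (constructed)
const headersFromNginx = { 'x-forwarded-for': `${FORGED}, ${REAL_CLIENT}` };

// Trusting the whole chain: the leftmost (client-controlled) entry wins.
const spoofed = clientIp({ proxy: true, maxIpsCount: 0 }, headersFromNginx, NGINX_ADDR);
// Trusting exactly one hop (our Nginx): the address Nginx appended wins.
const trusted = clientIp({ proxy: true, maxIpsCount: 1 }, headersFromNginx, NGINX_ADDR);
// Proxy mode off: the header is ignored and you only ever see Nginx itself.
const noProxy = clientIp({ proxy: false }, headersFromNginx, NGINX_ADDR);

console.log({ spoofed, trusted, noProxy });
// → { spoofed: '10.0.0.1', trusted: '203.0.113.9', noProxy: '127.0.0.1' }
```

The same hop-count idea applies to any chain: set maxIpsCount to the number of proxies you control, and make sure each of them appends rather than passes through the header.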