request / request

๐ŸŠ๐Ÿพ Simplified HTTP request client.
Apache License 2.0
25.67k stars 3.14k forks

Ssrf fix #3444

Closed SzymonDrosdzol closed 1 year ago

SzymonDrosdzol commented 1 year ago

PR Checklist:

PR Description

This pull request is a fix to CVE-2023-28155.

It introduces a new configuration option allowInsecureRedirects, turned off by default. The default configuration leaves library users protected from exploitation of CVE-2023-28155. When the option gets turned on, cross-protocol redirects will be allowed if the library user decides it's safe and required in their case.
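As an added example, not code from the request project or from this PR, here is a redirect-following loop in JavaScript with a protocol-change policy modelled on the option described above. The function names `redirectDecision` and `followRedirects`, the in-memory response map standing in for a server, and the hostnames are all constructed for illustration; treating any protocol change (including http to https) as blocked unless `allowInsecureRedirects` is set is an assumption about the option's semantics, not something this page confirms.

```javascript
// Added example (not from the request library or PR #3444): a redirect loop
// that refuses to change protocol unless the caller opts in, mirroring the
// described default-off `allowInsecureRedirects` option.
// Names, URLs and responses below are constructed for illustration.

const MAX_REDIRECTS = 10;

// Decide whether a redirect target may be followed under the configured policy.
// Returns { follow: true, url } or { follow: false, reason }.
function redirectDecision(currentUrl, location, options = {}) {
  const { allowInsecureRedirects = false } = options;
  let target;
  try {
    // Location may be relative; resolve it against the current URL as a client would.
    target = new URL(location, currentUrl);
  } catch (err) {
    return { follow: false, reason: `unparseable Location header: ${location}` };
  }
  const from = new URL(currentUrl);
  // Assumption: any scheme change is "insecure" unless explicitly allowed.
  if (target.protocol !== from.protocol && !allowInsecureRedirects) {
    return {
      follow: false,
      reason: `cross-protocol redirect ${from.protocol} -> ${target.protocol} blocked; set allowInsecureRedirects to opt in`,
    };
  }
  return { follow: true, url: target.href };
}

// Walk a chain of redirects against a constructed in-memory "server":
// a map of URL -> { status, location } standing in for real HTTP responses.
function followRedirects(startUrl, responses, options = {}) {
  let current = new URL(startUrl).href;
  const chain = [current];
  for (let hop = 0; hop < MAX_REDIRECTS; hop++) {
    const res = responses[current] || { status: 200 };
    // Anything that is not a 3xx with a Location header ends the chain.
    if (res.status < 300 || res.status >= 400 || !res.location) {
      return { ok: true, finalUrl: current, chain };
    }
    const decision = redirectDecision(current, res.location, options);
    if (!decision.follow) {
      return { ok: false, finalUrl: current, chain, reason: decision.reason };
    }
    current = decision.url;
    chain.push(current);
  }
  return { ok: false, finalUrl: current, chain, reason: `more than ${MAX_REDIRECTS} redirects` };
}

// Constructed responses: an HTTPS origin that eventually redirects to a
// plain-HTTP address on another host, plus a self-referencing loop.
const RESPONSES = {
  'https://example.test/start': { status: 302, location: 'https://example.test/step' },
  'https://example.test/step': { status: 301, location: 'http://internal.example.test/admin' },
  'https://loop.test/a': { status: 302, location: '/a' },
};

// Default policy: the https -> http hop is refused and the chain stops at /step.
console.log(followRedirects('https://example.test/start', RESPONSES));
// Opt-in policy: the same chain is followed through to the http:// target.
console.log(followRedirects('https://example.test/start', RESPONSES, { allowInsecureRedirects: true }));
// The hop cap stops an endless redirect loop.
console.log(followRedirects('https://loop.test/a', RESPONSES));
```

The policy check lives in one place (`redirectDecision`) and is evaluated per hop, so a chain that stays on HTTPS for several hops and only drops to HTTP at the end is still caught; the cap on hops is a separate guard that the protocol check does not replace.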

phawxby commented 1 year ago

@mikeal @jabrena @mmalecki @eiriksm @reconbot any possibility one of you is available to review and merge this? Our build process is currently broken because of audit failures. Thanks.

tcherel commented 1 year ago

Can we expect an updated request release with this fix soon? If yes, how soon? Sorry, just trying to figure out how fast we need to move out of request completely. Thanks.

khitrenovich commented 1 year ago

There were no non-doc/tools changes in the repo since 2018 and no commits at all for the last 3 years. I wouldn't expect any fix coming from here.

Our own dependency on request came from jsforce (which is not gonna get fixed soon, as it looks like), so we migrated to the still-maintained fork from Cypress via Yarn forced resolutions mechanism, and it worked like a charm.


Update: in case somebody missed that, request is deprecated since 2020.

danilogco commented 1 year ago

Yeah... It seems like it hasn't been maintained/updated for a long time.

tcherel commented 1 year ago

Thanks. Yes, I understand that request is not maintained any longer, but since there was this PR created and it got reviewed and approved, I thought that, maybe, something was going to be released.

suside commented 1 year ago

@khitrenovich CVE-2023-28155 was reported on Mar 16, 2023 and the last commit in fork from Cypress is from Jan 11, 2023. It doesn't look like this has been fixed in their fork 🤨

khitrenovich commented 1 year ago

@khitrenovich CVE-2023-28155 was reported on Mar 16, 2023 and the last commit in fork from Cypress is from Jan 11, 2023. It doesn't look like this has been fixed in their fork 🤨

@suside You are right... Just opened an issue there, let's see how they respond.

phawxby commented 1 year ago

@SzymonDrosdzol it might be worth you opening the same CVE against the cypress fork too

legobeat commented 1 year ago

I have made two PRs on cypress:

It seems they have an extended test suite handling more complex redirects so if anyone feels up for extending my PRs addressing those cases to get them up to standard, feel free.

karanr1990 commented 1 year ago

Is there any alternative library to sforcejs where we do not have a dependency on the request library?

jeremieSTC commented 1 year ago

Can we expect an updated request release with this fix soon? If yes, how soon? Sorry, just trying to figure out how fast we need to move out of request completely. Thanks.

It would be great if a new version could be released including the fix. I see there was a new version a couple of days ago with the new version of xml2js so I have hope.

legobeat commented 1 year ago

@jeremieSTC A couple of years, you mean? See above for alternatives - request itself is unmaintained and I wouldn't be hoping to see further updates.

reconbot commented 1 year ago

Per the readme and npm deprecation warning.

As of Feb 11th 2020, request is fully deprecated. No new changes are expected to land. In fact, none have landed for some time.

Please use alternative libraries.