signalco-io / signalco

https://www.signalco.io
GNU Affero General Public License v3.0

chore(deps): update dependency refit to v8 [security] #6190

Closed renovate[bot] closed 1 week ago

renovate[bot] commented 1 week ago

This PR contains the following updates:

Package: Refit
Change: 7.2.1 -> 8.0.0

GitHub Vulnerability Alerts

CVE-2024-51501

Summary

The various header-related Refit attributes (Header, HeaderCollection and Authorize) are vulnerable to CRLF injection.

Details

The way HTTP headers are added to a request is via the HttpHeaders.TryAddWithoutValidation method: https://github.com/reactiveui/refit/blob/258a771f44417c6e48e103ac921fe4786f3c2a1e/Refit/RequestBuilderImplementation.cs#L1328 This method does not check for CRLF characters in the header value.

This means that any headers added to a Refit request are vulnerable to CRLF injection. In general, CRLF injection into an HTTP header (when using HTTP/1.1) means that one can inject additional HTTP headers or smuggle whole HTTP requests.

PoC

The below example code creates a console app that takes one command line variable (a bearer token) and then makes a request to some status page with the provided token inserted in the "Authorization" header:

using System;
using System.Threading.Tasks;
using Refit;

internal class Program
{
    private static void Main(string[] args)
    {
        // Usage: dotnet run <bearer token>
        // The token is handed straight to the Authorization header without any
        // validation; this pass-through is what the PoC below relies on.
        string token = args[0];
        var service = RestService.For<IStatusApi>("http://insert.some.site.here");
        string response = service.GetStatus(token).Result;
        Console.WriteLine($"Response: {response}");
    }

    public interface IStatusApi
    {
        // [Authorize("Bearer")] makes Refit emit "Authorization: Bearer <token>".
        [Get("/status")]
        Task<string> GetStatus([Authorize("Bearer")] string token);
    }
}

This application is now vulnerable to CRLF injection, and can thus be abused to, for example, perform request splitting and thus server-side request forgery (SSRF):

anonymous@ubuntu-sofia-672448:~$ dotnet Refit-cli.dll $'test\r\nUser-Agent: injected header!\r\n\r\nGET /smuggled HTTP/1.1\r\nHost: insert.some.site.here'
Response: <html></html>

The application intends to send a single request of the form:

GET /status HTTP/1.1
Host: insert.some.site.here
Authorization: Bearer <bearer token>

But as the application is vulnerable to CRLF injection the above command will instead result in the following two requests being sent:

GET /status HTTP/1.1
Host: insert.some.site.here
Authorization: Bearer test
User-Agent: injected header!

and

GET /smuggled HTTP/1.1
Host: insert.some.site.here

This can be confirmed by checking the access logs on the server where these commands were run (with insert.some.site.here pointing to localhost):

anonymous@ubuntu-sofia-672448:~$ sudo tail /var/log/apache2/access.log
127.0.0.1 - - [29/Aug/2024:12:17:34 +0000] "GET /status HTTP/1.1" 200 240 "-" "injected header!"
127.0.0.1 - - [29/Aug/2024:12:17:34 +0000] "GET /smuggled HTTP/1.1" 404 436 "-" "-"

Impact

If an application using the Refit library passes a user-controllable value through to a header, then that application becomes vulnerable to CRLF injection. This is not necessarily a security issue for a command line application like the one above, but if such code were present in a web application then it becomes vulnerable to request splitting (as shown in the PoC) and thus server-side request forgery.

Strictly speaking this is a potential vulnerability in applications using Refit, not in Refit itself, but I would argue that at the very least there needs to be a warning about this behaviour in the Refit documentation.


Release Notes

reactiveui/refit (Refit)

### [`v8.0.0`](https://redirect.github.com/reactiveui/refit/releases/tag/8.0.0)

[Compare Source](https://redirect.github.com/reactiveui/refit/compare/7.2.1...8.0.0)

##### Features

- [`ebc7954`](https://redirect.github.com/reactiveui/refit/commit/ebc79549f737d41ce7469b8cbe4d76ab21d69f1a) feat: add parameter substitution tests ([#1896](https://redirect.github.com/reactiveui/refit/issues/1896)) [@ChrisPulman](https://redirect.github.com/ChrisPulman) [@TimothyMakkison](https://redirect.github.com/TimothyMakkison)
- [`0ba7394`](https://redirect.github.com/reactiveui/refit/commit/0ba73941c0f814b97e3d1e9dd73894748ee1fc3b) feat: add `UniqueNameBuilder` ([#1894](https://redirect.github.com/reactiveui/refit/issues/1894)) [@TimothyMakkison](https://redirect.github.com/TimothyMakkison)
- [`c1d7aa1`](https://redirect.github.com/reactiveui/refit/commit/c1d7aa1a5a61e3e271709a01316b4390c1ac1965) feat: add more incremental tests ([#1871](https://redirect.github.com/reactiveui/refit/issues/1871)) [@TimothyMakkison](https://redirect.github.com/TimothyMakkison)
- [`606a6c6`](https://redirect.github.com/reactiveui/refit/commit/606a6c6196e07486d5c61032d4220eccd0f269f3) feat: added nullable and parameter tests ([#1863](https://redirect.github.com/reactiveui/refit/issues/1863)) [@ChrisPulman](https://redirect.github.com/ChrisPulman) [@TimothyMakkison](https://redirect.github.com/TimothyMakkison)
- [`faa1f68`](https://redirect.github.com/reactiveui/refit/commit/faa1f68a64decc0bd8902a634a16595bb554cd34) feat: added source gen tests for generic constraints ([#1859](https://redirect.github.com/reactiveui/refit/issues/1859)) [@TimothyMakkison](https://redirect.github.com/TimothyMakkison)
- [`7e53d81`](https://redirect.github.com/reactiveui/refit/commit/7e53d8115a6e13d9ac3c351fc42551266afcf4ec) feat: fix invalid `unmanaged struct` constraint generation ([#1861](https://redirect.github.com/reactiveui/refit/issues/1861)) [@ChrisPulman](https://redirect.github.com/ChrisPulman) [@TimothyMakkison](https://redirect.github.com/TimothyMakkison)
- [`93b4ee2`](https://redirect.github.com/reactiveui/refit/commit/93b4ee2ce55e2fc5373dac5e77d154ada2d0dbdb) feat: add non refit method raises diagnostic test ([#1860](https://redirect.github.com/reactiveui/refit/issues/1860)) [@ChrisPulman](https://redirect.github.com/ChrisPulman) [@TimothyMakkison](https://redirect.github.com/TimothyMakkison)
- [`d03121d`](https://redirect.github.com/reactiveui/refit/commit/d03121dfe2f9397ed5c60a986bb5cf9b7ca0d569) feat: add `IDisposable` test ([#1855](https://redirect.github.com/reactiveui/refit/issues/1855)) [@TimothyMakkison](https://redirect.github.com/TimothyMakkison)
- [`6de1dbb`](https://redirect.github.com/reactiveui/refit/commit/6de1dbb90b052fcac63643b33637491b359ca3a3) feat: change `IPerformanceService` to return `HttpResponseMessage` ([#1893](https://redirect.github.com/reactiveui/refit/issues/1893)) [@TimothyMakkison](https://redirect.github.com/TimothyMakkison)
- [`27b436c`](https://redirect.github.com/reactiveui/refit/commit/27b436c59e4ee886215caccfd4fb5c77c01a595d) feat: added larger benchmark ([#1848](https://redirect.github.com/reactiveui/refit/issues/1848)) [@ChrisPulman](https://redirect.github.com/ChrisPulman) [@TimothyMakkison](https://redirect.github.com/TimothyMakkison)
- [`7ea950a`](https://redirect.github.com/reactiveui/refit/commit/7ea950a96b580951e407d947db6936716015d226) feat: add `ReflectionTests` for `IUrlParameterFormatter` ([#1888](https://redirect.github.com/reactiveui/refit/issues/1888)) [@TimothyMakkison](https://redirect.github.com/TimothyMakkison)
- [`a831dac`](https://redirect.github.com/reactiveui/refit/commit/a831dacaa45acf316df4c0c0f2d3d875d3bdff22) feat: add `ShouldNotEmitFiles` test ([#1843](https://redirect.github.com/reactiveui/refit/issues/1843)) [@TimothyMakkison](https://redirect.github.com/TimothyMakkison)
- [`56d7bcd`](https://redirect.github.com/reactiveui/refit/commit/56d7bcde9bded1197204edf09c918bc2bc7004d1) feat: generate code for derived non refit methods and update tests. ([#1875](https://redirect.github.com/reactiveui/refit/issues/1875)) [@TimothyMakkison](https://redirect.github.com/TimothyMakkison)
- [`f2ab216`](https://redirect.github.com/reactiveui/refit/commit/f2ab2163a68df564531f018587ee23fcb5e8fc21) feat: add incremental generator tests ([#1829](https://redirect.github.com/reactiveui/refit/issues/1829)) [@ChrisPulman](https://redirect.github.com/ChrisPulman) [@TimothyMakkison](https://redirect.github.com/TimothyMakkison)
- [`a01cb84`](https://redirect.github.com/reactiveui/refit/commit/a01cb84549007750e57c9e4328e1f43781dfa480) feat: add `RestServiceExceptions` ([#1886](https://redirect.github.com/reactiveui/refit/issues/1886)) [@TimothyMakkison](https://redirect.github.com/TimothyMakkison)
- [`396c2bf`](https://redirect.github.com/reactiveui/refit/commit/396c2bf488419c224258aae1304a814264b1d47e) feat: added default interface method tests ([#1881](https://redirect.github.com/reactiveui/refit/issues/1881)) [@TimothyMakkison](https://redirect.github.com/TimothyMakkison)
- [`c72fa3a`](https://redirect.github.com/reactiveui/refit/commit/c72fa3ae46547d4327721a4c3f76702c49526601) feat: upgrade roslyn 4.0 to 4.1 ([#1828](https://redirect.github.com/reactiveui/refit/issues/1828)) [@ChrisPulman](https://redirect.github.com/ChrisPulman) [@TimothyMakkison](https://redirect.github.com/TimothyMakkison)
- [`b32c305`](https://redirect.github.com/reactiveui/refit/commit/b32c3059ad3614ddc7876eeb2f5b09d3a844dab2) feat: added derived type argument tests ([#1883](https://redirect.github.com/reactiveui/refit/issues/1883)) [@TimothyMakkison](https://redirect.github.com/TimothyMakkison)
- [`26cfb28`](https://redirect.github.com/reactiveui/refit/commit/26cfb288bf73845d39a27eb759bca76d3c87d343) feat: add incremental generator ([#1864](https://redirect.github.com/reactiveui/refit/issues/1864)) [@TimothyMakkison](https://redirect.github.com/TimothyMakkison)

##### Refactoring

- [`1869ca6`](https://redirect.github.com/reactiveui/refit/commit/1869ca6b94d84a7c8ec70ab9fd300c13f92e59d3) refactor: move diagnostics to dedicated class ([#1842](https://redirect.github.com/reactiveui/refit/issues/1842)) [@ChrisPulman](https://redirect.github.com/ChrisPulman) [@TimothyMakkison](https://redirect.github.com/TimothyMakkison)

##### Fixes

- [`84d226f`](https://redirect.github.com/reactiveui/refit/commit/84d226fea32296487ab8fe61431436c5ab7dfb75) Fix for unused reference System.Net.Http ([#1830](https://redirect.github.com/reactiveui/refit/issues/1830)) [@ChrisPulman](https://redirect.github.com/ChrisPulman)
- [`040ecc6`](https://redirect.github.com/reactiveui/refit/commit/040ecc6857337b419eb83d08a5c2929047eea20e) Fix some typos in the codebase ([#1852](https://redirect.github.com/reactiveui/refit/issues/1852)) [@ChrisPulman](https://redirect.github.com/ChrisPulman) [@mithileshz](https://redirect.github.com/mithileshz)
- [`483b1d8`](https://redirect.github.com/reactiveui/refit/commit/483b1d8df18098f137ca0eca056b7e9ec19f70dd) Fix for CRLF injection vulnerability ([#1834](https://redirect.github.com/reactiveui/refit/issues/1834)) [@ChrisPulman](https://redirect.github.com/ChrisPulman)

##### General Changes

- [`057ba9e`](https://redirect.github.com/reactiveui/refit/commit/057ba9e648d09d1990ef832575d087ca45044e94) Housekeeping fix some of the code analyser warnings ([#1869](https://redirect.github.com/reactiveui/refit/issues/1869)) [@ChrisPulman](https://redirect.github.com/ChrisPulman)
- [`b6f8eeb`](https://redirect.github.com/reactiveui/refit/commit/b6f8eebe6beb1d1c2b65850bc9b99d203c99c3e0) chore: added generic constrained method tests ([#1868](https://redirect.github.com/reactiveui/refit/issues/1868)) [@TimothyMakkison](https://redirect.github.com/TimothyMakkison)
- [`f7f9c00`](https://redirect.github.com/reactiveui/refit/commit/f7f9c00bf47d38e41fa706e5ec8a9086a6e30596) Housekeeping fix some of the code analyser warnings ([#1866](https://redirect.github.com/reactiveui/refit/issues/1866)) [@ChrisPulman](https://redirect.github.com/ChrisPulman)
- [`418092e`](https://redirect.github.com/reactiveui/refit/commit/418092ec6c65cc9e28106d7219a26c33b5b7f8ca) Housekeeping Update Version for release [@ChrisPulman](https://redirect.github.com/ChrisPulman)
- [`9b19657`](https://redirect.github.com/reactiveui/refit/commit/9b196576837cfc71db2e91a4ba685e27ea49fbc4) Housekeeping Fix API Tests ([#1865](https://redirect.github.com/reactiveui/refit/issues/1865)) [@ChrisPulman](https://redirect.github.com/ChrisPulman)
- [`2c2e596`](https://redirect.github.com/reactiveui/refit/commit/2c2e596948a99fae066c111c415857959df4e8f1) Housekeeping Update build ([#1835](https://redirect.github.com/reactiveui/refit/issues/1835)) [@ChrisPulman](https://redirect.github.com/ChrisPulman)
- [`30664b6`](https://redirect.github.com/reactiveui/refit/commit/30664b6bdbba8c4dc750fe7c600cc8863d8e7dfa) chore: update to `Microsoft.CodeAnalysis.CSharp` to `4.1.0` ([#1857](https://redirect.github.com/reactiveui/refit/issues/1857)) [@ChrisPulman](https://redirect.github.com/ChrisPulman) [@TimothyMakkison](https://redirect.github.com/TimothyMakkison)
- [`6cb59cf`](https://redirect.github.com/reactiveui/refit/commit/6cb59cf1b0e3d866d38ce5edfcaae810ccdca7cf) chore: target correct StubGenerator ([#1847](https://redirect.github.com/reactiveui/refit/issues/1847)) [@ChrisPulman](https://redirect.github.com/ChrisPulman) [@TimothyMakkison](https://redirect.github.com/TimothyMakkison)
- [`2978e37`](https://redirect.github.com/reactiveui/refit/commit/2978e3725c64eb79d253f17ff97c4541b84e714e) Update release.yml ([#1839](https://redirect.github.com/reactiveui/refit/issues/1839)) [@ChrisPulman](https://redirect.github.com/ChrisPulman)
- [`5df30d9`](https://redirect.github.com/reactiveui/refit/commit/5df30d9df9ca45e185f9d5ec5eb3545c57bf7dc2) chore: upgrade `Verify.SourceGenerators` and update tests ([#1874](https://redirect.github.com/reactiveui/refit/issues/1874)) [@ChrisPulman](https://redirect.github.com/ChrisPulman) [@TimothyMakkison](https://redirect.github.com/TimothyMakkison)

##### Dependencies

- [`8861dec`](https://redirect.github.com/reactiveui/refit/commit/8861dec667ed743be3cd1fe0039048d16d6e33f4) chore(deps): update dependency microsoft.codeanalysis.csharp.workspaces to 4.12.0-3.24476.2 ([#1849](https://redirect.github.com/reactiveui/refit/issues/1849)) [@renovate](https://redirect.github.com/renovate)\[bot]
- [`2d2169c`](https://redirect.github.com/reactiveui/refit/commit/2d2169cab3771da04335f648c656d3b654684fbd) chore(deps): update dependency verify.xunit to v27 ([#1890](https://redirect.github.com/reactiveui/refit/issues/1890)) [@ChrisPulman](https://redirect.github.com/ChrisPulman) [@renovate](https://redirect.github.com/renovate)\[bot]
- [`440e236`](https://redirect.github.com/reactiveui/refit/commit/440e2365232a77a0fdeda7703f3b1fed04651ba7) chore(deps): update dependency xunit to 2.9.1 ([#1858](https://redirect.github.com/reactiveui/refit/issues/1858)) [@renovate](https://redirect.github.com/renovate)\[bot]
- [`1183b0d`](https://redirect.github.com/reactiveui/refit/commit/1183b0de698a196a22340bb1455f9d2d85565429) chore(deps): update dependency verify.xunit to 26.4.2 ([#1827](https://redirect.github.com/reactiveui/refit/issues/1827)) [@renovate](https://redirect.github.com/renovate)\[bot]
- [`8b915fa`](https://redirect.github.com/reactiveui/refit/commit/8b915faf4788c7e71e5004f8085746ad35a173c9) chore(deps): update dependency verify.xunit to 26.6.0 ([#1854](https://redirect.github.com/reactiveui/refit/issues/1854)) [@renovate](https://redirect.github.com/renovate)\[bot]
- [`58992b0`](https://redirect.github.com/reactiveui/refit/commit/58992b0242a07c542a82432122fb68a16e7b7678) chore(deps): update dotnet monorepo ([#1836](https://redirect.github.com/reactiveui/refit/issues/1836)) [@renovate](https://redirect.github.com/renovate)\[bot]
- [`ef9b830`](https://redirect.github.com/reactiveui/refit/commit/ef9b8305c35eb0644e31c33e43a7d0acaec81eec) chore(deps): update dependency system.text.json to 8.0.5 \[security] ([#1873](https://redirect.github.com/reactiveui/refit/issues/1873)) [@renovate](https://redirect.github.com/renovate)\[bot]
- [`48d1256`](https://redirect.github.com/reactiveui/refit/commit/48d12564eae1855633c94680ebea5b193b1ea8b7) chore(deps): update dependency xunit to 2.9.2 ([#1870](https://redirect.github.com/reactiveui/refit/issues/1870)) [@renovate](https://redirect.github.com/renovate)\[bot]
- [`9619841`](https://redirect.github.com/reactiveui/refit/commit/961984118885db34c39d8b4eb2a326786c560e71) chore(deps): update dependency nerdbank.gitversioning to 3.6.146 ([#1895](https://redirect.github.com/reactiveui/refit/issues/1895)) [@renovate](https://redirect.github.com/renovate)\[bot]
- [`10bd63a`](https://redirect.github.com/reactiveui/refit/commit/10bd63a6fe96725d010c7f2e33f09b5a774b39e0) chore(deps): update dependency serilog to 4.0.2 ([#1872](https://redirect.github.com/reactiveui/refit/issues/1872)) [@renovate](https://redirect.github.com/renovate)\[bot]
- [`f7feafc`](https://redirect.github.com/reactiveui/refit/commit/f7feafc19cf3a41dc4a077559239e83eb31f652e) chore(deps): update dependency verify.diffplex to 3.1.2 ([#1887](https://redirect.github.com/reactiveui/refit/issues/1887)) [@renovate](https://redirect.github.com/renovate)\[bot]
- [`9c4dbc3`](https://redirect.github.com/reactiveui/refit/commit/9c4dbc3ce3312bb7ec65305426c2e7f2e3ecfc7f) chore(deps): update dependency verify.sourcegenerators to 2.4.2 ([#1833](https://redirect.github.com/reactiveui/refit/issues/1833)) [@renovate](https://redirect.github.com/renovate)\[bot]
- [`704ee4c`](https://redirect.github.com/reactiveui/refit/commit/704ee4c1b409860a93b1a43e2a113a0823e2b0e7) chore(deps): update dependency microsoft.codeanalysis.csharp.workspaces to 4.12.0-3.24463.9 ([#1838](https://redirect.github.com/reactiveui/refit/issues/1838)) [@renovate](https://redirect.github.com/renovate)\[bot]
- [`2b8fca6`](https://redirect.github.com/reactiveui/refit/commit/2b8fca65e4c8bfeae93657551c12f6e1ba77be4d) chore(deps): update dependency microsoft.codeanalysis.csharp.workspaces to 4.12.0-3.24466.4 ([#1845](https://redirect.github.com/reactiveui/refit/issues/1845)) [@ChrisPulman](https://redirect.github.com/ChrisPulman) [@renovate](https://redirect.github.com/renovate)\[bot]
- [`fd0dd65`](https://redirect.github.com/reactiveui/refit/commit/fd0dd6508a5ea87f7436018e7ec16a7922216eca) chore(deps): update dependency verify.xunit to 26.4.5 ([#1841](https://redirect.github.com/reactiveui/refit/issues/1841)) [@renovate](https://redirect.github.com/renovate)\[bot]
- [`b8bb6cf`](https://redirect.github.com/reactiveui/refit/commit/b8bb6cf1694f2c2b7fb958393a85a5ca3973fadf) chore(deps): update dependency verify.sourcegenerators to 2.4.3 ([#1840](https://redirect.github.com/reactiveui/refit/issues/1840)) [@renovate](https://redirect.github.com/renovate)\[bot]
- [`ecb325d`](https://redirect.github.com/reactiveui/refit/commit/ecb325d0e8a5e8c65c4c543af16837c98eb354eb) chore(deps): update dependency verify.xunit to 26.4.4 ([#1831](https://redirect.github.com/reactiveui/refit/issues/1831)) [@renovate](https://redirect.github.com/renovate)\[bot]
- [`30f41ac`](https://redirect.github.com/reactiveui/refit/commit/30f41acc5051869f76634d1bb898efc870cdb902) chore(deps): update dependency refit to 7.2.1 ([#1844](https://redirect.github.com/reactiveui/refit/issues/1844)) [@renovate](https://redirect.github.com/renovate)\[bot]
- [`f02e004`](https://redirect.github.com/reactiveui/refit/commit/f02e0046cb0a4c26a493685f3e67e9fcf8e5f2b7) chore(deps): update dotnet monorepo ([#1867](https://redirect.github.com/reactiveui/refit/issues/1867)) [@renovate](https://redirect.github.com/renovate)\[bot]
- [`24e0444`](https://redirect.github.com/reactiveui/refit/commit/24e0444a46a87c2242fa49edf67f9c05afa9d1b8) chore(deps): update dependency serilog to 4.1.0 ([#1899](https://redirect.github.com/reactiveui/refit/issues/1899)) [@renovate](https://redirect.github.com/renovate)\[bot]
- [`101afad`](https://redirect.github.com/reactiveui/refit/commit/101afad98704342b2074bed59a3909971747a352) chore(deps): update dependency verify.xunit to 26.5.0 ([#1851](https://redirect.github.com/reactiveui/refit/issues/1851)) [@renovate](https://redirect.github.com/renovate)\[bot]

##### Contributions

New contributors since the last release: [@mithileshz](https://redirect.github.com/mithileshz), [@ted-ccm](https://redirect.github.com/ted-ccm), [@TeddyAssefa](https://redirect.github.com/TeddyAssefa)

Thanks to all the contributors: [@ChrisPulman](https://redirect.github.com/ChrisPulman), [@marcominerva](https://redirect.github.com/marcominerva), [@mithileshz](https://redirect.github.com/mithileshz), [@sguryev](https://redirect.github.com/sguryev), [@ted-ccm](https://redirect.github.com/ted-ccm), [@TeddyAssefa](https://redirect.github.com/TeddyAssefa), [@TimothyMakkison](https://redirect.github.com/TimothyMakkison)

The following automated services have also contributed to this release: [@renovate](https://redirect.github.com/renovate)\[bot]

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
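The advisory above leaves the application-side mitigation implicit: upgrading to Refit 8.0.0 picks up the fix (#1834), but any value that reaches a header sink should still be validated before it gets there, because TryAddWithoutValidation-style paths exist in other libraries too. The following is an added example, not code from this repository or from the Refit project, showing the PoC's IStatusApi with a guard in front of it. `HeaderValueGuard`, `IsSafeHeaderValue`, `IsValidBearerToken` and `Require` are names assumed for this example; the base URL and token format are constructed for illustration. The bearer-token allowlist follows the b64token syntax of RFC 6750.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Refit;

// Hypothetical hardening layer (example code, not part of Refit or signalco).
internal static class HeaderValueGuard
{
    // RFC 6750 b64token: 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
    // An allowlist is preferable to a CR/LF denylist when the value's format is known.
    private static readonly Regex BearerToken =
        new Regex(@"^[A-Za-z0-9\-._~+/]+=*$", RegexOptions.Compiled);

    public static bool IsValidBearerToken(string? token) =>
        token is not null && BearerToken.IsMatch(token);

    // Generic check for header values whose format is not fixed: reject CR, LF,
    // NUL and other C0 control characters (HTAB excepted) and DEL. This is what
    // TryAddWithoutValidation, cited in the advisory, does not do for you.
    public static bool IsSafeHeaderValue(string? value)
    {
        if (value is null) return false;
        foreach (char c in value)
        {
            if (c == '\r' || c == '\n' || c == '\0') return false;
            if (c < 0x20 && c != '\t') return false;
            if (c == 0x7F) return false;
        }
        return true;
    }

    // Fail closed: the caller never gets an unvalidated value back.
    public static string Require(string? value, string parameterName, Func<string?, bool> check)
    {
        if (!check(value))
            throw new ArgumentException(
                $"{parameterName} contains characters that are not allowed in this header.",
                parameterName);
        return value!;
    }
}

public interface IStatusApi
{
    // Same interface as the PoC; Refit emits "Authorization: Bearer <token>".
    [Get("/status")]
    Task<string> GetStatus([Authorize("Bearer")] string token);
}

internal class Program
{
    // Usage: dotnet run <bearer token>
    private static async Task<int> Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("Usage: dotnet run <bearer token>");
            return 2;
        }

        string token;
        try
        {
            // The PoC payload ("test\r\nUser-Agent: ...") fails this check and is
            // never handed to Refit, so no second request can be split off.
            token = HeaderValueGuard.Require(args[0], "token", HeaderValueGuard.IsValidBearerToken);
        }
        catch (ArgumentException ex)
        {
            Console.Error.WriteLine($"Rejected token: {ex.Message}");
            return 1;
        }

        // Constructed base URL, as in the advisory's PoC.
        var service = RestService.For<IStatusApi>("http://insert.some.site.here");
        string response = await service.GetStatus(token);
        Console.WriteLine($"Response: {response}");
        return 0;
    }
}
```

Use `IsValidBearerToken` for the Authorize attribute and `IsSafeHeaderValue` for free-form Header or HeaderCollection values whose syntax you cannot pin down. Rejecting the value (rather than stripping CR/LF) keeps the failure visible in logs, which is the signal a defender wants when someone is probing for header injection.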

AleksandarDev commented 1 week ago

:tada: This PR is included in version 1.174.0-next.3 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket:

AleksandarDev commented 1 week ago

:tada: This PR is included in version 1.174.0 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket: