
GET requests are mutating the shared headers causing parameters to leak into subsequent requests

Open · dnnyjns opened this issue 2 years ago · 1 comment

Describe the problem

GET requests are mutating the shared headers causing parameters to leak into subsequent requests. Relevant code where the headers are being mutated. https://github.com/auth0/ruby-auth0/blob/afc87a05c5c4a0d8a4d068efb37f87cdab72f3ef/lib/auth0/mixins/httpproxy.rb#L75-L76

Is there any reason why headers.merge(params: body) would not be used instead?

What was the expected behavior?

I would expect parameters from a GET request to not leak into subsequent POST/PATCH requests.

Reproduction

require 'auth0'

# Log every RestClient request to stdout so the leaked query string is visible.
RestClient.log = 'stdout'

client = Auth0Client.new(
  client_id: AUTH0_CONFIG['client_id'],
  client_secret: AUTH0_CONFIG['client_secret'],
  api_identifier: AUTH0_CONFIG['api_identifier'],
  domain: AUTH0_CONFIG['domain'],
  api_version: 2,
  timeout: 15
)

# First request: a GET whose query parameters are written into the shared headers.
client.users_by_email("this_email_leaks_into_headers@example.com")
# RestClient.get "https://****/api/v2/users-by-email?email=this_email_leaks_into_headers%40example.com", "Accept"=>"*/*", "Auth0-Client"=>"****", "Authorization"=>"Bearer ****", "Content-Type"=>"application/json"
# => 200 OK | application/json 2 bytes, 0.68s

# Second request: a POST that should carry no query string, but the GET's ?email=... is still attached.
client.create_user("Username-Password-Authentication", { email: "[email protected]" })
# RestClient.post "https://****/api/v2/users?email=this_email_leaks_into_headers%40example.com", "{\"email\":\"[email protected]\",\"connection\":\"Username-Password-Authentication\"}", "Accept"=>"*/*", "Auth0-Client"=>"****", "Authorization"=>"Bearer ****", "Content-Length"=>"85", "Content-Type"=>"application/json"
# => 400 BadRequest | application/json 104 bytes, 0.63s

Environment

  • Version of this library used: v5.8.0
  • Which framework are you using, if applicable: Rails
  • Other modules/plugins/libraries that might be involved:
  • Any other relevant information you think would be useful: Relevant code https://github.com/auth0/ruby-auth0/blob/afc87a05c5c4a0d8a4d068efb37f87cdab72f3ef/lib/auth0/mixins/httpproxy.rb#L75-L76

dnnyjns avatar Jun 17 '22 22:06 dnnyjns

Thanks for raising. I think expecting these values to not bleed into other requests is totally reasonable. I think those body headers could just be merged without merging them into the instance-level headers, but I worry that some might rely on this bug being there. I think we'll have the same problem with deletes as well.

Not ideal, but for now you're able to clear the offending headers between requests using:

client.headers.delete :params

stevehobbsdev avatar Jun 21 '22 09:06 stevehobbsdev
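The following is an added example, not code from ruby-auth0 or from either participant above. It reconstructs the failure mode in a stand-alone, offline-runnable form: a stand-in proxy class (hypothetical, named LeakyProxy) keeps an instance-level headers hash and does `headers[:params] = query` on GET, exactly the pattern the issue points at; a subclass (FixedProxy) applies the merge-based fix suggested in the report; and a third helper applies the maintainer's `headers.delete :params` workaround. A recording transport replaces RestClient so that the headers actually handed to each request can be inspected and the leak asserted on. All paths, addresses and class names are constructed for illustration.

```ruby
require 'json'

# Stand-in for the HTTP library: records every request instead of sending it.
class RecordingTransport
  attr_reader :calls

  def initialize
    @calls = []
  end

  def request(method, path, payload, headers)
    # dup: snapshot the headers as they were at send time, since the leaky
    # proxy passes the very same Hash object on every call.
    @calls << { method: method, path: path, payload: payload, headers: headers.dup }
    { status: 200 }
  end
end

# Hypothetical proxy with the bug described in the issue: one headers Hash
# lives on the instance and GET writes its query string into it.
class LeakyProxy
  attr_reader :headers

  def initialize(transport)
    @transport = transport
    @headers = {
      'Content-Type' => 'application/json',
      'Authorization' => 'Bearer <redacted>' # constructed placeholder, not a real token
    }
  end

  def get(path, query)
    headers[:params] = query # mutates the shared Hash; :params survives this call
    @transport.request(:get, path, nil, headers)
  end

  def post(path, body)
    @transport.request(:post, path, body.to_json, headers)
  end
end

# The fix proposed in the report: build a per-request Hash with merge, so the
# instance-level headers are never touched.
class FixedProxy < LeakyProxy
  def get(path, query)
    @transport.request(:get, path, nil, headers.merge(params: query))
  end
end

# Runs a GET followed by a POST through the given proxy class and returns the
# :params value the POST was sent with (nil means nothing leaked).
def params_seen_by_post(proxy_class, clear_between: false)
  transport = RecordingTransport.new
  proxy = proxy_class.new(transport)
  proxy.get('/api/v2/users-by-email', email: 'leak@example.com') # constructed input
  proxy.headers.delete(:params) if clear_between # the workaround from the thread
  proxy.post('/api/v2/users', email: 'new@example.com', connection: 'Username-Password-Authentication')
  transport.calls.last[:headers][:params]
end

if __FILE__ == $PROGRAM_NAME
  puts "leaky:      #{params_seen_by_post(LeakyProxy).inspect}"
  puts "workaround: #{params_seen_by_post(LeakyProxy, clear_between: true).inspect}"
  puts "fixed:      #{params_seen_by_post(FixedProxy).inspect}"
end
```

The leaky variant hands the POST a `:params` entry of `{ email: "leak@example.com" }`, which is what produced the stray `?email=...` on the `/api/v2/users` call in the reproduction; the merge-based variant and the delete-between-requests workaround both leave it nil. The merge approach is the one to prefer in a client that is shared across threads or request handlers, because the workaround only helps if every caller remembers to apply it and there is no interleaving between the GET and the delete.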