http icon indicating copy to clipboard operation
http copied to clipboard
verified publisher icon httprb

Found a possible security concern

Open JamieSlome opened this issue 4 years ago • 6 comments

Hey there!

I belong to an open source security research community, and a member (@ranjit-git) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

JamieSlome avatar Jan 06 '22 18:01 JamieSlome

Please email me at [email protected] to follow up.

A SECURITY.md is a good idea as well.

tarcieri avatar Jan 06 '22 23:01 tarcieri

@tarcieri - thanks for the response!

If you prefer, you can view the report directly here:

https://huntr.dev/bounties/2282338f-f8f6-436c-92c7-fab8da8ff3ab/

It is private and only accessible to maintainers with repository write permissions 🤝

JamieSlome avatar Jan 07 '22 10:01 JamieSlome

Can you go ahead and open a public issue for this?

Since it relies on a trusted site redirecting to a potentially malicious site, it doesn't seem particularly exploitable to me.

cc @ranjit-git

tarcieri avatar Jan 08 '22 14:01 tarcieri

I also thought we were relying on HTTP::CookieJar's scoping rules... curious if it's actually an upstream bug in that? https://github.com/httprb/http/pull/613/files

Also related: #631

tarcieri avatar Jan 08 '22 14:01 tarcieri

I'll take a look this weekend.

ixti avatar Jan 08 '22 19:01 ixti