Comments (8)

jhermsmeier avatar jhermsmeier commented on June 15, 2024 1

@JamieSlome because the email didn't contain any relevant information, but a bait-onto-platform link. I gave a few options wrt contact about this issue, and none of them were used. Opening an issue for this, or simply describing the issue in an email would have sufficed. Nothing against the platform – I just can't be bothered to go look and weasel through yet another vuln reporting platform.

I did have a quick glance at the reported issue there back then, and if I remember correctly, it is a non-linear time regex that becomes relevant if the link header goes into the tens of kilobytes. Given that the HTTP headers are limited in their size by the platforms this would be used on (8KB by default, configurable via --max-http-header-size or the maxHeaderSize option for servers/streams in Node, for example), this issue shouldn't have any particular security impact, but rather only a performance impact if you're dealing with unreasonably large link headers. Denial of service due to this is unlikely, as you'd have to deliberately increase the max_header_size to values where you'll hit other problems before this.

You can take a look at the report directly here if you prefer:
https://huntr.dev/bounties/8f2097f2-fdfb-472a-91fa-8294a41f24c7/

This link does not work (anymore?)

from node-http-link-header.
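A defender-side illustration of the point made above, as an added example that is not node-http-link-header's own parser: enforce a byte limit on the Link header before parsing (8 KB, matching Node's default maxHeaderSize) and tokenize it in a single forward pass rather than with a backtracking regex, so parse time stays linear in header length. The sample header and the function names are constructed for this example.

```javascript
// Added example (not node-http-link-header's code): bound the Link header's
// size, then scan it in one pass so cost is linear with no regex backtracking.
const MAX_LINK_HEADER_BYTES = 8 * 1024; // same as Node's default maxHeaderSize

// Constructed sample header: the comma inside the quoted title must not split.
const SAMPLE_LINK_HEADER = '<https://api.example/?page=2>; rel="next", ' +
  '<https://api.example/?page=5>; rel="last"; title="a, b"';

// Split on `sep` only where it sits outside "..." and outside <...>.
function splitOutside(str, sep) {
  const parts = [];
  let depth = 0, quoted = false, start = 0;
  for (let i = 0; i < str.length; i++) {
    const c = str[i];
    if (quoted) { if (c === '\\') i++; else if (c === '"') quoted = false; }
    else if (c === '"') quoted = true;
    else if (c === '<') depth++;
    else if (c === '>') depth = Math.max(0, depth - 1);
    else if (c === sep && depth === 0) { parts.push(str.slice(start, i)); start = i + 1; }
  }
  parts.push(str.slice(start));
  return parts.map((p) => p.trim()).filter((p) => p.length > 0);
}

// Parse '<uri>; k=v; k2="v2", <uri2>; ...' into [{ uri, k, k2 }, ...].
// Oversized input is rejected up front rather than handed to the scanner.
function parseLinkHeader(header, maxBytes = MAX_LINK_HEADER_BYTES) {
  if (Buffer.byteLength(header, 'utf8') > maxBytes) {
    throw new RangeError(`Link header exceeds ${maxBytes} bytes`);
  }
  const links = [];
  for (const value of splitOutside(header, ',')) {
    const [target, ...params] = splitOutside(value, ';');
    const close = target.indexOf('>');
    if (!target.startsWith('<') || close < 0) continue; // skip malformed link-value
    const link = { uri: target.slice(1, close) };
    for (const param of params) {
      const eq = param.indexOf('=');
      if (eq < 0) continue;
      const key = param.slice(0, eq).trim().toLowerCase();
      let val = param.slice(eq + 1).trim();
      if (val.length >= 2 && val.startsWith('"') && val.endsWith('"')) {
        val = val.slice(1, -1).replace(/\\(.)/g, '$1'); // unescape quoted-string
      }
      if (key) link[key] = val;
    }
    links.push(link);
  }
  return links;
}
```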

jhermsmeier avatar jhermsmeier commented on June 15, 2024

Hey hey!

Just send me an email, and I'll have a look – alternatively you could file an issue with its contents encrypted against my GPG key (F13F42B764742BEBC71F0DFB3F33CC15EEB22F48) – whichever way is easiest / best for you.

My email address is on my profile, as well as the commits – GPG key(s) are available under https://github.com/jhermsmeier.gpg if needed – not sure a SECURITY.md is necessary for this, but sure can add one some time.

kurtextrem avatar kurtextrem commented on June 15, 2024

Any update on this?

JamieSlome avatar JamieSlome commented on June 15, 2024

@jhermsmeier - we sent an e-mail to you quite a while back but didn't get any response.

You can take a look at the report directly here if you prefer:
https://huntr.dev/bounties/8f2097f2-fdfb-472a-91fa-8294a41f24c7/

It is private and only accessible to you 👍

filipedeschamps avatar filipedeschamps commented on June 15, 2024

Hi everyone! @benharvie @JamieSlome thank you for reporting this.

I'm pinging this thread to understand if this security issue has evolved somehow 🤝

Thank you.

JamieSlome avatar JamieSlome commented on June 15, 2024

@jhermsmeier - been a while, and sorry that getting access to the contents of the report felt bait-y (certainly not our intention).

Are you happy for me to share the contents of the report here? Or open a new issue? I can even make the report URL public, as it is currently private.

Let me know what works best for you - I am here to support ❤️

EDIT: just wanted to double-check on the above before proceeding 👍

jhermsmeier avatar jhermsmeier commented on June 15, 2024

@JamieSlome indeed 😅

Are you happy for me to share the contents of the report here? Or open a new issue? I can even make the report URL public, as it is currently private.

Yes, and yes! Opening a new issue with the description and/or link to the public report would be best, I think. If that's something you could do, that would be excellent :)

JamieSlome avatar JamieSlome commented on June 15, 2024

@jhermsmeier - great :)

I have made the report public, which can be read directly here:
https://huntr.dev/bounties/8f2097f2-fdfb-472a-91fa-8294a41f24c7/
