chore(deps): update dependency refit to v8 [security] by renovate[bot] · Pull Request #1912 · reactiveui/refit
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| Refit | 7.2.1 -> 8.0.0 |
GitHub Vulnerability Alerts
CVE-2024-51501
Summary
The various header-related Refit attributes (Header, HeaderCollection and Authorize) are vulnerable to CRLF injection.
Details
The way HTTP headers are added to a request is via the HttpHeaders.TryAddWithoutValidation method:
| var added = request.Headers.TryAddWithoutValidation(name, value); |
This method does not check for CRLF characters in the header value.
This means that any headers added to a refit request are vulnerable to CRLF-injection. In general, CRLF-injection into a HTTP header (when using HTTP/1.1) means that one can inject additional HTTP headers or smuggle whole HTTP requests.
PoC
The below example code creates a console app that takes one command line variable (a bearer token) and then makes a request to some status page with the provided token inserted in the "Authorization" header:
using Refit; internal class Program { private static void Main(string[] args) { // Usage: dotnet run <bearer token> string token = args[0]; var service = RestService.For<IStatusApi>("http://insert.some.site.here"); string response = service.GetStatus(token).Result; Console.WriteLine($"Response: {response}"); } public interface IStatusApi { [Get("/status")] Task<string> GetStatus([Authorize("Bearer")] string token); } }
This application is now vulnerable to CRLF-injection, and can thus be abused to for example perform request splitting and thus server side request forgery (SSRF):
anonymous@ubuntu-sofia-672448:~$ dotnet Refit-cli.dll $'test\r\nUser-Agent: injected header!\r\n\r\nGET /smuggled HTTP/1.1\r\nHost: insert.some.site.here' Response: <html></html>
The application intends to send a single request of the form:
GET /status HTTP/1.1 Host: insert.some.site.here Authorization: Bearer <bearer token>
But as the application is vulnerable to CRLF injection the above command will instead result in the following two requests being sent:
GET /status HTTP/1.1 Host: insert.some.site.here Authorization: Bearer test User-Agent: injected header!
and
GET /smuggled HTTP/1.1 Host: insert.some.site.here
This can be confirmed by checking the access logs on the server where these commands were run (with insert.some.site.here pointing to localhost):
anonymous@ubuntu-sofia-672448:~$ sudo tail /var/log/apache2/access.log 127.0.0.1 - - [29/Aug/2024:12:17:34 +0000] "GET /status HTTP/1.1" 200 240 "-" "injected header!" 127.0.0.1 - - [29/Aug/2024:12:17:34 +0000] "GET /smuggled HTTP/1.1" 404 436 "-" "-"
Impact
If an application using the Refit library passes a user-controllable value through to a header, then that application becomes vulnerable to CRLF-injection. This is not necessarily a security issue for a command line application like the one above, but if such code were present in a web application then it becomes vulnerable to request splitting (as shown in the PoC) and thus Server Side Request Forgery.
Strictly speaking this is a potential vulnerability in applications using Refit, not in Refit itself, but I would argue that at the very least there needs to be a warning about this behaviour in the Refit documentation.
Release Notes
reactiveui/refit (Refit)
v8.0.0
Features
ebc7954feat: add parameter substitution tests (#1896) @ChrisPulman @TimothyMakkison0ba7394feat: addUniqueNameBuilder(#1894) @TimothyMakkisonc1d7aa1feat: add more incremental tests (#1871) @TimothyMakkison606a6c6feat: added nullable and parameter tests (#1863) @ChrisPulman @TimothyMakkisonfaa1f68feat: added source gen tests for generic constraints (#1859) @TimothyMakkison7e53d81feat: fix invalidunmanaged structconstraint generation (#1861) @ChrisPulman @TimothyMakkison93b4ee2feat: add non refit method raises diagnostic test (#1860) @ChrisPulman @TimothyMakkisond03121dfeat: addIDisposabletest (#1855) @TimothyMakkison6de1dbbfeat: changeIPerformanceServiceto returnHttpResponseMessage(#1893) @TimothyMakkison27b436cfeat: added larger benchmark (#1848) @ChrisPulman @TimothyMakkison7ea950afeat: addReflectionTestsforIUrlParameterFormatter(#1888) @TimothyMakkisona831dacfeat: addShouldNotEmitFilestest (#1843) @TimothyMakkison56d7bcdfeat: generate code for derived non refit methods and update tests. (#1875) @TimothyMakkisonf2ab216feat: add incremental generator tests (#1829) @ChrisPulman @TimothyMakkisona01cb84feat: addRestServiceExceptions(#1886) @TimothyMakkison396c2bffeat: added default interface method tests (#1881) @TimothyMakkisonc72fa3afeat: upgrade roslyn 4.0 to 4.1 (#1828) @ChrisPulman @TimothyMakkisonb32c305feat: added derived type argument tests (#1883) @TimothyMakkison26cfb28feat: add incremental generator (#1864) @TimothyMakkison
Refactoring
1869ca6refactor: move diagnostics to dedicated class (#1842) @ChrisPulman @TimothyMakkison
Fixes
84d226fFix for unused reference System.Net.Http (#1830) @ChrisPulman040ecc6Fix some typos in the codebase (#1852) @ChrisPulman @mithileshz483b1d8Fix for CRLF injection vulnerability (#1834) @ChrisPulman
General Changes
057ba9eHousekeeping fix some of the code analyser warnings (#1869) @ChrisPulmanb6f8eebchore: added generic constrained method tests (#1868) @TimothyMakkisonf7f9c00Housekeeping fix some of the code analyser warnings (#1866) @ChrisPulman418092eHousekeeping Update Version for release @ChrisPulman9b19657Housekeeping Fix API Tests (#1865) @ChrisPulman2c2e596Housekeeping Update build (#1835) @ChrisPulman30664b6chore: update toMicrosoft.CodeAnalysis.CSharpto4.1.0(#1857) @ChrisPulman @TimothyMakkison6cb59cfchore: target correct StubGenerator (#1847) @ChrisPulman @TimothyMakkison2978e37Update release.yml (#1839) @ChrisPulman5df30d9chore: upgradeVerify.SourceGeneratorsand update tests (#1874) @ChrisPulman @TimothyMakkison
Dependencies
8861decchore(deps): update dependency microsoft.codeanalysis.csharp.workspaces to 4.12.0-3.24476.2 (#1849) @renovate[bot]2d2169cchore(deps): update dependency verify.xunit to v27 (#1890) @ChrisPulman @renovate[bot]440e236chore(deps): update dependency xunit to 2.9.1 (#1858) @renovate[bot]1183b0dchore(deps): update dependency verify.xunit to 26.4.2 (#1827) @renovate[bot]8b915fachore(deps): update dependency verify.xunit to 26.6.0 (#1854) @renovate[bot]58992b0chore(deps): update dotnet monorepo (#1836) @renovate[bot]ef9b830chore(deps): update dependency system.text.json to 8.0.5 [security] (#1873) @renovate[bot]48d1256chore(deps): update dependency xunit to 2.9.2 (#1870) @renovate[bot]9619841chore(deps): update dependency nerdbank.gitversioning to 3.6.146 (#1895) @renovate[bot]10bd63achore(deps): update dependency serilog to 4.0.2 (#1872) @renovate[bot]f7feafcchore(deps): update dependency verify.diffplex to 3.1.2 (#1887) @renovate[bot]9c4dbc3chore(deps): update dependency verify.sourcegenerators to 2.4.2 (#1833) @renovate[bot]704ee4cchore(deps): update dependency microsoft.codeanalysis.csharp.workspaces to 4.12.0-3.24463.9 (#1838) @renovate[bot]2b8fca6chore(deps): update dependency microsoft.codeanalysis.csharp.workspaces to 4.12.0-3.24466.4 (#1845) @ChrisPulman @renovate[bot]fd0dd65chore(deps): update dependency verify.xunit to 26.4.5 (#1841) @renovate[bot]b8bb6cfchore(deps): update dependency verify.sourcegenerators to 2.4.3 (#1840) @renovate[bot]ecb325dchore(deps): update dependency verify.xunit to 26.4.4 (#1831) @renovate[bot]30f41acchore(deps): update dependency refit to 7.2.1 (#1844) @renovate[bot]f02e004chore(deps): update dotnet monorepo (#1867) @renovate[bot]24e0444chore(deps): update dependency serilog to 4.1.0 (#1899) @renovate[bot]101afadchore(deps): update dependency verify.xunit to 26.5.0 (#1851) @renovate[bot]
Contributions
New contributors since the last release: @mithileshz, @ted-ccm, @TeddyAssefa
Thanks to all the contributors: @ChrisPulman, @marcominerva, @mithileshz, @sguryev, @ted-ccm, @TeddyAssefa, @TimothyMakkison
The following automated services have also contributed to this release: @renovate[bot]
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.