Merge pull request from GHSA-pgw7-wx7w-2w33

RafaelGSS · web-flow · commit df4f7e0e95f5 · 2022-06-13T12:47:29.000+02:00
* fix: add CONNECT Tunneling HTTP Proxy * test: add proxy agent http(s) tests * refactor: use build connector * refactor: remove secureProxy option * update: remove connection:close * test(proxy-agent): rename tests * test: use proxy/request tls option * types: add proxyTls and requestTls types * refactor: rename socket option to httpSocket * test(proxy-agent): include proxy.on request assert * update: add throwIfProxyAuth function * refactor: remove unnecessary return * refactor: make connect tunneling work with Client.connect * chore: add rsa:2048 key/crt Avoid skipping tests in OpenSSL 3.x (v18). Ref: c5b7d03 * chore: remove self-cert * fix: adjust CONNECT host header * update: use symbol for connectEndpoint
diff --git a/lib/api/api-connect.js b/lib/api/api-connect.js
@@ -15,7 +15,7 @@ class ConnectHandler extends AsyncResource {
       throw new InvalidArgumentError('invalid callback')
     }
 
-    const { signal, opaque, responseHeaders } = opts
+    const { signal, opaque, responseHeaders, httpTunnel } = opts
 
     if (signal && typeof signal.on !== 'function' && typeof signal.addEventListener !== 'function') {
       throw new InvalidArgumentError('signal must be an EventEmitter or EventTarget')
@@ -27,6 +27,7 @@ class ConnectHandler extends AsyncResource {
     this.responseHeaders = responseHeaders || null
     this.callback = callback
     this.abort = null
+    this.httpTunnel = httpTunnel
 
     addSignal(this, signal)
   }
@@ -40,8 +41,23 @@ class ConnectHandler extends AsyncResource {
     this.context = context
   }
 
-  onHeaders () {
-    throw new SocketError('bad connect', null)
+  onHeaders (statusCode) {
+    // when httpTunnel headers are allowed
+    if (this.httpTunnel) {
+      const { callback, opaque } = this
+      if (statusCode !== 200) {
+        if (callback) {
+          this.callback = null
+          const err = new RequestAbortedError('Proxy response !== 200 when HTTP Tunneling')
+          queueMicrotask(() => {
+            this.runInAsyncScope(callback, null, err, { opaque })
+          })
+        }
+        return 1
+      }
+    } else {
+      throw new SocketError('bad connect', null)
+    }
   }
 
   onUpgrade (statusCode, rawHeaders, socket) {
diff --git a/lib/core/connect.js b/lib/core/connect.js
@@ -21,7 +21,7 @@ function buildConnector ({ maxCachedSessions, socketPath, timeout, ...opts }) {
   timeout = timeout == null ? 10e3 : timeout
   maxCachedSessions = maxCachedSessions == null ? 100 : maxCachedSessions
 
-  return function connect ({ hostname, host, protocol, port, servername }, callback) {
+  return function connect ({ hostname, host, protocol, port, servername, httpSocket }, callback) {
     let socket
     if (protocol === 'https:') {
       if (!tls) {
@@ -39,6 +39,7 @@ function buildConnector ({ maxCachedSessions, socketPath, timeout, ...opts }) {
         ...options,
         servername,
         session,
+        socket: httpSocket, // upgrade socket connection
         port: port || 443,
         host: hostname
       })
@@ -65,6 +66,7 @@ function buildConnector ({ maxCachedSessions, socketPath, timeout, ...opts }) {
           }
         })
     } else {
+      assert(!httpSocket, 'httpSocket can only be sent on TLS update')
       socket = net.connect({
         highWaterMark: 64 * 1024, // Same as nodejs fs streams.
         ...options,
diff --git a/lib/core/request.js b/lib/core/request.js
@@ -48,7 +48,11 @@ class Request {
   }, handler) {
     if (typeof path !== 'string') {
       throw new InvalidArgumentError('path must be a string')
-    } else if (path[0] !== '/' && !(path.startsWith('http://') || path.startsWith('https://'))) {
+    } else if (
+      path[0] !== '/' &&
+      !(path.startsWith('http://') || path.startsWith('https://')) &&
+      method !== 'CONNECT'
+    ) {
       throw new InvalidArgumentError('path must be an absolute URL or start with a slash')
     }
 
diff --git a/lib/proxy-agent.js b/lib/proxy-agent.js
@@ -1,41 +1,84 @@
 'use strict'
 
 const { kProxy, kClose, kDestroy } = require('./core/symbols')
+const Client = require('./agent')
 const Agent = require('./agent')
 const DispatcherBase = require('./dispatcher-base')
 const { InvalidArgumentError } = require('./core/errors')
+const buildConnector = require('./core/connect')
 
 const kAgent = Symbol('proxy agent')
+const kClient = Symbol('proxy client')
+const kProxyHeaders = Symbol('proxy headers')
+const kRequestTls = Symbol('request tls settings')
+const kProxyTls = Symbol('proxy tls settings')
+const kConnectEndpoint = Symbol('connect endpoint function')
 
 class ProxyAgent extends DispatcherBase {
   constructor (opts) {
     super(opts)
     this[kProxy] = buildProxyOptions(opts)
-    this[kAgent] = new Agent(opts)
+    this[kRequestTls] = opts.requestTls
+    this[kProxyTls] = opts.proxyTls
+    this[kProxyHeaders] = {}
+
+    if (opts.auth) {
+      this[kProxyHeaders]['proxy-authorization'] = `Basic ${opts.auth}`
+    }
+
+    const connect = buildConnector({ ...opts.proxyTls })
+    this[kConnectEndpoint] = buildConnector({ ...opts.requestTls })
+    this[kClient] = new Client({ origin: opts.origin, connect })
+    this[kAgent] = new Agent({ ...opts, connect: this.connectTunnel.bind(this) })
   }
 
   dispatch (opts, handler) {
     const { host } = new URL(opts.origin)
+    const headers = buildHeaders(opts.headers)
+    throwIfProxyAuthIsSent(headers)
     return this[kAgent].dispatch(
       {
         ...opts,
-        origin: this[kProxy].uri,
-        path: opts.origin + opts.path,
         headers: {
-          ...buildHeaders(opts.headers),
+          ...headers,
           host
         }
       },
       handler
     )
   }
 
+  async connectTunnel (opts, callback) {
+    try {
+      const { socket } = await this[kClient].connect({
+        origin: this[kProxy].origin,
+        port: this[kProxy].port,
+        path: opts.host,
+        signal: opts.signal,
+        headers: {
+          ...this[kProxyHeaders],
+          host: opts.host
+        },
+        httpTunnel: true
+      })
+      if (opts.protocol !== 'https:') {
+        callback(null, socket)
+        return
+      }
+      this[kConnectEndpoint]({ ...opts, servername: this[kRequestTls]?.servername || opts.servername, httpSocket: socket }, callback)
+    } catch (err) {
+      callback(err)
+    }
+  }
+
   async [kClose] () {
     await this[kAgent].close()
+    await this[kClient].close()
   }
 
   async [kDestroy] () {
     await this[kAgent].destroy()
+    await this[kClient].destroy()
   }
 }
 
@@ -48,10 +91,7 @@ function buildProxyOptions (opts) {
     throw new InvalidArgumentError('Proxy opts.uri is mandatory')
   }
 
-  return {
-    uri: opts.uri,
-    protocol: opts.protocol || 'https'
-  }
+  return new URL(opts.uri)
 }
 
 /**
@@ -75,4 +115,20 @@ function buildHeaders (headers) {
   return headers
 }
 
+/**
+ * @param {Record<string, string>} headers
+ *
+ * Previous versions of ProxyAgent suggests the Proxy-Authorization in request headers
+ * Nevertheless, it was changed and to avoid a security vulnerability by end users
+ * this check was created.
+ * It should be removed in the next major version for performance reasons
+ */
+function throwIfProxyAuthIsSent (headers) {
+  const existProxyAuth = headers && Object.keys(headers)
+    .find((key) => key.toLowerCase() === 'proxy-authorization')
+  if (existProxyAuth) {
+    throw new InvalidArgumentError('Proxy-Authorization should be sent in ProxyAgent constructor')
+  }
+}
+
 module.exports = ProxyAgent
diff --git a/test/fixtures/client-crt-2048.pem b/test/fixtures/client-crt-2048.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkzCCAnugAwIBAgIUF2CLbUCxPnxARRlO7pANiXtZoLIwDQYJKoZIhvcNAQEL
+BQAwWTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDESMBAGA1UEAwwJbG9jYWxob3N0MB4X
+DTIyMDYwOTE0Mzc0N1oXDTI1MDMwNDE0Mzc0N1owWTELMAkGA1UEBhMCQVUxEzAR
+BgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5
+IEx0ZDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA4PbcFnMY0FC1wzsyMf04GhOx/KNcOalHu4Wy76Wys+WoJ6hO5z87
+ZIcmsg0hbys1l6DGxloTXeZwcBDoOndUg3FBZvAXRKimhXA7Qf31a9efq9GXic2W
+7Kyn1jPa724Vkr/zzlWb5I/Qkk6xcQmEFCDhilbMtpnPz/BwOwn/2vbcbiHNirUk
+Dn+s0pUcQlin1f2AR4Jq7/K1xsqjjB6cU0chuzrwzwrglQS7jpXQxCsRaAAIZQJB
+DTVQBEo/skqWwv8xABlVQgolxABIX3Wc3RUk7xRItdWCMe92/BJCGhWVXb2hUCBu
+y/yz5hX9p353JlxmXEKQlhfPzhcdDv2sdwIDAQABo1MwUTAdBgNVHQ4EFgQUQ0di
+dFnBDLhSDgHpM+/KBn+WmI4wHwYDVR0jBBgwFoAUQ0didFnBDLhSDgHpM+/KBn+W
+mI4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAoCQJci8G+cUF
+n030frY/OgnLJXUGC2ed9Tu+dYhEE7XQkX9WO3IK8As+jGY0kKzX7ZsvWAHHbSa3
+8qmHh1vWflU9HEc0MO0Toy6Ale2/BCjs0Oy3q2vd6t9pl3Pq2JTHyJNYu44h45we
+ufQ+ttylHGZSmAqeHz4yGp1xVvjbfriDYuc0kW9UTwMpdpzR9RmqQEVD4ySxpuYV
+FTj/ZiY89GdIJvsz1pmAhTUcUfuMgSlWS1nt0YR4yMkFS8KqQ1iKEApjrdDCU48W
+eABaPeTCUlBCFEDuKxFVPduYVVvOHtkX/8LPH3CO7EDMoSZ1iCDZ7b2+AZbwh9j+
+dXqw+WFi7w==
+-----END CERTIFICATE-----
diff --git a/test/fixtures/client-key-2048.pem b/test/fixtures/client-key-2048.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA4PbcFnMY0FC1wzsyMf04GhOx/KNcOalHu4Wy76Wys+WoJ6hO
+5z87ZIcmsg0hbys1l6DGxloTXeZwcBDoOndUg3FBZvAXRKimhXA7Qf31a9efq9GX
+ic2W7Kyn1jPa724Vkr/zzlWb5I/Qkk6xcQmEFCDhilbMtpnPz/BwOwn/2vbcbiHN
+irUkDn+s0pUcQlin1f2AR4Jq7/K1xsqjjB6cU0chuzrwzwrglQS7jpXQxCsRaAAI
+ZQJBDTVQBEo/skqWwv8xABlVQgolxABIX3Wc3RUk7xRItdWCMe92/BJCGhWVXb2h
+UCBuy/yz5hX9p353JlxmXEKQlhfPzhcdDv2sdwIDAQABAoIBAFVfeaCPZ2BO8Nu5
+UFBGP48t4EL3H93GDzHsCD8IC+xXgFwkdGUvyvNYkufJMeIFbN4xJp5JusXM2Oi+
+kdL2TD1hsqdFAB+PPTqwn9xoa0XU24SSEsc6HUeOMleI8FIi3c8GR5kLRhEUPtv3
+P0GdkeEtpUohrKizcHkCTyUoo09N35MFoH3Nb1iyMd10uq0iQlusljkTuukcHstK
+MZQAYYcslqzyz9468O/cvsk23Ynd5FfjLgYKmdJ09qaxm4ptnF9NNJ2cLqwElbUF
+xI3H5L/t1zxdwI0xZFFgDA4Ccpeq9QsRhRJGAOV94tN+4PxWXEPeQk4PM1EFDrNU
+yysi/XkCgYEA+ElKG6cWQZydsb5Tk1vdJ/k18gZa5sv+WUGXkfm9EVecftGjtKQO
+c7GwHO1IsLoZkhKfPpa/oifBR97DZRzw1ManEQPS980TZYei3Y9/8uPEpvgvRmm9
+MCHA5wp6YMlkZ5VN0SBRWnPhLtZ8L2/cqHOUCQf6YsIJU9/fewufrbUCgYEA5/QU
+/tDBDl/f4A2R1HlIkGd1jS//CJLCc3riy0SQxcWIq6/cqflyfvRWiax5DwcO7qfh
+3WbJldu9H0IWZjBCqX0v/jHvWBzaKNQCKbFFcL76Lr8bJCwlUMTH9MOhHf3uCOHD
+J7YSTVJdvgzLN8K6yFhc0gI4VYQtnQTWJENObPsCgYEAlawAq6jO5uCVw3dbhGKF
+cDpwBaVFGQpyGrZKu6nUCudIpL6VtCiNubqs0tNL1ZVqIr9tFdrkTMkwX7XvDj4j
+A/F49u3aOJ18iuD4Eh4WYIJjos/MF+NYM/K1CdIsMbpV94dusJmN0Tw3y/dqR2Jk
+n3uFCuivTOdxngk//DnmmV0CgYEA1CXNUiZSfLg5xe4DVEc9lD3cKS8d3pSEXySk
+6+8hTpHV59moRJpPG0iVIcRq0NDO2n8YOOy7MWJSPpWucPZw8h362E6Jr5hr/G20
+MLffYDh8EGdgBpyN4Kqqi/allQ3cOalrWhXP9YKBFMMU10I2nekbtESti6GiKnvy
+9CXPRCMCgYBZ2w+VVdhUUBA/elbuEdfbPwIYVDAk31PYg0c9jvQVusmfD1CuY/51
+JVsF5oJSosiN7WdDIETkklth0q3lAsQBKoYYMUw54RBf6FawoumB6MVdc3u4y9Ko
+l9JC9czdEqb/e0LBqFiWsrtPk9WQf2gyN1mIXQPbyTT1O1J+DvUIbQ==
+-----END RSA PRIVATE KEY-----
diff --git a/test/proxy-agent.js b/test/proxy-agent.js
diff --git a/test/types/proxy-agent.test-d.ts b/test/types/proxy-agent.test-d.ts
diff --git a/types/proxy-agent.d.ts b/types/proxy-agent.d.ts
