fix(proxy): strip Set-Cookie from upstream responses#475
Merged
Conversation
A paid API proxy must never let an upstream service set cookies in the user's browser under the proxy's own origin. Otherwise a compromised, misbehaving, or attacker-influenced upstream can return `Set-Cookie: session=evil; Domain=.example.com; Secure` and the browser will honor it for every sibling subdomain of the proxy — turning any future path-confusion or open-redirect bug in the surrounding deployment into a session-fixation primitive. Proxied services authenticate via bearer tokens or signed payloads, never cookies, so dropping `set-cookie` is purely defensive with no behavioral cost. Adds a regression test verifying both single- and multi-valued `Set-Cookie` headers (including the `getSetCookie` accessor) are removed while other headers pass through unchanged. Amp-Thread-ID: https://ampcode.com/threads/T-019e525a-a5a8-75ca-98e4-8ce9433a3a52
commit: |
GHSA-q8mj-m7cp-5q26 covers qs >=6.11.1 <=6.15.1 (DoS in qs.stringify). The existing override pinned to 6.14.2, which now falls inside the vulnerable range. Bumps the override range to <=6.15.1 and pins to the patched 6.15.2. Unblocks 'Checks' job (pnpm audit) on this branch and main. Amp-Thread-ID: https://ampcode.com/threads/T-019e525a-a5a8-75ca-98e4-8ce9433a3a52
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.