Skip to content

fix(core): enforce https on custom proxy/cdnproxy urls#1300

Open
sunitaprajapati89 wants to merge 1 commit into
masterfrom
security-audit-fixes-core
Open

fix(core): enforce https on custom proxy/cdnproxy urls#1300
sunitaprajapati89 wants to merge 1 commit into
masterfrom
security-audit-fixes-core

Conversation

@sunitaprajapati89

Copy link
Copy Markdown
Contributor

Task:
Enforce HTTPS on custom proxy/cdnProxy URLs (write key sent over cleartext) ·

  • Where: packages/core/src/util.ts:261-288 (getURL/validateURL), consumed at SegmentDestination.ts:388 and analytics.ts:383.
  • Problem: getURL() only upgrades to https:// when the host has no scheme. An explicit http:// proxy/cdnProxy is preserved, and validateURL's regex allows https?://. uploadEvents() then POSTs { batch, sentAt, writeKey } — write key and all event PII — in cleartext to that host, exposed to on-path attackers. Default hosts are https, so this only bites with a misconfigured custom proxy, but the SDK permits the downgrade silently.
  • Fix: Reject or warn-and-upgrade http:// proxy/cdnProxy unless an explicit allowInsecureProxy opt-in is set. At minimum log a loud warning. Document that the write key + PII travel in the body.

What changes are done:

-[packages/core/src/util.ts] — getURL now throws on http:// unless allowInsecure=true is passed; logs a console.warn when the opt-in is used
-[packages/core/src/types.ts] — added allowInsecureProxy?: boolean to Config with a doc comment explaining the risk
-[packages/core/src/analytics.ts] — passes this.config.allowInsecureProxy to getURL for the CDN proxy path
-[packages/core/src/plugins/SegmentDestination.ts] — passes config?.allowInsecureProxy to getURL for the upload proxy path
-[packages/core/src/tests/util.test.ts] — two new tests covering the rejection and opt-in paths

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant