Small header merging issue #1228

@MegaManSec

Checklist

  • I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

mergeHeaders and mergeOnlyDefinedHeaders in

export function mergeHeaders<THeaderValue>(
do not normalize header names (no lower-casing) and treat null as a deletion instruction. A caller can supply headers.authorization (lowercase) or Authorization: null to create a duplicate/ambiguous Authorization header or to delete the SDK-provided Authorization header. This leads to ambiguous or unauthenticated requests depending on server handling and can be exploited in a single request to remove the intended SDK-managed identity or produce confusing header behavior.

In addition to this, a caller can set e.g. Authorization: null, which is treated as a deleted header. For example:

let _headers = mergeHeaders(
  this._options?.headers,                                  // 1) global
  mergeOnlyDefinedHeaders({ Authorization: await this._getAuthorizationHeader() }), // 2) SDK auth
  requestOptions?.headers,                                 // 3) per-request
);

...

client.keys.customSigning.get({ headers: { Authorization: null } });

...

client.keys.customSigning.get({ headers: { authorization: "Basic attacker" } });

Reproduction

const defaults = { Authorization: "Bearer sdk-token" };
const user     = { authorization: "Basic attacker" }; // different case
const merged   = mergeHeaders(defaults, user);

// merged now has both keys:
// { Authorization: "Bearer sdk-token", authorization: "Basic attacker" }
// Downstream client will normalize and one wins.

Additional context

No response

node-auth0 version

latest

Node.js version

latest
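To put the two failure modes from the report (case-distinct duplicate keys, and null deleting the SDK-set header) next to a merge that keeps a single, SDK-owned Authorization header, here is an added TypeScript example; it is not node-auth0's code or its fix, and the function names, the `sdkManaged` parameter and the "apply SDK-managed headers last" ordering are assumptions of this example.

```typescript
type HeaderValue = string | null | undefined;
type HeaderSource = Record<string, HeaderValue> | undefined;

// Mirrors the reported behaviour: later sources win key-by-key, names are compared
// as written ("Authorization" and "authorization" are distinct keys), and a null
// value removes whatever an earlier source set under that exact spelling.
export function naiveMergeHeaders(...sources: HeaderSource[]): Record<string, string> {
  const out: Record<string, string> = {};
  for (const src of sources) {
    if (!src) continue;
    for (const name in src) {
      if (!Object.prototype.hasOwnProperty.call(src, name)) continue;
      const value = src[name];
      if (value === null || value === undefined) delete out[name];
      else out[name] = value;
    }
  }
  return out;
}

// Hardened variant (added here, not the SDK's fix): names are lower-cased before
// comparison because HTTP header names are case-insensitive, so a request can never
// carry two spellings of one header; SDK-managed headers (`sdkManaged`, an assumed
// parameter) are applied last, so a caller can neither replace nor null them out.
export function safeMergeHeaders(
  sdkManaged: Record<string, HeaderValue>,
  ...callerSources: HeaderSource[]
): Record<string, string> {
  const out: Record<string, string> = {}; // keys are canonical lower-case names
  for (const src of callerSources) {
    if (!src) continue;
    for (const rawName in src) {
      if (!Object.prototype.hasOwnProperty.call(src, rawName)) continue;
      const name = rawName.toLowerCase();
      const value = src[rawName];
      if (value === null || value === undefined) delete out[name]; // caller may drop headers it set itself
      else out[name] = value;
    }
  }
  for (const rawName in sdkManaged) {
    if (!Object.prototype.hasOwnProperty.call(sdkManaged, rawName)) continue;
    const value = sdkManaged[rawName];
    if (value !== null && value !== undefined) out[rawName.toLowerCase()] = value;
  }
  return out;
}
```

With the report's inputs, naiveMergeHeaders returns both an Authorization and an authorization key (or no authorization header at all when null is passed), while safeMergeHeaders returns a single authorization: "Bearer sdk-token" regardless of what the caller supplies under that name.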

Labels

bug