brokenhandsio/VaporSecurityHeaders

Host poisoning issue in HTTPSRedirectMiddleware

Closed this issue · 0 comments

The HTTPSRedirectMiddleware may be vulnerable to a Host header injection attack.

// `host` is taken verbatim from the client-supplied Host header and is
// never validated before being placed in the redirect Location.
guard let host = request.headers.first(name: .host) else {
    return request.eventLoop.makeFailedFuture(Abort(.badRequest))
}
let httpsURL = "https://" + host + "\(request.url)"
return request.redirect(to: "\(httpsURL)", type: .permanent).encodeResponse(for: request)

I'm not sure of the best way to solve this. One way could be to copy Django's ALLOWED_HOSTS setting.
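As an added illustration of the ALLOWED_HOSTS idea (example code, not part of VaporSecurityHeaders), the following standalone Swift validates the Host header against an explicit allow-list before building the HTTPS target; `allowedHosts`, `parseHostHeader`, `httpsRedirectURL` and `path` are assumed names standing in for the middleware's configuration and `request.url`.

```swift
import Foundation

// Added example (not from the VaporSecurityHeaders project): validate the
// Host header against an explicit allow-list before using it in a redirect,
// in the spirit of Django's ALLOWED_HOSTS as suggested in the issue.

/// Hostnames this application is allowed to answer for
/// (constructed sample values for the example).
let allowedHosts: Set<String> = ["example.com", "www.example.com"]

/// Splits a Host header value into host and optional port, lower-casing the
/// host and stripping a trailing dot. Returns nil for values that do not
/// look like a bare hostname (user-info, paths, schemes, whitespace).
func parseHostHeader(_ value: String) -> (host: String, port: Int?)? {
    let trimmed = value.trimmingCharacters(in: .whitespaces)
    let forbidden: [Character] = ["/", "\\", "@", " ", "?", "#"]
    guard !trimmed.isEmpty, !trimmed.contains(where: forbidden.contains) else { return nil }
    var host = trimmed
    var port: Int? = nil
    // IPv6 literals ([::1]:8080) are not handled here; reject them explicitly.
    guard !host.hasPrefix("[") else { return nil }
    if let colon = host.lastIndex(of: ":") {
        let portText = host[host.index(after: colon)...]
        guard let p = Int(portText), (1...65535).contains(p) else { return nil }
        port = p
        host = String(host[..<colon])
    }
    host = host.lowercased()
    if host.hasSuffix(".") { host.removeLast() }
    guard !host.isEmpty else { return nil }
    return (host, port)
}

/// Returns the HTTPS redirect target for a request, or nil when the Host
/// header is missing, malformed, or not on the allow-list. `path` stands in
/// for `request.url` from the snippet above.
func httpsRedirectURL(hostHeader: String?, path: String, allowed: Set<String>) -> String? {
    guard let raw = hostHeader, let parsed = parseHostHeader(raw) else { return nil }
    guard allowed.contains(parsed.host) else { return nil }
    // Only carry a non-default port across; 443 is implied by https.
    let portSuffix = parsed.port.map { $0 == 443 ? "" : ":\($0)" } ?? ""
    return "https://" + parsed.host + portSuffix + path
}

// Usage: an allow-listed host redirects; an unknown host is rejected (caller
// should answer 400 rather than redirect).
print(httpsRedirectURL(hostHeader: "WWW.Example.com:8443", path: "/login", allowed: allowedHosts) ?? "rejected")
print(httpsRedirectURL(hostHeader: "not-allowed.invalid", path: "/login", allowed: allowedHosts) ?? "rejected")
```

In the middleware, a nil result would replace the current unconditional redirect with the existing `Abort(.badRequest)` path.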