CVE-2022-41919: Merge pull request from GHSA-3fjj-p79j-c9hh · fastify/fastify@62dde76

Fastify is a web framework with minimal overhead and a plugin architecture. An attacker can use an incorrect Content-Type to bypass the pre-flight checking of fetch. fetch() requests whose Content-Type's essence is "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain" could potentially be used to invoke routes that only accept the application/json content type, thus bypassing any CORS protection, and therefore could lead to a Cross-Site Request Forgery attack. This issue has been patched in versions 4.10.2 and 3.29.4. As a workaround, implement Cross-Site Request Forgery protection using `@fastify/csrf`.

@@ -395,3 +395,217 @@ test('Safeguard against malicious content-type / 3’, async t => {
t.same(response.statusCode, 415) })
test('Safeguard against content-type spoofing - string’, async t => { t.plan(1)
const fastify = Fastify() fastify.removeAllContentTypeParsers() fastify.addContentTypeParser('text/plain’, function (request, body, done) { t.pass(‘should be called’) done(null, body) }) fastify.addContentTypeParser('application/json’, function (request, body, done) { t.fail(‘shouldn\’t be called’) done(null, body) })
fastify.post('/’, async () => { return ‘ok’ })
await fastify.inject({ method: 'POST’, path: '/’, headers: { 'content-type’: ‘text/plain; content-type="application/json"’ }, body: ‘’ }) })
test('Safeguard against content-type spoofing - regexp’, async t => { t.plan(1)
const fastify = Fastify() fastify.removeAllContentTypeParsers() fastify.addContentTypeParser(/text\/plain/, function (request, body, done) { t.pass(‘should be called’) done(null, body) }) fastify.addContentTypeParser(/application\/json/, function (request, body, done) { t.fail(‘shouldn\’t be called’) done(null, body) })
fastify.post('/’, async () => { return ‘ok’ })
await fastify.inject({ method: 'POST’, path: '/’, headers: { 'content-type’: ‘text/plain; content-type="application/json"’ }, body: ‘’ }) })
test('content-type match parameters - string 1’, async t => { t.plan(1)
const fastify = Fastify() fastify.removeAllContentTypeParsers() fastify.addContentTypeParser('text/plain; charset=utf8’, function (request, body, done) { t.fail(‘shouldn\’t be called’) done(null, body) }) fastify.addContentTypeParser('application/json; charset=utf8’, function (request, body, done) { t.pass(‘should be called’) done(null, body) })
fastify.post('/’, async () => { return ‘ok’ })
await fastify.inject({ method: 'POST’, path: '/’, headers: { 'content-type’: ‘application/json; charset=utf8’ }, body: ‘’ }) })
test('content-type match parameters - string 2’, async t => { t.plan(1)
const fastify = Fastify() fastify.removeAllContentTypeParsers() fastify.addContentTypeParser('application/json; charset=utf8; foo=bar’, function (request, body, done) { t.pass(‘should be called’) done(null, body) }) fastify.addContentTypeParser('text/plain; charset=utf8; foo=bar’, function (request, body, done) { t.fail(‘shouldn\’t be called’) done(null, body) })
fastify.post('/’, async () => { return ‘ok’ })
await fastify.inject({ method: 'POST’, path: '/’, headers: { 'content-type’: ‘application/json; foo=bar; charset=utf8’ }, body: ‘’ }) })
test('content-type match parameters - regexp’, async t => { t.plan(1)
const fastify = Fastify() fastify.removeAllContentTypeParsers() fastify.addContentTypeParser(/application\/json; charset=utf8/, function (request, body, done) { t.pass(‘should be called’) done(null, body) })
fastify.post('/’, async () => { return ‘ok’ })
await fastify.inject({ method: 'POST’, path: '/’, headers: { 'content-type’: ‘application/json; charset=utf8’ }, body: ‘’ }) })
test('content-type fail when parameters not match - string 1’, async t => { t.plan(1)
const fastify = Fastify() fastify.removeAllContentTypeParsers() fastify.addContentTypeParser('application/json; charset=utf8; foo=bar’, function (request, body, done) { t.fail(‘shouldn\’t be called’) done(null, body) })
fastify.post('/’, async () => { return ‘ok’ })
const response = await fastify.inject({ method: 'POST’, path: '/’, headers: { 'content-type’: ‘application/json; charset=utf8’ }, body: ‘’ })
t.same(response.statusCode, 415) })
test('content-type fail when parameters not match - string 2’, async t => { t.plan(1)
const fastify = Fastify() fastify.removeAllContentTypeParsers() fastify.addContentTypeParser('application/json; charset=utf8; foo=bar’, function (request, body, done) { t.fail(‘shouldn\’t be called’) done(null, body) })
fastify.post('/’, async () => { return ‘ok’ })
const response = await fastify.inject({ method: 'POST’, path: '/’, headers: { 'content-type’: ‘application/json; charset=utf8; foo=baz’ }, body: ‘’ })
t.same(response.statusCode, 415) })
test('content-type fail when parameters not match - regexp’, async t => { t.plan(1)
const fastify = Fastify() fastify.removeAllContentTypeParsers() fastify.addContentTypeParser(/application\/json; charset=utf8; foo=bar/, function (request, body, done) { t.fail(‘shouldn\’t be called’) done(null, body) })
fastify.post('/’, async () => { return ‘ok’ })
const response = await fastify.inject({ method: 'POST’, path: '/’, headers: { 'content-type’: ‘application/json; charset=utf8’ }, body: ‘’ })
t.same(response.statusCode, 415) })
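Review bot: The two "Safeguard against content-type spoofing" tests at the top of the hunk never inspect the response: with `t.plan(1)` they pass as long as the text/plain parser runs once and the JSON parser does not, so they would still pass if the route then answered 415 or 500. Capturing the result as `const response = await fastify.inject({ ... })`, raising to `t.plan(2)` and adding `t.same(response.statusCode, 200)` would pin the whole request path the way the later "fail when parameters not match" tests already do. Only a `text/plain` essence is exercised, while the advisory this fixes also names `application/x-www-form-urlencoded` and `multipart/form-data`; a sibling case for those essences carrying a `content-type="application/json"` parameter would be cheap, and the regexp variant is the one where the embedded `application/json` text would otherwise also match `/application\/json/`. The hunk header advertises 217 added lines, so the hunk appears to continue past what is shown here, and the apostrophes in the listing look mangled by the page rendering rather than by the commit.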

Related news

GHSA-3fjj-p79j-c9hh: Fastify: Incorrect Content-Type parsing can lead to CSRF attack

### Impact

The attacker can use the incorrect `Content-Type` to bypass the `Pre-Flight` checking of `fetch`. `fetch()` requests with Content-Type's [essence](https://mimesniff.spec.whatwg.org/#mime-type-essence) as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain" could potentially be used to invoke routes that only accept the `application/json` content type, thus bypassing any [CORS protection](https://fetch.spec.whatwg.org/#simple-header), and therefore they could lead to a Cross-Site Request Forgery attack.

### Patches

For `4.x` users, please update to at least `4.10.2`. For `3.x` users, please update to at least `3.29.4`.

### Workarounds

Implement Cross-Site Request Forgery protection using [`@fastify/csrf`](https://www.npmjs.com/package/@fastify/csrf).

### References

Check out the HackerOne report: https://hackerone.com/reports/1763832.

### For more information

[Fastify security policy](https://github.com/fastify/fastify/security/policy)
