Update dependency Refit to v8 [SECURITY] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
Refit	7.2.1 -> 8.0.0

GitHub Vulnerability Alerts

CVE-2024-51501

Summary

The various header-related Refit attributes (Header, HeaderCollection and Authorize) are vulnerable to CRLF injection.

Details

The way HTTP headers are added to a request is via the HttpHeaders.TryAddWithoutValidation method: https://github.com/reactiveui/refit/blob/258a771f44417c6e48e103ac921fe4786f3c2a1e/Refit/RequestBuilderImplementation.cs#L1328
This method does not check for CRLF characters in the header value.

This means that any headers added to a refit request are vulnerable to CRLF-injection. In general, CRLF-injection into a HTTP header (when using HTTP/1.1) means that one can inject additional HTTP headers or smuggle whole HTTP requests.

PoC

The below example code creates a console app that takes one command line variable (a bearer token) and then makes a request to some status page with the provided token inserted in the "Authorization" header:

using Refit;

internal class Program
{
    private static void Main(string[] args)
    {
        // Usage: dotnet run <bearer token> 
        string token = args[0];
        var service = RestService.For<IStatusApi>("http://insert.some.site.here");
        string response = service.GetStatus(token).Result;
        Console.WriteLine($"Response: {response}");
    }

    public interface IStatusApi
    {
        [Get("/status")]
        Task<string> GetStatus([Authorize("Bearer")] string token);
    }
}

This application is now vulnerable to CRLF-injection, and can thus be abused to for example perform request splitting and thus server side request forgery (SSRF):

anonymous@ubuntu-sofia-672448:~$ dotnet Refit-cli.dll $'test\r\nUser-Agent: injected header!\r\n\r\nGET /smuggled HTTP/1.1\r\nHost: insert.some.site.here'
Response: <html></html>

The application intends to send a single request of the form:

GET /status HTTP/1.1
Host: insert.some.site.here
Authorization: Bearer <bearer token>

But as the application is vulnerable to CRLF injection the above command will instead result in the following two requests being sent:

GET /status HTTP/1.1
Host: insert.some.site.here
Authorization: Bearer test
User-Agent: injected header!

and

GET /smuggled HTTP/1.1
Host: insert.some.site.here

This can be confirmed by checking the access logs on the server where these commands were run (with insert.some.site.here pointing to localhost):

anonymous@ubuntu-sofia-672448:~$ sudo tail /var/log/apache2/access.log
127.0.0.1 - - [29/Aug/2024:12:17:34 +0000] "GET /status HTTP/1.1" 200 240 "-" "injected header!"
127.0.0.1 - - [29/Aug/2024:12:17:34 +0000] "GET /smuggled HTTP/1.1" 404 436 "-" "-"

Impact

If an application using the Refit library passes a user-controllable value through to a header, then that application becomes vulnerable to CRLF-injection. This is not necessarily a security issue for a command line application like the one above, but if such code were present in a web application then it becomes vulnerable to request splitting (as shown in the PoC) and thus Server Side Request Forgery.

Strictly speaking this is a potential vulnerability in applications using Refit, not in Refit itself, but I would argue that at the very least there needs to be a warning about this behaviour in the Refit documentation.

---

Release Notes

reactiveui/refit (Refit)

v8.0.0

Compare Source

Features

• ebc7954 feat: add parameter substitution tests (#​1896) @​ChrisPulman @​TimothyMakkison
• 0ba7394 feat: add UniqueNameBuilder (#​1894) @​TimothyMakkison
• c1d7aa1 feat: add more incremental tests (#​1871) @​TimothyMakkison
• 606a6c6 feat: added nullable and parameter tests (#​1863) @​ChrisPulman @​TimothyMakkison
• faa1f68 feat: added source gen tests for generic constraints (#​1859) @​TimothyMakkison
• 7e53d81 feat: fix invalid unmanaged struct constraint generation (#​1861) @​ChrisPulman @​TimothyMakkison
• 93b4ee2 feat: add non refit method raises diagnostic test (#​1860) @​ChrisPulman @​TimothyMakkison
• d03121d feat: add IDisposable test (#​1855) @​TimothyMakkison
• 6de1dbb feat: change IPerformanceService to return HttpResponseMessage (#​1893) @​TimothyMakkison
• 27b436c feat: added larger benchmark (#​1848) @​ChrisPulman @​TimothyMakkison
• 7ea950a feat: add ReflectionTests for IUrlParameterFormatter (#​1888) @​TimothyMakkison
• a831dac feat: add ShouldNotEmitFiles test (#​1843) @​TimothyMakkison
• 56d7bcd feat: generate code for derived non refit methods and update tests. (#​1875) @​TimothyMakkison
• f2ab216 feat: add incremental generator tests (#​1829) @​ChrisPulman @​TimothyMakkison
• a01cb84 feat: add RestServiceExceptions (#​1886) @​TimothyMakkison
• 396c2bf feat: added default interface method tests (#​1881) @​TimothyMakkison
• c72fa3a feat: upgrade roslyn 4.0 to 4.1 (#​1828) @​ChrisPulman @​TimothyMakkison
• b32c305 feat: added derived type argument tests (#​1883) @​TimothyMakkison
• 26cfb28 feat: add incremental generator (#​1864) @​TimothyMakkison

Refactoring

• 1869ca6 refactor: move diagnostics to dedicated class (#​1842) @​ChrisPulman @​TimothyMakkison

Fixes

• 84d226f Fix for unused reference System.Net.Http (#​1830) @​ChrisPulman
• 040ecc6 Fix some typos in the codebase (#​1852) @​ChrisPulman @​mithileshz
• 483b1d8 Fix for CRLF injection vulnerability (#​1834) @​ChrisPulman

General Changes

• 057ba9e Housekeeping fix some of the code analyser warnings (#​1869) @​ChrisPulman
• b6f8eeb chore: added generic constrained method tests (#​1868) @​TimothyMakkison
• f7f9c00 Housekeeping fix some of the code analyser warnings (#​1866) @​ChrisPulman
• 418092e Housekeeping Update Version for release @​ChrisPulman
• 9b19657 Housekeeping Fix API Tests (#​1865) @​ChrisPulman
• 2c2e596 Housekeeping Update build (#​1835) @​ChrisPulman
• 30664b6 chore: update to Microsoft.CodeAnalysis.CSharp to 4.1.0 (#​1857) @​ChrisPulman @​TimothyMakkison
• 6cb59cf chore: target correct StubGenerator (#​1847) @​ChrisPulman @​TimothyMakkison
• 2978e37 Update release.yml (#​1839) @​ChrisPulman
• 5df30d9 chore: upgrade Verify.SourceGenerators and update tests (#​1874) @​ChrisPulman @​TimothyMakkison

Dependencies

• 8861dec chore(deps): update dependency microsoft.codeanalysis.csharp.workspaces to 4.12.0-3.24476.2 (#​1849) @​renovate[bot]
• 2d2169c chore(deps): update dependency verify.xunit to v27 (#​1890) @​ChrisPulman @​renovate[bot]
• 440e236 chore(deps): update dependency xunit to 2.9.1 (#​1858) @​renovate[bot]
• 1183b0d chore(deps): update dependency verify.xunit to 26.4.2 (#​1827) @​renovate[bot]
• 8b915fa chore(deps): update dependency verify.xunit to 26.6.0 (#​1854) @​renovate[bot]
• 58992b0 chore(deps): update dotnet monorepo (#​1836) @​renovate[bot]
• ef9b830 chore(deps): update dependency system.text.json to 8.0.5 [security] (#​1873) @​renovate[bot]
• 48d1256 chore(deps): update dependency xunit to 2.9.2 (#​1870) @​renovate[bot]
• 9619841 chore(deps): update dependency nerdbank.gitversioning to 3.6.146 (#​1895) @​renovate[bot]
• 10bd63a chore(deps): update dependency serilog to 4.0.2 (#​1872) @​renovate[bot]
• f7feafc chore(deps): update dependency verify.diffplex to 3.1.2 (#​1887) @​renovate[bot]
• 9c4dbc3 chore(deps): update dependency verify.sourcegenerators to 2.4.2 (#​1833) @​renovate[bot]
• 704ee4c chore(deps): update dependency microsoft.codeanalysis.csharp.workspaces to 4.12.0-3.24463.9 (#​1838) @​renovate[bot]
• 2b8fca6 chore(deps): update dependency microsoft.codeanalysis.csharp.workspaces to 4.12.0-3.24466.4 (#​1845) @​ChrisPulman @​renovate[bot]
• fd0dd65 chore(deps): update dependency verify.xunit to 26.4.5 (#​1841) @​renovate[bot]
• b8bb6cf chore(deps): update dependency verify.sourcegenerators to 2.4.3 (#​1840) @​renovate[bot]
• ecb325d chore(deps): update dependency verify.xunit to 26.4.4 (#​1831) @​renovate[bot]
• 30f41ac chore(deps): update dependency refit to 7.2.1 (#​1844) @​renovate[bot]
• f02e004 chore(deps): update dotnet monorepo (#​1867) @​renovate[bot]
• 24e0444 chore(deps): update dependency serilog to 4.1.0 (#​1899) @​renovate[bot]
• 101afad chore(deps): update dependency verify.xunit to 26.5.0 (#​1851) @​renovate[bot]

Contributions

New contributors since the last release: @​mithileshz, @​ted-ccm, @​TeddyAssefa
Thanks to all the contributors: @​ChrisPulman, @​marcominerva, @​mithileshz, @​sguryev, @​ted-ccm, @​TeddyAssefa, @​TimothyMakkison

The following automated services have also contributed to this release: @​renovate[bot]

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[korbit-ai]

By default, I don't review pull requests opened by bots. If you would like me to review this pull request anyway, you can request a review via the /korbit-review command in a comment.

[github-actions]

Test Results

1 966 tests  ±0   1 960 ✅  - 6   15s ⏱️ -1s
    3 suites ±0       0 💤 ±0 
    3 files   ±0       6 ❌ +6 

For more details on these failures, see this check.

Results for commit c39df74. ± Comparison against base commit 422d002.

This pull request removes 220 and adds 220 tests. Note that renamed tests count towards both.

PinguApps.Appwrite.Server.Tests.Clients.Users.UsersClientTests ‑ CreateUserJwt_ShouldReturnSuccess_WhenApiCallSucceeds(request: CreateUserJwtRequest { Duration = 1800, SessionId = "671c28f1000e6e2c1c6f", UserId = "671c28f1000e6cb302c7", ValidationContext = None })
PinguApps.Appwrite.Server.Tests.Clients.Users.UsersClientTests ‑ CreateUserJwt_ShouldReturnSuccess_WhenApiCallSucceeds(request: CreateUserJwtRequest { Duration = null, SessionId = null, UserId = "671c28f1000e59e22978", ValidationContext = None })
PinguApps.Appwrite.Server.Tests.Clients.Users.UsersClientTests ‑ ListUserLogs_ShouldReturnSuccess_WhenApiCallSucceeds(request: ListUserLogsRequest { Queries = null, UserId = "671c28f1000e703d0538", ValidationContext = None })
PinguApps.Appwrite.Server.Tests.Clients.Users.UsersClientTests ‑ ListUserLogs_ShouldReturnSuccess_WhenApiCallSucceeds(request: ListUserLogsRequest { Queries = null, UserId = "671c28f1000e739785ca", ValidationContext = None })
PinguApps.Appwrite.Server.Tests.Clients.Users.UsersClientTests ‑ ListUserTargets_ShouldReturnSuccess_WhenApiCallSucceeds(request: ListUserTargetsRequest { Queries = null, UserId = "671c28f1000e794f8f60", ValidationContext = None })
PinguApps.Appwrite.Server.Tests.Clients.Users.UsersClientTests ‑ ListUserTargets_ShouldReturnSuccess_WhenApiCallSucceeds(request: ListUserTargetsRequest { Queries = null, UserId = "671c28f1000e7b7f9311", ValidationContext = None })
PinguApps.Appwrite.Server.Tests.Clients.Users.UsersClientTests ‑ UpdateUserLabels_ShouldReturnSuccess_WhenApiCallSucceeds(request: UpdateUserLabelsRequest { Labels = ["label1", "label2"], UserId = "671c28f1000e731be245", ValidationContext = None })
PinguApps.Appwrite.Server.Tests.Clients.Users.UsersClientTests ‑ UpdateUserLabels_ShouldReturnSuccess_WhenApiCallSucceeds(request: UpdateUserLabelsRequest { Labels = ["label3", "label4"], UserId = "671c28f1000e79d60f5b", ValidationContext = None })
PinguApps.Appwrite.Shared.Tests.Requests.Account.CreatePushTargetRequestTests ‑ IsValid_WithInvalidData_ReturnsFalse(request: CreatePushTargetRequest { Identifier = "", ProviderId = "provider123", TargetId = "671c28ec003916aebe09", ValidationContext = None })
PinguApps.Appwrite.Shared.Tests.Requests.Account.CreatePushTargetRequestTests ‑ IsValid_WithInvalidData_ReturnsFalse(request: CreatePushTargetRequest { Identifier = null, ProviderId = "provider123", TargetId = "671c28ec00391d105e85", ValidationContext = None })
…

PinguApps.Appwrite.Server.Tests.Clients.Users.UsersClientTests ‑ CreateUserJwt_ShouldReturnSuccess_WhenApiCallSucceeds(request: CreateUserJwtRequest { Duration = 1800, SessionId = "6729696800055f1aeb8d", UserId = "67296968000554fed1c7", ValidationContext = None })
PinguApps.Appwrite.Server.Tests.Clients.Users.UsersClientTests ‑ CreateUserJwt_ShouldReturnSuccess_WhenApiCallSucceeds(request: CreateUserJwtRequest { Duration = null, SessionId = null, UserId = "6729696800054b529b78", ValidationContext = None })
PinguApps.Appwrite.Server.Tests.Clients.Users.UsersClientTests ‑ ListUserLogs_ShouldReturnSuccess_WhenApiCallSucceeds(request: ListUserLogsRequest { Queries = null, UserId = "67296968000550b59129", ValidationContext = None })
PinguApps.Appwrite.Server.Tests.Clients.Users.UsersClientTests ‑ ListUserLogs_ShouldReturnSuccess_WhenApiCallSucceeds(request: ListUserLogsRequest { Queries = null, UserId = "672969680005585e84b0", ValidationContext = None })
PinguApps.Appwrite.Server.Tests.Clients.Users.UsersClientTests ‑ ListUserTargets_ShouldReturnSuccess_WhenApiCallSucceeds(request: ListUserTargetsRequest { Queries = null, UserId = "6729696800056adc1b9b", ValidationContext = None })
PinguApps.Appwrite.Server.Tests.Clients.Users.UsersClientTests ‑ ListUserTargets_ShouldReturnSuccess_WhenApiCallSucceeds(request: ListUserTargetsRequest { Queries = null, UserId = "6729696800056e70673e", ValidationContext = None })
PinguApps.Appwrite.Server.Tests.Clients.Users.UsersClientTests ‑ UpdateUserLabels_ShouldReturnSuccess_WhenApiCallSucceeds(request: UpdateUserLabelsRequest { Labels = ["label1", "label2"], UserId = "67296968000569a5781e", ValidationContext = None })
PinguApps.Appwrite.Server.Tests.Clients.Users.UsersClientTests ‑ UpdateUserLabels_ShouldReturnSuccess_WhenApiCallSucceeds(request: UpdateUserLabelsRequest { Labels = ["label3", "label4"], UserId = "6729696800056608f151", ValidationContext = None })
PinguApps.Appwrite.Shared.Tests.Requests.Account.CreatePushTargetRequestTests ‑ IsValid_WithInvalidData_ReturnsFalse(request: CreatePushTargetRequest { Identifier = "", ProviderId = "provider123", TargetId = "67296963002ff780a173", ValidationContext = None })
PinguApps.Appwrite.Shared.Tests.Requests.Account.CreatePushTargetRequestTests ‑ IsValid_WithInvalidData_ReturnsFalse(request: CreatePushTargetRequest { Identifier = null, ProviderId = "provider123", TargetId = "67296963002ff2f2579d", ValidationContext = None })
…