Skip to content

Update dependency Refit to 7.2.22 [SECURITY] #2033

Update dependency Refit to 7.2.22 [SECURITY]

Update dependency Refit to 7.2.22 [SECURITY] #2033

Triggered via pull request November 8, 2024 15:48
Status Success
Total duration 22s
Artifacts

release-drafter.yml

on: pull_request_target
update_release_draft
12s
update_release_draft
Fit to window
Zoom out
Zoom in

Annotations

2 errors
update_release_draft
Resource not accessible by integration { name: 'HttpError', id: '11745227339', status: 403, response: { url: 'https://api.github.com/repos/RehanSaeed/Serilog.Exceptions/issues/897/labels', status: 403, headers: { 'access-control-allow-origin': '*', 'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset', connection: 'close', 'content-encoding': 'gzip', 'content-security-policy': "default-src 'none'", 'content-type': 'application/json; charset=utf-8', date: 'Fri, 08 Nov 2024 15:48:22 GMT', 'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin', server: 'github.com', 'strict-transport-security': 'max-age=31536000; includeSubdomains; preload', 'transfer-encoding': 'chunked', vary: 'Accept-Encoding, Accept, X-Requested-With', 'x-accepted-github-permissions': 'issues=write; pull_requests=write', 'x-content-type-options': 'nosniff', 'x-frame-options': 'deny', 'x-github-api-version-selected': '2022-11-28', 'x-github-media-type': 'github.v3; format=json', 'x-github-request-id': 'D085:25D53C:1025FF8:1FAF463:672E32C6', 'x-ratelimit-limit': '5000', 'x-ratelimit-remaining': '4995', 'x-ratelimit-reset': '1731084502', 'x-ratelimit-resource': 'core', 'x-ratelimit-used': '5', 'x-xss-protection': '0' }, data: { message: 'Resource not accessible by integration', documentation_url: 'https://docs.github.com/rest/issues/labels#add-labels-to-an-issue', status: '403' } }, request: { method: 'POST', url: 'https://api.github.com/repos/RehanSaeed/Serilog.Exceptions/issues/897/labels', headers: { accept: 'application/vnd.github.v3+json', 'user-agent': 'probot/12.2.5 octokit-core.js/3.5.1 Node.js/20.13.1 (linux; x64)', authorization: 'token [REDACTED]', 'content-type': 'application/json; charset=utf-8' }, body: '{"labels":["enhancement"]}', request: {} }, event: { id: '11745227339', name: 'pull_request_target', payload: { action: 'edited', changes: { body: { from: 'This PR contains the following updates:\n' + '\n' + '| Package | Change | Age | Adoption | Passing | Confidence |\n' + '|---|---|---|---|---|---|\n' + '| [Refit](https://redirect.github.com/reactiveui/refit) | `7.2.1` -> `8.0.0` | [![age](https://developer.mend.io/api/mc/badges/age/nuget/Refit/8.0.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/nuget/Refit/8.0.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/nuget/Refit/7.2.1/8.0.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/nuget/Refit/7.2.1/8.0.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) |\n' + '\n' + '### GitHub Vulnerability Alerts\n' + '\n' + '#### [CVE-2024-51501](https://redirect.github.com/reactiveui/refit/security/advisories/GHSA-3hxg-fxwm-8gf7)\n' + '\n' + '### Summary\n' + 'The various header-related Refit attributes (Header, HeaderCollection and Authorize) are vulnerable to CRLF injection.\n' + '\n' + '### Details\n' + 'The way HTTP headers are added to a request is via the `HttpHeaders.TryAddWithoutValidation` method: <https://github.com/reactiveui/refit/blob/258a771f44417c6e48e103ac921fe4786f3c2a1e/Refit/RequestBuilderImplementation.cs#L1328>\n' + 'This method does not check for CRLF characters in the header value.\n' +
update_release_draft
HttpError: Resource not accessible by integration at /home/runner/work/_actions/release-drafter/release-drafter/v6.0.0/dist/index.js:8462:21 at process.processTicksAndRejections (node:internal/process/task_queues:95:5) at async Job.doExecute (/home/runner/work/_actions/release-drafter/release-drafter/v6.0.0/dist/index.js:30793:18) { name: 'AggregateError', event: { id: '11745227339', name: 'pull_request_target', payload: { action: 'edited', changes: { body: { from: 'This PR contains the following updates:\n' + '\n' + '| Package | Change | Age | Adoption | Passing | Confidence |\n' + '|---|---|---|---|---|---|\n' + '| [Refit](https://redirect.github.com/reactiveui/refit) | `7.2.1` -> `8.0.0` | [![age](https://developer.mend.io/api/mc/badges/age/nuget/Refit/8.0.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/nuget/Refit/8.0.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/nuget/Refit/7.2.1/8.0.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/nuget/Refit/7.2.1/8.0.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) |\n' + '\n' + '### GitHub Vulnerability Alerts\n' + '\n' + '#### [CVE-2024-51501](https://redirect.github.com/reactiveui/refit/security/advisories/GHSA-3hxg-fxwm-8gf7)\n' + '\n' + '### Summary\n' + 'The various header-related Refit attributes (Header, HeaderCollection and Authorize) are vulnerable to CRLF injection.\n' + '\n' + '### Details\n' + 'The way HTTP headers are added to a request is via the `HttpHeaders.TryAddWithoutValidation` method: <https://github.com/reactiveui/refit/blob/258a771f44417c6e48e103ac921fe4786f3c2a1e/Refit/RequestBuilderImplementation.cs#L1328>\n' + 'This method does not check for CRLF characters in the header value.\n' + '\n' + 'This means that any headers added to a refit request are vulnerable to CRLF-injection. In general, CRLF-injection into a HTTP header (when using HTTP/1.1) means that one can inject additional HTTP headers or smuggle whole HTTP requests.\n' + '\n' + '### PoC\n' + 'The below example code creates a console app that takes one command line variable (a bearer token) and then makes a request to some status page with the provided token inserted in the "Authorization" header:\n' + '\n' + '```c#\n' + 'using Refit;\n' + '\n' + 'internal class Program\n' + '{\n' + ' private static void Main(string[] args)\n' + ' {\n' + ' // Usage: dotnet run <bearer token> \n' + ' string token = args[0];\n' + ' var service = RestService.For<IStatusApi>("http://insert.some.site.here");\n' + ' string response = service.GetStatus(token).Result;\n' + ' Console.WriteLine($"Response: {response}");\n' + ' }\n' + '\n' + ' public interface IStatusApi\n' + ' {\n' + ' [Get("/status")]\n' + ' Task<string> GetStatus([Authorize("Bearer")] string token);\n' + ' }\n' + '}\n' + '```\n' + '\n' + 'This application is now vulnerable to CRLF-injection, and can thus be abused to for example perform request splitting and thus server side request forgery (SSRF):\n' + '\n' + '```bash\n' + "anonymous@ubuntu-sofia-672448:~$ dotnet Refit-cli.dll $'test\\r\\nUser-Agent: injected header!\\r\\n\\r\\nGET /smuggled HTTP/1.1\\r\\nHost: insert.some.site.here'\n" + 'Response: <htm