Update dependency Refit to 7.2.22 [SECURITY] #2033
Triggered via pull request
November 8, 2024 15:48
renovate[bot]
edited
#897
Status
Success
Total duration
22s
Artifacts
–
release-drafter.yml
on: pull_request_target
update_release_draft
12s
Annotations
2 errors
update_release_draft
Resource not accessible by integration
{
name: 'HttpError',
id: '11745227339',
status: 403,
response: {
url: 'https://api.github.com/repos/RehanSaeed/Serilog.Exceptions/issues/897/labels',
status: 403,
headers: {
'access-control-allow-origin': '*',
'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
connection: 'close',
'content-encoding': 'gzip',
'content-security-policy': "default-src 'none'",
'content-type': 'application/json; charset=utf-8',
date: 'Fri, 08 Nov 2024 15:48:22 GMT',
'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
server: 'github.com',
'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
'transfer-encoding': 'chunked',
vary: 'Accept-Encoding, Accept, X-Requested-With',
'x-accepted-github-permissions': 'issues=write; pull_requests=write',
'x-content-type-options': 'nosniff',
'x-frame-options': 'deny',
'x-github-api-version-selected': '2022-11-28',
'x-github-media-type': 'github.v3; format=json',
'x-github-request-id': 'D085:25D53C:1025FF8:1FAF463:672E32C6',
'x-ratelimit-limit': '5000',
'x-ratelimit-remaining': '4995',
'x-ratelimit-reset': '1731084502',
'x-ratelimit-resource': 'core',
'x-ratelimit-used': '5',
'x-xss-protection': '0'
},
data: {
message: 'Resource not accessible by integration',
documentation_url: 'https://docs.github.com/rest/issues/labels#add-labels-to-an-issue',
status: '403'
}
},
request: {
method: 'POST',
url: 'https://api.github.com/repos/RehanSaeed/Serilog.Exceptions/issues/897/labels',
headers: {
accept: 'application/vnd.github.v3+json',
'user-agent': 'probot/12.2.5 octokit-core.js/3.5.1 Node.js/20.13.1 (linux; x64)',
authorization: 'token [REDACTED]',
'content-type': 'application/json; charset=utf-8'
},
body: '{"labels":["enhancement"]}',
request: {}
},
event: {
id: '11745227339',
name: 'pull_request_target',
payload: {
action: 'edited',
changes: {
body: {
from: 'This PR contains the following updates:\n' +
'\n' +
'| Package | Change | Age | Adoption | Passing | Confidence |\n' +
'|---|---|---|---|---|---|\n' +
'| [Refit](https://redirect.github.com/reactiveui/refit) | `7.2.1` -> `8.0.0` | [![age](https://developer.mend.io/api/mc/badges/age/nuget/Refit/8.0.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/nuget/Refit/8.0.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/nuget/Refit/7.2.1/8.0.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/nuget/Refit/7.2.1/8.0.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) |\n' +
'\n' +
'### GitHub Vulnerability Alerts\n' +
'\n' +
'#### [CVE-2024-51501](https://redirect.github.com/reactiveui/refit/security/advisories/GHSA-3hxg-fxwm-8gf7)\n' +
'\n' +
'### Summary\n' +
'The various header-related Refit attributes (Header, HeaderCollection and Authorize) are vulnerable to CRLF injection.\n' +
'\n' +
'### Details\n' +
'The way HTTP headers are added to a request is via the `HttpHeaders.TryAddWithoutValidation` method: <https://github.com/reactiveui/refit/blob/258a771f44417c6e48e103ac921fe4786f3c2a1e/Refit/RequestBuilderImplementation.cs#L1328>\n' +
'This method does not check for CRLF characters in the header value.\n' +
|
update_release_draft
HttpError: Resource not accessible by integration
at /home/runner/work/_actions/release-drafter/release-drafter/v6.0.0/dist/index.js:8462:21
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async Job.doExecute (/home/runner/work/_actions/release-drafter/release-drafter/v6.0.0/dist/index.js:30793:18)
{
name: 'AggregateError',
event: {
id: '11745227339',
name: 'pull_request_target',
payload: {
action: 'edited',
changes: {
body: {
from: 'This PR contains the following updates:\n' +
'\n' +
'| Package | Change | Age | Adoption | Passing | Confidence |\n' +
'|---|---|---|---|---|---|\n' +
'| [Refit](https://redirect.github.com/reactiveui/refit) | `7.2.1` -> `8.0.0` | [![age](https://developer.mend.io/api/mc/badges/age/nuget/Refit/8.0.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/nuget/Refit/8.0.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/nuget/Refit/7.2.1/8.0.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/nuget/Refit/7.2.1/8.0.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) |\n' +
'\n' +
'### GitHub Vulnerability Alerts\n' +
'\n' +
'#### [CVE-2024-51501](https://redirect.github.com/reactiveui/refit/security/advisories/GHSA-3hxg-fxwm-8gf7)\n' +
'\n' +
'### Summary\n' +
'The various header-related Refit attributes (Header, HeaderCollection and Authorize) are vulnerable to CRLF injection.\n' +
'\n' +
'### Details\n' +
'The way HTTP headers are added to a request is via the `HttpHeaders.TryAddWithoutValidation` method: <https://github.com/reactiveui/refit/blob/258a771f44417c6e48e103ac921fe4786f3c2a1e/Refit/RequestBuilderImplementation.cs#L1328>\n' +
'This method does not check for CRLF characters in the header value.\n' +
'\n' +
'This means that any headers added to a refit request are vulnerable to CRLF-injection. In general, CRLF-injection into a HTTP header (when using HTTP/1.1) means that one can inject additional HTTP headers or smuggle whole HTTP requests.\n' +
'\n' +
'### PoC\n' +
'The below example code creates a console app that takes one command line variable (a bearer token) and then makes a request to some status page with the provided token inserted in the "Authorization" header:\n' +
'\n' +
'```c#\n' +
'using Refit;\n' +
'\n' +
'internal class Program\n' +
'{\n' +
' private static void Main(string[] args)\n' +
' {\n' +
' // Usage: dotnet run <bearer token> \n' +
' string token = args[0];\n' +
' var service = RestService.For<IStatusApi>("http://insert.some.site.here");\n' +
' string response = service.GetStatus(token).Result;\n' +
' Console.WriteLine($"Response: {response}");\n' +
' }\n' +
'\n' +
' public interface IStatusApi\n' +
' {\n' +
' [Get("/status")]\n' +
' Task<string> GetStatus([Authorize("Bearer")] string token);\n' +
' }\n' +
'}\n' +
'```\n' +
'\n' +
'This application is now vulnerable to CRLF-injection, and can thus be abused to for example perform request splitting and thus server side request forgery (SSRF):\n' +
'\n' +
'```bash\n' +
"anonymous@ubuntu-sofia-672448:~$ dotnet Refit-cli.dll $'test\\r\\nUser-Agent: injected header!\\r\\n\\r\\nGET /smuggled HTTP/1.1\\r\\nHost: insert.some.site.here'\n" +
'Response: <htm
|