Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Avoid creating bad URLs when a mitm request has the wrong scheme #528

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

Avoid creating bad URLs when a mitm request has the wrong scheme #528

wants to merge 1 commit into from
+5 −1

Conversation

mctofu
Copy link

@mctofu mctofu commented Mar 7, 2024
edited
Loading

If a mitm request came in like http://host/path this was getting mangled to https://hosthttp://host/path. Instead, we should just swap the scheme to https if the scheme is already defined in the url.

@mctofu
Avoid creating bad URLs when a mitm request has the wrong scheme
92a5f16 
If a mitm request came in like http://host/path this was getting mangled
to https://hosthttp://host/path. Instead, we should just swap the scheme
to https if the scheme is already defined in the url.
@elazarl
Copy link
Owner

elazarl commented Mar 10, 2024

Can you describe the bug that this fixes?

@mctofu
Copy link
Author

mctofu commented Mar 11, 2024

We're still investigating this & working on a test but have been observing that the npm cli is not always working with the proxy in mitm mode.

When running npm install [email protected] on a fresh project we've seen these requests to the proxy:

CONNECT registry.npmjs.org:443 HTTP/1.1
GET http://registry.npmjs.org:443/npm HTTP/1.1

This proxy then detects the url does not match the https regex and transforms it to https://registry.npmjs.org:443http://registry.npmjs.org:443/npm. This eventually fails dns resolution later on and closes the connection without returning an error.

Other requests from the npm cli use https instead of http so this doesn't seem to be consistent and we haven't looked to see what the cause is yet.

I'm not sure what the right behavior is in this case. I've observed that mitmproxy v8.1.1 seems to be allowing this by converting the url to https.

@elazarl
Copy link
Owner

elazarl commented Mar 11, 2024

but it shouldn't use GET http://... should it? If it really uses goproxy as a standard HTTP proxy

@mctofu
Copy link
Author

mctofu commented Mar 12, 2024

but it shouldn't use GET http://... should it? If it really uses goproxy as a standard HTTP proxy

It does seem strange but I'm not positive it's not allowed. I found this request does work successfully when I configure npm to use a squid proxy without mitm handling so registry.npmjs.org is not rejecting the request.

@jeffwidman
Copy link

@mctofu any suggestions on next steps here?

@mctofu
Copy link
Author

mctofu commented Apr 12, 2024

@jeffwidman I think we need to add a test case for this before undrafting.

We could also followup with the npm team on this behavior. I have a vague memory of running into this before.

@juanibiapina juanibiapina mentioned this pull request Sep 20, 2024
Closed
1 task
@ErikPelli
Copy link
Collaborator

This issue states that in npm 10.8.3 the problem has been resolved: dependabot/dependabot-core#10623

Can you confirm that now it works and, if so, close this pull request? If it was an NPM problem, we don't need to change anything

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mctofu @elazarl @jeffwidman @ErikPelli