From 6e4468a2cf391f808193fdd79c9d2dee7298c2a8 Mon Sep 17 00:00:00 2001
From: ranjit-git
Date: Tue, 18 Jan 2022 10:17:46 +0530
Subject: [PATCH] Bug fix: thirdparty site cookie leak bug report https://www.huntr.dev/bounties/42c79c23-6646-46c4-871d-219c0d4b4e31/
---
 index.js | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/index.js b/index.js
index 3759063..6d1e7ba 100644
--- a/index.js
+++ b/index.js
@@ -9,6 +9,9 @@ const once = require('once')
 const querystring = require('querystring')
 const url = require('url')
 
+var flag=false
+var original_host;
+
 const isStream = o => o !== null && typeof o === 'object' && typeof o.pipe === 'function'
 
 function simpleGet (opts, cb) {
@@ -34,6 +37,13 @@ function simpleGet (opts, cb) {
 opts.headers['content-type'] = 'application/x-www-form-urlencoded'
 }
 
+ //getting original host
+ if (!flag){
+ original_host=opts.hostname
+ //console.log(original_host)
+ flag=true
+ }
+
 if (body) {
 if (!opts.method) opts.method = 'POST'
 if (!isStream(body)) opts.headers['content-length'] = Buffer.byteLength(body)
@@ -51,6 +61,13 @@ function simpleGet (opts, cb) {
 delete opts.headers.host // Discard `host` header on redirect (see #32)
 res.resume() // Discard response
 
+var redirect_host=url.parse(opts.url).hostname //getting redirected hostname
+ //if redirected host is different than original host then drop cookie header to prevent cookie leak in thirdparty site redirect
+ if(redirect_host !== null && redirect_host !== original_host){
+ delete opts.headers.cookie;
+ delete opts.headers.authorization;
+ }
+
 if (opts.method === 'POST' && [301, 302].includes(res.statusCode)) {
 opts.method = 'GET' // On 301/302 redirect, change POST to GET (see #35)
 delete opts.headers['content-length']; delete opts.headers['content-type']
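Review bot: `flag` and `original_host` are module-level, so the host is recorded only for the first request the process ever makes; the `if (!flag)` guard in the second hunk skips every later call and nothing resets it. Any later request to a different host is then compared against that stale value in the third hunk's redirect check: its same-host redirects lose their headers, and a redirect that points at the first-recorded host keeps `cookie` and `authorization`. Concurrent requests share the same two variables as well. A per-call local avoids all of this, for example `const originalHost = opts.hostname // hostname before any redirect` inside `simpleGet`, with the two globals and the commented-out `console.log` dropped. Whether `opts.hostname` is already populated at that point depends on code above the second hunk that is not shown.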
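Review bot: The redirect check compares hostnames only, so a redirect to the same hostname over a different scheme or port (for example https to http) still forwards `cookie` and `authorization`. The same `url.parse(opts.url)` result already exposes `protocol` and `port`; comparing those against the original request's values alongside `hostname` would close that gap. The two `delete` statements match lowercase keys only, which is safe only if header names are normalised earlier in `simpleGet`, outside this hunk, and `proxy-authorization` is a credential header that may deserve the same treatment. On style, the added lines use `var`, semicolons and snake_case where the surrounding context uses `const`, no semicolons and camelCase.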