Fix-cache-control #189
base: main
Add cache-control header to the OAuthSecurityScheme GetHeaders() function based on the presence of a valid value. If a valid value is present, set the cache-control header to "private, max-age=0". Otherwise, set it to "public, max-age=3600".
Thanks for contributing @Similadayo. I'm not sure which type check error this PR is addressing. Could you maybe share an example of the error you encountered during the scan? Regarding the changes in your PR, I see you've added Cache-Control request headers. It's true that APIs should not allow
Thanks for getting back to me @emmanuelgautier My PR tackles the same issue about
The goal of the scan is not necessarily to ensure that requests made during the scan aren't cached, but rather to check if there are any shared cache directives (like public Cache-Control) in the response, which could expose sensitive data. I think you should add a new scan for this specific case. You can refer to one of the existing scans in this repository: https://github.com/cerberauth/vulnapi/tree/main/scan. I'd be happy to assist. One approach for the scan would involve making a request with an authentication method in place and then inspecting the response headers. If the response is successful (e.g., 2xx status code), and it includes public cache control directives, the test would fail as this could expose protected data. Do not hesitate to suggest another approach if you think there's a better way to perform this scan.
Thanks for the clarification. I will go through the scan directory to understand better and won't hesitate to reach out in case I need understanding.
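The check described in the comment above, written out as an added Go example (not code from vulnapi or from either participant): send one authenticated request, then fail the check when a 2xx response carries a directive that lets a shared cache store it. The helper names (`checkResponse`, `scanEndpoint`, `sharedCacheDirectives`), the bearer token and the two test endpoints are all constructed for the example and are not part of the project's scan interface.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// CacheFinding records whether a response was flagged and which
// shared-cache directives triggered the finding.
type CacheFinding struct {
	Vulnerable bool
	Directives []string
}

// sharedCacheDirectives returns the Cache-Control directives that allow a
// shared cache (CDN, reverse proxy) to store the response: "public" and
// "s-maxage". Matching is case-insensitive and whitespace-tolerant.
func sharedCacheDirectives(cacheControl string) []string {
	var found []string
	for _, raw := range strings.Split(cacheControl, ",") {
		d := strings.ToLower(strings.TrimSpace(raw))
		if d == "public" || strings.HasPrefix(d, "s-maxage=") {
			found = append(found, d)
		}
	}
	return found
}

// checkResponse applies the rule from the discussion: a successful (2xx)
// response to an authenticated request must not carry shared-cache
// directives. Non-2xx responses are ignored since they return no protected
// data. Flagging is deliberately conservative: "public" is reported even
// when "private" or "no-store" also appear, because the combination is
// contradictory and worth a human look.
func checkResponse(status int, header http.Header) CacheFinding {
	if status < 200 || status > 299 {
		return CacheFinding{}
	}
	// Cache-Control may arrive as several header lines; evaluate them together.
	cc := strings.Join(header.Values("Cache-Control"), ",")
	dirs := sharedCacheDirectives(cc)
	return CacheFinding{Vulnerable: len(dirs) > 0, Directives: dirs}
}

// scanEndpoint performs the single authenticated GET and evaluates the reply.
// The bearer token is whatever valid credential the scan was configured with.
func scanEndpoint(client *http.Client, url, token string) (CacheFinding, error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return CacheFinding{}, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := client.Do(req)
	if err != nil {
		return CacheFinding{}, err
	}
	defer resp.Body.Close()
	return checkResponse(resp.StatusCode, resp.Header), nil
}

func main() {
	// Constructed in-process server: one endpoint leaks via "public",
	// the other carries the expected "private" form.
	mux := http.NewServeMux()
	mux.HandleFunc("/leaky", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Cache-Control", "public, max-age=3600")
		fmt.Fprint(w, `{"secret":"constructed"}`)
	})
	mux.HandleFunc("/safe", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Cache-Control", "private, no-store")
		fmt.Fprint(w, `{"secret":"constructed"}`)
	})
	srv := httptest.NewServer(mux)
	defer srv.Close()

	for _, path := range []string{"/leaky", "/safe"} {
		f, err := scanEndpoint(srv.Client(), srv.URL+path, "constructed-token")
		if err != nil {
			fmt.Println("request failed:", err)
			continue
		}
		fmt.Printf("%s vulnerable=%v directives=%v\n", path, f.Vulnerable, f.Directives)
	}
}
```

Running the block prints `/leaky vulnerable=true directives=[public]` and `/safe vulnerable=false directives=[]`. A response with no Cache-Control header at all passes under this rule, matching the comment's framing (the scan looks for an explicit shared-cache directive, not for the absence of a private one).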
This pull request fixes a problem with the GetHeaders method in the OAuth and JWT Bearer security schemes. It wasn't handling cases where attack and valid values were nil, which could cause errors. I changed the code to fix this, making sure headers are generated more reliably for requests.
Changes:
Fixed errors with type checks in GetHeaders.
Improved how attack and valid values are handled in headers.
I look forward to your feedback on these updates!