Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05eDhtLTJ4cGYtY3JwM84AAtvM
Scrapy before 2.6.2 and 1.8.3 vulnerable to one proxy sending credentials to another
Impact
When the built-in HTTP proxy downloader middleware processes a request with proxy metadata, and that proxy metadata includes proxy credentials, the built-in HTTP proxy downloader middleware sets the Proxy-Authentication header, but only if that header is not already set.
There are third-party proxy-rotation downloader middlewares that set different proxy metadata every time they process a request.
Because of request retries and redirects, the same request can be processed by downloader middlewares more than once, including both the built-in HTTP proxy downloader middleware and any third-party proxy-rotation downloader middleware.
These third-party proxy-rotation downloader middlewares could change the proxy metadata of a request to a new value, but fail to remove the Proxy-Authentication header from the previous value of the proxy metadata, causing the credentials of one proxy to be leaked to a different proxy.
If you rotate proxies from different proxy providers, and any of those proxies requires credentials, you are affected, unless you are handling proxy rotation as described under Workarounds below. If you use a third-party downloader middleware for proxy rotation, the same applies to that downloader middleware, and installing a patched version of Scrapy may not be enough; patching that downloader middlware may be necessary as well.
Patches
Upgrade to Scrapy 2.6.2.
If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.6.2 is not an option, you may upgrade to Scrapy 1.8.3 instead.
Workarounds
If you cannot upgrade, make sure that any code that changes the value of the proxy request meta also removes the Proxy-Authorization header from the request if present.
For more information
If you have any questions or comments about this advisory:
Permalink: https://github.com/advisories/GHSA-9x8m-2xpf-crp3JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05eDhtLTJ4cGYtY3JwM84AAtvM
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 6 months ago
Identifiers: GHSA-9x8m-2xpf-crp3
References:
- https://github.com/scrapy/scrapy/security/advisories/GHSA-9x8m-2xpf-crp3
- https://github.com/scrapy/scrapy/commit/af7dd16d8ded3e6cb2946603688f4f4a5212e80f
- https://github.com/advisories/GHSA-9x8m-2xpf-crp3
Blast Radius: 0.0
Affected Packages
pypi:scrapy
Dependent packages: 111Dependent repositories: 2,753
Downloads: 1,374,241 last month
Affected Version Ranges: >= 2.0.0, < 2.6.2, < 1.8.3
Fixed in: 2.6.2, 1.8.3
All affected versions: 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.16.4, 0.16.5, 0.18.0, 0.18.1, 0.18.2, 0.18.3, 0.18.4, 0.20.0, 0.20.1, 0.20.2, 0.22.0, 0.22.1, 0.22.2, 0.24.0, 0.24.1, 0.24.2, 0.24.3, 0.24.4, 0.24.5, 0.24.6, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.8.0, 1.8.1, 1.8.2, 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1
All unaffected versions: 1.8.3, 1.8.4, 2.6.2, 2.6.3, 2.7.0, 2.7.1, 2.8.0, 2.9.0, 2.10.0, 2.10.1, 2.11.0, 2.11.1