chore(deps): update dependency refit to v7 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
refit	6.0.38 → 7.2.22

GitHub Vulnerability Alerts

CVE-2024-51501

Summary

The various header-related Refit attributes (Header, HeaderCollection and Authorize) are vulnerable to CRLF injection.

Details

The way HTTP headers are added to a request is via the HttpHeaders.TryAddWithoutValidation method: https://github.com/reactiveui/refit/blob/258a771f44417c6e48e103ac921fe4786f3c2a1e/Refit/RequestBuilderImplementation.cs#L1328
This method does not check for CRLF characters in the header value.

This means that any headers added to a refit request are vulnerable to CRLF-injection. In general, CRLF-injection into a HTTP header (when using HTTP/1.1) means that one can inject additional HTTP headers or smuggle whole HTTP requests.

PoC

The below example code creates a console app that takes one command line variable (a bearer token) and then makes a request to some status page with the provided token inserted in the "Authorization" header:

using Refit;

internal class Program
{
    private static void Main(string[] args)
    {
        // Usage: dotnet run <bearer token> 
        string token = args[0];
        var service = RestService.For<IStatusApi>("http://insert.some.site.here");
        string response = service.GetStatus(token).Result;
        Console.WriteLine($"Response: {response}");
    }

    public interface IStatusApi
    {
        [Get("/status")]
        Task<string> GetStatus([Authorize("Bearer")] string token);
    }
}

This application is now vulnerable to CRLF-injection, and can thus be abused to for example perform request splitting and thus server side request forgery (SSRF):

anonymous@ubuntu-sofia-672448:~$ dotnet Refit-cli.dll $'test\r\nUser-Agent: injected header!\r\n\r\nGET /smuggled HTTP/1.1\r\nHost: insert.some.site.here'
Response: <html></html>

The application intends to send a single request of the form:

GET /status HTTP/1.1
Host: insert.some.site.here
Authorization: Bearer <bearer token>

But as the application is vulnerable to CRLF injection the above command will instead result in the following two requests being sent:

GET /status HTTP/1.1
Host: insert.some.site.here
Authorization: Bearer test
User-Agent: injected header!

and

GET /smuggled HTTP/1.1
Host: insert.some.site.here

This can be confirmed by checking the access logs on the server where these commands were run (with insert.some.site.here pointing to localhost):

anonymous@ubuntu-sofia-672448:~$ sudo tail /var/log/apache2/access.log
127.0.0.1 - - [29/Aug/2024:12:17:34 +0000] "GET /status HTTP/1.1" 200 240 "-" "injected header!"
127.0.0.1 - - [29/Aug/2024:12:17:34 +0000] "GET /smuggled HTTP/1.1" 404 436 "-" "-"

Impact

If an application using the Refit library passes a user-controllable value through to a header, then that application becomes vulnerable to CRLF-injection. This is not necessarily a security issue for a command line application like the one above, but if such code were present in a web application then it becomes vulnerable to request splitting (as shown in the PoC) and thus Server Side Request Forgery.

Strictly speaking this is a potential vulnerability in applications using Refit, not in Refit itself, but I would argue that at the very least there needs to be a warning about this behaviour in the Refit documentation.

---

Release Notes

reactiveui/refit (refit)

v7.2.22

Compare Source

Fixes:

• Fix to 7.2.22 16a5754 @​glennawatson
• Fix version 4185be3 @​glennawatson
• Fix for CRLF injection vulnerability (#​1834) 155153e @​ChrisPulman
• chore: update nuget package versions 155153e @​glennawatson

v7.2.1

Compare Source

What's Changed

• chore(deps): update dependency microsoft.codeanalysis.csharp.workspaces to 4.12.0-3.24456.2 by @​renovate in #​1810
• chore: rename tests add derived interface test by @​TimothyMakkison in #​1816
• Remove Dependency System.Net.Http.Json from Net 6+ by @​ChrisPulman in #​1818
• feat: revert 29e0e1c by @​TimothyMakkison in #​1819
• Housekeeping Update Version by @​ChrisPulman in #​1821

Full Changelog: reactiveui/refit@7.2.0...7.2.1

v7.2.0

Compare Source

What's Changed

• feat: fix form url encoded strings #​1593 by @​TimothyMakkison in #​1752
• chore(deps): update dependency refit to v7.1.1 by @​renovate in #​1754
• feat: extract logic and small cleanups by @​TimothyMakkison in #​1755
• chore(deps): update dependency system.text.json to v8.0.4 [security] by @​renovate in #​1757
• chore(deps): update xunit-dotnet monorepo by @​renovate in #​1760
• chore(deps): update dependency refit to v7.1.2 by @​renovate in #​1758
• feat: added generator tests by @​TimothyMakkison in #​1765
• chore(deps): update dependency coverlet.collector to v6.0.2 by @​renovate in #​1766
• chore(deps): update xunit-dotnet monorepo by @​renovate in #​1771
• chore(deps): update dependency verify.xunit to v22.11.5 by @​renovate in #​1770
• chore(deps): update dependency microsoft.codeanalysis.csharp.sourcegenerators.testing to v1.1.2 by @​renovate in #​1767
• chore(deps): update dependency verify.diffplex to v3 by @​renovate in #​1772
• chore(deps): update dependency microsoft.net.test.sdk to v17.10.0 by @​renovate in #​1769
• chore(deps): update dependency serilog to v4.0.1 by @​renovate in #​1778
• chore(deps): update dependency verify.sourcegenerators to v2.3.0 by @​renovate in #​1780
• Add MemberNotNullWhen annotation for Content / HasContent pair by @​hansmbakker in #​1779
• chore(deps): update dependency benchmarkdotnet to v0.14.0 by @​renovate in #​1784
• Extend url parameters default formatting by @​MikeAmputer in #​1781
• chore(deps): update dependency nerdbank.gitversioning to v3.6.141 by @​renovate in #​1785
• chore(deps): update dependency microsoft.net.test.sdk to 17.11.0 by @​renovate in #​1797
• Update README.md JSON Source Generator by @​Digifais in #​1793
• feat: added source generator benchmarks by @​TimothyMakkison in #​1798
• feat: added interface snapshot InterfaceTests by @​TimothyMakkison in #​1802
• chore: ignore repeat files and add test by @​TimothyMakkison in #​1804
• chore(deps): update dependency nerdbank.gitversioning to 3.6.143 by @​renovate in #​1805
• chore(deps): update dotnet monorepo by @​renovate in #​1788
• chore(deps): update dependency verify.sourcegenerators to 2.4.0 by @​renovate in #​1806
• chore(deps): update dependency verify.xunit to 26.3.0 by @​renovate in #​1808
• chore(deps): update dependency verify.xunit to 26.3.1 by @​renovate in #​1811
• chore(deps): update dependency verify.xunit to 26.4.0 by @​renovate in #​1813
• Add Version and HttpVersionPolicy support for HttpRequestMessage by @​infofromca in #​1800
• chore(deps): update dependency microsoft.net.test.sdk to 17.11.1 by @​renovate in #​1814

New Contributors

• @​hansmbakker made their first contribution in #​1779
• @​MikeAmputer made their first contribution in #​1781
• @​Digifais made their first contribution in #​1793
• @​infofromca made their first contribution in #​1800

Full Changelog: reactiveui/refit@7.1.2...7.2.0

v7.1.2

Compare Source

Features:

• b320e4e feat: optimize CachedRequestBuilder (#​1716) @​TimothyMakkison
• 03d7bbc feat: use TryGetSingle instead of collection enumerable to lists. (#​1738) @​TimothyMakkison
• 151b1d9 feat: fix existing query values bug (#​1737) @​TimothyMakkison
• 12640cb feat: refactors, cache attributes, use helper methods (#​1739) @​TimothyMakkison
• f5b1690 feat: remove propertiesToAdd (#​1741) @​TimothyMakkison
• ea1cc52 feat: optimize RestMethodInfo, reduce dictionary allocations and linq iterations (#​1742) @​TimothyMakkison
• 1c731b8 feat: defer header dictionary creation (#​1745) @​TimothyMakkison

Fixes:

• 9605c24 Fix for Common Parameter Name used in Generated code (#​1735) @​ChrisPulman

Housekeeping:

• a61030a Housekeeping: Add API tests (#​1749) @​ChrisPulman
• 5f82841 Housekeeping Update version for release (#​1751) @​ChrisPulman

Other:

• 107d716 chore(deps): update dependency microsoft.codeanalysis.csharp.sourcegenerators.testing to v1.1.2-beta1.24314.1 (#​1736) @​renovate[bot]
• 44314ba chore: extract methods (#​1740) @​TimothyMakkison
• 56375c4 Revert #​1705 (#​1750) @​ChrisPulman
• 4e8c347 chore(deps): update dependency microsoft.codeanalysis.csharp.sourcegenerators.testing to v1.1.2 (#​1747) @​renovate[bot]

v7.1.1

Compare Source

Features:

• 8a40692 feat: add startup and performance benchmarks (#​1731) @​TimothyMakkison
• 2bf78ca feat: use ValueStringBuilder adding the query parameters (#​1719) @​TimothyMakkison

Other:

• 9435295 Revert sealed Attributes (#​1734) @​ChrisPulman

v7.1.0

Compare Source

Dependencies:

• ee31199 Bump BenchmarkDotNet from 0.13.5 to 0.13.6 (#​1539) @​dependabot[bot]
• 1d4191a Bump xunit from 2.4.2 to 2.5.0 (#​1534) @​dependabot[bot]
• 507f758 Bump xunit.runner.visualstudio from 2.4.5 to 2.5.0 (#​1533) @​dependabot[bot]
• 5d08210 Bump Microsoft.NET.Test.Sdk from 17.6.2 to 17.7.0 (#​1550) @​dependabot[bot]
• 3b4ac94 Bump BenchmarkDotNet from 0.13.6 to 0.13.7 (#​1551) @​dependabot[bot]
• bbe1b06 Bump Microsoft.VisualStudio.Threading.Analyzers from 17.6.40 to 17.7.30 (#​1554) @​dependabot[bot]
• 5a6698c Bump Microsoft.NET.Test.Sdk from 17.7.0 to 17.7.2 (#​1560) @​dependabot[bot]
• b2f1b31 Bump BenchmarkDotNet from 0.13.7 to 0.13.8 (#​1563) @​dependabot[bot]
• df6b7a9 build(deps): bump xunit.runner.visualstudio from 2.5.0 to 2.5.1 (#​1567) @​dependabot[bot]
• dc07cfb build(deps): bump Microsoft.CodeAnalysis.CSharp.SourceGenerators.Testing.XUnit (#​1572) @​dependabot[bot]
• 00a2638 build(deps): bump xunit.runner.visualstudio from 2.5.1 to 2.5.3 (#​1579) @​dependabot[bot]
• 6d6aa27 build(deps): bump BenchmarkDotNet from 0.13.8 to 0.13.10 (#​1589) @​dependabot[bot]
• cb65f42 build(deps): Bump Microsoft.NET.Test.Sdk from 17.7.2 to 17.8.0 (#​1595) @​dependabot[bot]
• af399f0 build(deps): bump Microsoft.CodeAnalysis.CSharp.SourceGenerators.Testing.XUnit (#​1580) @​dependabot[bot]
• 992c9b4 build(deps): bump xunit from 2.5.0 to 2.6.2 (#​1614) @​dependabot[bot]
• fba26ee build(deps): bump Microsoft.SourceLink.GitHub from 1.1.1 to 8.0.0 (#​1611) @​dependabot[bot]
• a79471d build(deps): bump System.Text.Json from 7.0.3 to 8.0.0 (#​1613) @​dependabot[bot]
• caee891 build(deps): bump xunit.runner.visualstudio from 2.5.3 to 2.5.4 (#​1609) @​dependabot[bot]
• cd37b46 build(deps): bump dessant/lock-threads from 4 to 5 (#​1608) @​dependabot[bot]
• 676a663 build(deps): bump System.Net.Http.Json from 7.0.1 to 8.0.0 (#​1612) @​dependabot[bot]
• d51fdee build(deps): bump Microsoft.Extensions.Http from 7.0.0 to 8.0.0 (#​1615) @​dependabot[bot]
• c8aba6f build(deps): bump Microsoft.VisualStudio.Threading.Analyzers (#​1610) @​dependabot[bot]
• bca7448 Bump Microsoft.CodeAnalysis.CSharp.Workspaces from 4.6.0 to 4.7.0 (#​1559) @​dependabot[bot]
• ca2ee9a build(deps): bump AutoFixture from 4.18.0 to 4.18.1 (#​1629) @​dependabot[bot]
• 8e516e8 build(deps): bump xunit from 2.6.2 to 2.6.3 (#​1632) @​dependabot[bot]
• 1dc6a62 build(deps): bump xunit.runner.visualstudio from 2.5.4 to 2.5.5 (#​1631) @​dependabot[bot]
• 45ff0cc build(deps): bump xunit from 2.6.3 to 2.6.4 (#​1635) @​dependabot[bot]
• e5bc249 build(deps): bump xunit.runner.visualstudio from 2.5.5 to 2.5.6 (#​1634) @​dependabot[bot]
• 867efbd build(deps): bump xunit from 2.6.4 to 2.6.5 (#​1637) @​dependabot[bot]
• 6ebeda5 build(deps): bump xunit from 2.6.5 to 2.6.6 (#​1643) @​dependabot[bot]
• 5c12ad5 build(deps): bump Microsoft.NET.Test.Sdk from 17.8.0 to 17.9.0 (#​1653) @​dependabot[bot]
• c9395ac build(deps): bump Microsoft.VisualStudio.Threading.Analyzers (#​1652) @​dependabot[bot]

Features:

• 66edaaa feat: generate code that uses Array.Empty where possible (#​1599) @​TimothyMakkison
• 4055e7a feat: use private static fields to store constant typeParameters where possible (#​1606) @​TimothyMakkison
• b7c22ca feat: add leading underscores to typeParameter name (#​1641) @​TimothyMakkison
• d5caa02 feature: Remove UTF8 bom marking @​glennawatson
• d09db72 Feature Add DotNet 8 support (#​1701) @​ChrisPulman
• 1b45219 feat: custom query key formatters (#​1570) @​tcortega
• 51ef445 feat: refactor, invert ifs, use optimal methods (#​1713) @​TimothyMakkison
• dcb9da2 feat: run csharpier (#​1715) @​TimothyMakkison

Fixes:

• b59977f fix: Document InnerHandler null requirement for DI (#​1569) @​bbrandt
• e726d19 fix: Refactor code formatting for better readability (#​1564) @​msadeqsirjani

Housekeeping:

• 2dff048 housekeeping: run csharpier (#​1617) @​TimothyMakkison
• 3cbe67a housekeeping: invert ifs, use TryGetValue, remove unneeded ToArray (#​1619) @​TimothyMakkison
• aa78fc0 Housekeeping Update tests to remove need for comments (#​1697) @​ChrisPulman
• b75734a housekeeping: Update Version For Release (#​1712) @​ChrisPulman

Other:

• 6a16c08 Rethrow for Better Stack Trace (#​1532) @​dahlbyk
• bb88e19 bump @​anaisbetts
• cb9a5b7 chore: remove unused using statements (#​1618) @​TimothyMakkison
• 52151a2 chore: remove generated whitespace (#​1624) @​TimothyMakkison
• 83cf3f8 chore: minor refactor (#​1625) @​TimothyMakkison
• 663df6b Delete .github/dependabot.yml @​glennawatson
• 2a41254 Create renovate.json @​glennawatson
• 5071674 chore(deps): update dependency benchmarkdotnet to v0.13.12 (#​1657) @​renovate[bot]
• 56e65b4 chore(deps): update dependency system.text.json to v8.0.1 (#​1659) @​renovate[bot]
• 3ba4fd4 chore(deps): update dependency serilog to v2.12.0 (#​1663) @​renovate[bot]
• 63f0e30 chore(deps): update dependency refit to v6.3.2 (#​1662) @​renovate[bot]
• e0d3913 chore(deps): update dependency refit to v7 (#​1665) @​renovate[bot]
• 9f98c0b chore(deps): update dependency serilog to v3 (#​1668) @​renovate[bot]
• d6d164c chore(deps): update dependency serilog.sinks.console to v5 (#​1669) @​renovate[bot]
• f6c9e93 chore(deps): update dependency system.text.json to v8.0.2 (#​1673) @​renovate[bot]
• ee61cb0 chore(deps): update dependency coverlet.msbuild to v6.0.1 (#​1676) @​renovate[bot]
• 002280e chore(deps): update xunit-dotnet monorepo (#​1674) @​renovate[bot]
• 024a451 chore(deps): update dependency system.text.json to v8.0.3 (#​1677) @​renovate[bot]
• d651c61 chore(deps): update dependency coverlet.msbuild to v6.0.2 (#​1678) @​renovate[bot]
• f2fdf45 chore(deps): update xunit-dotnet monorepo to v2.8.0 (#​1683) @​renovate[bot]
• 76ed19c #​1684 Tweak Dependencies (#​1693) @​thompson-tomo
• 8ed4b56 chore(deps): update dependency microsoft.visualstudio.threading.analyzers to v17.10.48 (#​1700) @​renovate[bot]
• c0499cf Issue 1671: Add MemberNotNullWhen attribute for Content property in IApiResponse (#​1672) @​sguryev
• 56b82ac Update Net 8 Support to use Netx.x instead of Nestandard2.1 (#​1703) @​ChrisPulman
• 650f2ef chore(deps): update dependency microsoft.codeanalysis.csharp.sourcegenerators.testing to v1.1.2-beta1.24273.1 (#​1708) @​renovate[bot]
• 088b020 chore(deps): update dependency system.reactive to v6.0.1 (#​1706) @​renovate[bot]
• b40dfaf chore(deps): update dependency microsoft.net.test.sdk to v17.10.0 (#​1707) @​renovate[bot]
• d85edef Load content to buffer before attempting deserialization (#​1705) @​LichP
• 1a20c27 chore(deps): update xunit-dotnet monorepo to v2.8.1 (#​1709) @​renovate[bot]
• 49cc592 Update ApiResponse to correct previous adjustment (#​1711) @​ChrisPulman
• b944483 .NET7.0+ AOT supported (#​1710) @​xljiulang
• 9c2caf3 Ensure two interfaces with the same name do not cause compile errors (#​1542) @​dtewinkel
• 678c140 chore(deps): update dependency serilog to v4 (#​1714) @​renovate[bot]
• 8b0ba96 chore(deps): update dependency nerdbank.gitversioning to v3.6.139 (#​1718) @​renovate[bot]
• 77ca7c8 chore(deps): update dependency serilog.sinks.console to v6 (#​1723) @​renovate[bot]

v7.0.0

Compare Source

Dependencies:

• 0a03d4a Bump Nerdbank.GitVersioning from 3.5.119 to 3.6.132 (#​1507) @​dependabot[bot]
• 65f395a Bump Microsoft.CodeAnalysis.CSharp.SourceGenerators.Testing.XUnit (#​1506) @​dependabot[bot]
• a16b0fd Bump Microsoft.NET.Test.Sdk from 17.5.0 to 17.6.0 (#​1508) @​dependabot[bot]
• ec73fed Bump Microsoft.VisualStudio.Threading.Analyzers from 17.5.22 to 17.6.40 (#​1511) @​dependabot[bot]
• cd1b108 Bump Microsoft.CodeAnalysis.CSharp.Workspaces from 4.0.1 to 4.6.0 (#​1510) @​dependabot[bot]
• 34b8133 Bump coverlet.msbuild from 3.2.0 to 6.0.0 (#​1512) @​dependabot[bot]
• 0e118d0 Bump System.Reactive from 5.0.0 to 6.0.0 (#​1509) @​dependabot[bot]
• 57919c4 Bump Nerdbank.GitVersioning from 3.6.132 to 3.6.133 (#​1516) @​dependabot[bot]
• dd1eebf Bump Microsoft.NET.Test.Sdk from 17.6.0 to 17.6.2 (#​1520) @​dependabot[bot]
• a50c8ae Bump System.Text.Json from 7.0.2 to 7.0.3 (#​1523) @​dependabot[bot]

Other:

• 4744780 Ship 7.0.0 @​anaisbetts

v6.5.1

Compare Source

Features:

• c0af5c2 feature: Make the RestMethodInfo available in the request options (#​1317) @​0xced

Fixes:

• ed61774 Fix Added MemberNotNullWhen in IApiResponse (#​1483) @​AlbertoMonteiro
• c8888e1 Fix condition of method return type in RequestBuilder to only allow Task<> and IObservable<> (#​1364) @​barchkile

Housekeeping:

• 857becc housekeeping: Update readme to show GitHub actions status @​glennawatson

Other:

• fec2cf3 Update version.json @​glennawatson

v6.4.1

Dependencies:

• 63b9654 Bump Newtonsoft.Json from 13.0.1 to 13.0.3 (#​1480) @​dependabot[bot]

Features:

• b78bbc7 feature: Add named httpclient support (#​1418) @​redbaty
• c97fcb6 feature: Add RestMethodInfo in HttpRequestMessage (Options or Properties) (#​1352) @​Int32Overflow
• 77f084f feature: Add an authorization header value getter property that supports cancellation (#​1413) @​0xced
• b06ef7c Feature: allow developers to inject the MethodInfo as a Property (#​1367) @​james-s-tayler

Fixes:

• 153f520 Fix typo in README.md (#​1428) @​owns
• aef6cbb Fixed a bug in the readme (#​1366) @​james-s-tayler
• 3c87611 Fix cache in RestService for generated type (#​1348) @​Int32Overflow
• 25c4840 fix: Update readme with details on supply a custom HttpClient instance (#​1362) @​chowarth

Housekeeping:

• 1fd2b3f housekeeping: Convert to using GitHub actions @​glennawatson
• 977246a housekeeping: Remove the need to install maui workflows @​glennawatson
• eb61d39 housekeeping: remove duplicated tags @​glennawatson
• da483b9 housekeeping: update directory.build.props file @​glennawatson
• e571bc6 housekeeping: Remove invalid tag from release @​glennawatson
• 500f4a2 housekeeping: Remove invalid tag from release @​glennawatson
• e83f7e2 housekeeping: Remove old targets from tests @​glennawatson
• 098c4e3 housekeeping: Update Targets, Fix build, Update relevant packages (#​1488) @​ChrisPulman

Other:

• 5fe5ce5 Update dependabot.yml @​glennawatson
• 00dde43 Sample using local api (#​785) @​NakWarsi
• 469bfce add tests setting Authorization headers via HeaderCollection (#​1385) @​james-s-tayler
• b608846 Add benchmark dotnet and comprehensive set of end to end benchmarks (#​1175) @​james-s-tayler
• 5589ab9 Use Error property when throwing exception (#​1448) @​marcominerva
• b5ce1db Use the root directory for builds @​glennawatson
• c1516a8 Add HttpRequestMessageOptions to RefitSettings and add this dictionary to HttpRequestMessage.(Options/Properties) (#​1353) @​Int32Overflow

v6.3.2

Changes:

Enhancements:

• #​1310: Split XmlContentSerializer into separate package

Dependencies:

• #​1306: Bump coverlet.collector from 3.1.0 to 3.1.2

Others:

• #​1307: Fix missing syntax highlighting
• #​1303: Add MemberNotNullWhen attribute to IsSuccessStatusCode

This list of changes was auto generated.

v6.2.16

Changes:

Bugs:

• #​1290: Refit interface methods that return Task assign ApiException to the IApiResponse.Error property on error

Dependencies:

• #​1285: Bump Nerdbank.GitVersioning from 3.4.231 to 3.4.255
• #​1271: Bump Microsoft.VisualStudio.Threading.Analyzers from 16.10.56 to 17.0.64
• #​1260: Bump Microsoft.NET.Test.Sdk from 16.10.0 to 17.0.0
• #​1276: Bump Microsoft.SourceLink.GitHub from 1.0.0 to 1.1.1

Others:

• #​1298: remove readme from package
• #​1297: Update dependencies

See More

• [#​1296](https://redirect.github.com/reactiveui/refit/

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.