Origin Validation Error Affecting scrapy package, versions [,1.8.4) [2.0.0,2.11.1)
- Snyk ID SNYK-PYTHON-SCRAPY-6249482
- published 16 Feb 2024
- disclosed 15 Feb 2024
- credit ranjit-git
How to fix?
Upgrade Scrapy to version 1.8.4, 2.11.1 or higher.
Overview
Scrapy is a high-level web crawling and web scraping framework, used to crawl websites and extract structured data from their pages.
Affected versions of this package are vulnerable to Origin Validation Error due to the improper handling of the Authorization header during cross-domain redirects. An attacker can leak sensitive information by inducing the server to redirect a request with the Authorization header to a different domain.
Workarounds
1) Make sure that the Authorization header is not used, either directly or through a third-party plugin.
2) If that header is needed in some requests, add dont_redirect: True to the request.meta dictionary of those requests to disable following redirects for them.
3) If same-domain redirect support is needed on those requests, make sure you trust the target website not to redirect your requests to a different domain.
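Added example, not part of the advisory and not Scrapy's own code: a plain-Python origin check that drops the Authorization header whenever a redirect target is not on the original scheme, host and port, which is the condition this issue is about. The URLs, header values and token are constructed placeholders.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: a crawler authenticated to api.example.com is redirected
# elsewhere. Host names and the token are placeholders, not real values.
ORIGINAL_URL = "https://api.example.com/export"
ORIGINAL_HEADERS = {
    "Authorization": "Bearer PLACEHOLDER_TOKEN",
    "User-Agent": "example-crawler/1.0",
}

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url: str):
    """Return (scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    port = parts.port or _DEFAULT_PORTS.get(parts.scheme)
    return parts.scheme.lower(), (parts.hostname or "").lower(), port


def same_origin(url_a: str, url_b: str) -> bool:
    """Scheme, host and port must all match; a matching domain suffix is not enough."""
    return _origin(url_a) == _origin(url_b)


def headers_for_redirect(original_url: str, headers: dict, location: str) -> dict:
    """Headers to send when following `location` from `original_url`.

    `location` may be relative, as in a real Location header, so it is
    resolved against the original URL first. Authorization is forwarded
    only when the target is the same origin; all other headers are kept.
    """
    target = urljoin(original_url, location)
    forwarded = dict(headers)
    if not same_origin(original_url, target):
        forwarded.pop("Authorization", None)
    return forwarded


if __name__ == "__main__":
    # Cross-origin redirect: the credential must not travel with the request.
    followed = headers_for_redirect(ORIGINAL_URL, ORIGINAL_HEADERS,
                                    "https://collector.example.net/")
    print("Authorization" in followed)  # False
```

Note that a scheme downgrade (https to http on the same host) and a sub-domain both count as a different origin here, so the header is dropped in those cases as well.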