From 11e5adc9da430025b9a28527467b5fa5b4abb578 Mon Sep 17 00:00:00 2001
From: Daniel Garcia Moreno
Date: Wed, 4 Jun 2025 12:19:31 +0200
Subject: [PATCH] test: Add new test to check netrc auth leak

This patch adds a new test that reproduces the security issue reported here: https://seclists.org/oss-sec/2025/q2/204

Doing a request to a malicious url with a prefix like "domain.com:@" will use the "domain.com" netrc credentials in the request to other domain.
---
 tests/test_requests.py | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/tests/test_requests.py b/tests/test_requests.py
index c1634eb725..75d2deff2e 100644
--- a/tests/test_requests.py
+++ b/tests/test_requests.py
@@ -7,6 +7,7 @@
 import os
 import pickle
 import re
+import tempfile
 import threading
 import warnings
 from unittest import mock
@@ -704,6 +705,36 @@ def get_netrc_auth_mock(url):
         finally:
             requests.sessions.get_netrc_auth = old_auth
 
+    def test_basicauth_with_netrc_leak(self, httpbin):
+        url1 = httpbin("basic-auth", "user", "pass")
+        url = url1[len("http://") :]
+        domain = url.split(":")[0]
+        url = f"http://example.com:@{url}"
+
+        netrc_file = ""
+        with tempfile.NamedTemporaryFile(mode="w", delete=False) as fp:
+            fp.write("machine example.com\n")
+            fp.write("login wronguser\n")
+            fp.write("password wrongpass\n")
+            fp.write(f"machine {domain}\n")
+            fp.write("login user\n")
+            fp.write("password pass\n")
+            fp.close()
+            netrc_file = fp.name
+
+        old_netrc = os.environ.get("NETRC", "")
+        os.environ["NETRC"] = netrc_file
+
+        try:
+            # Should use netrc
+            # Make sure that we don't use the example.com credentails
+            # for the request
+            r = requests.get(url)
+            assert r.status_code == 200
+        finally:
+            os.environ["NETRC"] = old_netrc
+            os.unlink(netrc_file)
+
     def test_DIGEST_HTTP_200_OK_GET(self, httpbin):
         for authtype in self.digest_auth_algo:
             auth = HTTPDigestAuth("user", "pass")
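Review bot: The `finally` block restores `os.environ["NETRC"] = old_netrc` with `old_netrc` defaulting to `""`, so when NETRC was unset before the test it stays defined as an empty string afterwards, which can alter netrc resolution for later tests in the same process; pytest's `monkeypatch` fixture, e.g. `monkeypatch.setenv("NETRC", netrc_file)`, restores the original state (set or unset) automatically and removes the manual try/finally. The temporary netrc could likewise come from the `tmp_path` fixture (`netrc_file = tmp_path / "netrc"`), which makes `delete=False`, the redundant `fp.close()` inside the `with`, and the trailing `os.unlink` unnecessary. The comment above `requests.get(url)` has a typo (`credentails` → `credentials`) and would state the invariant more precisely as `# netrc lookup must key on the real host, not the "example.com:@" userinfo prefix`. The enclosing test class starts outside the hunk.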