chore(deps): update dependency restsharp to v112 [security]

[marvin-serp-bot]

This PR contains the following updates:

Package	Type	Update	Change
RestSharp (source)	nuget	major	110.2.0 -> 112.0.0

GitHub Vulnerability Alerts

CVE-2024-45302

Summary

The second argument to RestRequest.AddHeader (the header value) is vulnerable to CRLF injection. The same applies to RestRequest.AddOrUpdateHeader and RestClient.AddDefaultHeader.

Details

The way HTTP headers are added to a request is via the HttpHeaders.TryAddWithoutValidation method: https://github.com/restsharp/RestSharp/blob/777bf194ec2d14271e7807cc704e73ec18fcaf7e/src/RestSharp/Request/HttpRequestMessageExtensions.cs#L32 This method does not check for CRLF characters in the header value.

This means that any headers from a RestSharp.RequestHeaders object are added to the request in such a way that they are vulnerable to CRLF-injection. In general, CRLF-injection into a HTTP header (when using HTTP/1.1) means that one can inject additional HTTP headers or smuggle whole HTTP requests.

PoC

The below example code creates a console app that takes one command line variable "api key" and then makes a request to some status page with the provided key inserted in the "Authorization" header:

using RestSharp;

class Program
{
    static async Task Main(string[] args)
    {
        // Usage: dotnet run <api key>
        var key = args[0];
        var options = new RestClientOptions("http://insert.some.site.here");
        var client = new RestClient(options);
        var request = new RestRequest("/status", Method.Get).AddHeader("Authorization", key);
        var response = await client.ExecuteAsync(request);
        Console.WriteLine($"Status: {response.StatusCode}");
        Console.WriteLine($"Response: {response.Content}");
    }
}

This application is now vulnerable to CRLF-injection, and can thus be abused to for example perform request splitting and thus server side request forgery (SSRF):

anonymous@ubuntu-sofia-672448:~$ dotnet RestSharp-cli.dll $'test\r\nUser-Agent: injected header!\r\n\r\nGET /smuggled HTTP/1.1\r\nHost: insert.some.site.here'
Status: OK
Response: <html></html>

The application intends to send a single request of the form:

GET /status HTTP/1.1
Host: insert.some.site.here
Authorization: <api key>
User-Agent: RestSharp/111.4.1.0
Accept: application/json, text/json, text/x-json, text/javascript, application/xml, text/xml
Accept-Encoding: gzip, deflate, br

But as the application is vulnerable to CRLF injection the above command will instead result in the following two requests being sent:

GET /status HTTP/1.1
Host: insert.some.site.here
Authorization: test
User-Agent: injected header!

and

GET /smuggled HTTP/1.1
Host: insert.some.site.here
User-Agent: RestSharp/111.4.1.0
Accept: application/json, text/json, text/x-json, text/javascript, application/xml, text/xml
Accept-Encoding: gzip, deflate, br

This can be confirmed by checking the access logs on the server where these commands were run (with insert.some.site.here pointing to localhost):

anonymous@ubuntu-sofia-672448:~$ sudo tail /var/log/apache2/access.log
127.0.0.1 - - [29/Aug/2024:11:41:11 +0000] "GET /status HTTP/1.1" 200 240 "-" "injected header!"
127.0.0.1 - - [29/Aug/2024:11:41:11 +0000] "GET /smuggled HTTP/1.1" 404 436 "-" "RestSharp/111.4.1.0"

Impact

If an application using the RestSharp library passes a user-controllable value through to a header, then that application becomes vulnerable to CRLF-injection. This is not necessarily a security issue for a command line application like the one above, but if such code were present in a web application then it becomes vulnerable to request splitting (as shown in the PoC) and thus Server Side Request Forgery.

Strictly speaking this is a potential vulnerability in applications using RestSharp, not in RestSharp itself, but I would argue that at the very least there needs to be a warning about this behaviour in the RestSharp documentation.

---

Release Notes

restsharp/RestSharp (RestSharp)

v112.0.0

Compare Source

What's Changed

• Don't allow CRLF in headers by @​alexeyzimarev in https://github.com/restsharp/RestSharp/pull/2258

New Contributors

• @​MrFrawsty made their first contribution in https://github.com/restsharp/RestSharp/pull/2251
• @​snechaev made their first contribution in https://github.com/restsharp/RestSharp/pull/2256

Full Changelog: restsharp/RestSharp@111.4.1...112.0.0

v111.4.1

Compare Source

What's Changed

• Allow setting parameter content type by @​alexeyzimarev in https://github.com/restsharp/RestSharp/pull/2249
• Added extensions for getting content header values by @​jizc in https://github.com/restsharp/RestSharp/pull/2247

New Contributors

• @​minhtaile2712 made their first contribution in https://github.com/restsharp/RestSharp/pull/2243
• @​jizc made their first contribution in https://github.com/restsharp/RestSharp/pull/2247

Full Changelog: restsharp/RestSharp@111.4.0...111.4.1

v111.4.0

Compare Source

What's Changed

• Doc versions and response section by @​alexeyzimarev in https://github.com/restsharp/RestSharp/pull/2232
• Re-instate old methods, but as obsolete by @​matt-richardson in https://github.com/restsharp/RestSharp/pull/2228
• Header value null check by @​alexeyzimarev in https://github.com/restsharp/RestSharp/pull/2241

New Contributors

• @​matt-richardson made their first contribution in https://github.com/restsharp/RestSharp/pull/2228

Full Changelog: restsharp/RestSharp@111.3.0...111.4.0

v111.3.0

Compare Source

What's Changed

• Fix spelling in docs sidebar by @​Strepto in https://github.com/restsharp/RestSharp/pull/2218
• Use code generator for cloning responses by @​alexeyzimarev in https://github.com/restsharp/RestSharp/pull/2223
• Extensions for client and response by @​alexeyzimarev in https://github.com/restsharp/RestSharp/pull/2221

New Contributors

• @​Strepto made their first contribution in https://github.com/restsharp/RestSharp/pull/2218

Full Changelog: restsharp/RestSharp@111.2.0...111.3.0

v111.2.0

Compare Source

What's Changed

• Fix null reference exception when disposing response content by @​alexeyzimarev in https://github.com/restsharp/RestSharp/pull/2201
• Add Version to RestRequest by @​alexeyzimarev in https://github.com/restsharp/RestSharp/pull/2209
• Reverted authenticators rename
• Returned back Execute(request) without method

Full Changelog: restsharp/RestSharp@111.1.0...111.2.0

v111.1.0

Compare Source

v111.0.0

Compare Source

What's Changed

• Support file uploading without multipart/form-data by @​RomanSoloweow in https://github.com/restsharp/RestSharp/pull/2068
• Use builtin methods to ConcurrentDictionary by @​sensslen in https://github.com/restsharp/RestSharp/pull/2073
• Added remaining overloads (PATCH, HEAD, OPTIONS, DELETE) by @​alexeyzimarev in https://github.com/restsharp/RestSharp/pull/2050
• Use encoded filename for FileNameStar (#​2117) by @​alexeyzimarev in https://github.com/restsharp/RestSharp/pull/2123
• Added Option to add Interceptors on client level by @​fseidl-bauradar in https://github.com/restsharp/RestSharp/pull/2118
• Use case insensitive comparer by @​softworkz in https://github.com/restsharp/RestSharp/pull/2146
• Adjust serializer selection fallback procedure by @​softworkz in https://github.com/restsharp/RestSharp/pull/2147
• Set UserAgent as a default header parameter by @​PetesBreenCoding in https://github.com/restsharp/RestSharp/pull/2157
• Fixes OAuth1 signature with special characters (#​2126, #​1945) by @​elia936 in https://github.com/restsharp/RestSharp/pull/2127
• Set Version to generic RestResponse by @​biasso in https://github.com/restsharp/RestSharp/pull/2199
• Timeout as TimeSpan, Support custom request timeout by @​RomanSoloweow in https://github.com/restsharp/RestSharp/pull/2078

New Contributors

• @​RomanSoloweow made their first contribution in https://github.com/restsharp/RestSharp/pull/2068
• @​mikebundy made their first contribution in https://github.com/restsharp/RestSharp/pull/2097
• @​Kurzyn made their first contribution in https://github.com/restsharp/RestSharp/pull/2116
• @​fseidl-bauradar made their first contribution in https://github.com/restsharp/RestSharp/pull/2118
• @​mavaddat made their first contribution in https://github.com/restsharp/RestSharp/pull/2151
• @​softworkz made their first contribution in https://github.com/restsharp/RestSharp/pull/2146
• @​PetesBreenCoding made their first contribution in https://github.com/restsharp/RestSharp/pull/2157
• @​elia936 made their first contribution in https://github.com/restsharp/RestSharp/pull/2127
• @​thompson-tomo made their first contribution in https://github.com/restsharp/RestSharp/pull/2180
• @​biasso made their first contribution in https://github.com/restsharp/RestSharp/pull/2199

Full Changelog: restsharp/RestSharp@110.2.0...111.0.0

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[github-actions]

✒️ PR Title Commitlint - ✔️ Lint success!