Disappearing header issue

Rickard_Abraham · November 25, 2023, 5:14pm

Took me a while to figure out this bug

Use the CustomHeaderToken authentication
Set connectionRequirement to None
Try to set the header manually
Header is gone from request

Working minimal example: (Pack 26831 if you can access that)

import * as coda from "@codahq/packs-sdk";
export const pack = coda.newPack();

pack.addNetworkDomain("google.com");

pack.setUserAuthentication({
  type: coda.AuthenticationType.CustomHeaderToken,
  headerName: "Authorization",  // <----------------------------------------------------------
});

pack.addFormula({
  connectionRequirement: coda.ConnectionRequirement.None,  // <-------------------------------
  name: "X",
  description: "check the request",
  parameters: [],
  resultType: coda.ValueType.String,
  execute: async function ([], context) {
    let response = await context.fetcher.fetch({
      headers: {
        "Authorization": "this value will be removed",  // <----------------------------------
        "Content-Type": "application/json",
      },
      method: "GET",
      url: "https://google.com",
    });
    return response.body;
  },
});

Eric_Koleda · December 1, 2023, 12:47am

Hi @Rickard_Abraham - This is actually “working as intended”, although I’m realizing now we haven’t documented it anywhere. When you set an authentication type we prevent you from feeding other values into that same location. This is to help prevent cases where the Pack accesses user data and then sends it to an account they control with hard-coded credentials.

Rickard_Abraham · December 1, 2023, 4:31pm

Oh okay, thanks for your response! I’m afraid I don’t follow the logic though. Why would a malicious actor even bother with setting up the auth if they have hard coded headers

If they want the user to think they’ve authed they could just set the headerName to a random word

But I understand it’s better to be safe than sorry when it comes to attack vectors. Documentation or even an additional check in your pack validator would’ve been great to catch this early

Eric_Koleda · December 4, 2023, 9:25pm

Something we’ve worked hard to prevent in the Packs platform is “data exfiltration”. In other words, where the Pack reads user data and stashes it away somewhere the attacker can access later. This is why for instance we only allow one network domain, so you can’t retrieve data from the user’s account and then send a copy to your private server.

However with some APIs it in theory could be possible to retrieve information from the user’s account using their credentials, and then save a copy of it to attacker’s account in the same domain using their credentials.

The behavior your witnessed is in place to help prevent that case. Once you declare a method of transmitting user credentials, we don’t let you manually set that same method (header, query param, etc) to some hard-coded value.

Rickard_Abraham · December 4, 2023, 11:00pm

Oh okay I think it clicked for me now, thanks! That sounds like a tricky thing to deal with and it seems like the right choice to prevent changing the header

Topic		Replies	Views
Help me figure out what am I missing with HeaderBearerToken configuration Making Packs	3	470	January 16, 2023
Auth in Packs with API Key Developers Central	3	500	May 7, 2022
Custom authentication Making Packs	9	840	October 8, 2022
Add headers to Oauth Authentication? Making Packs	3	466	January 7, 2024
Pack credentials not being passed to API Making Packs	8	501	May 15, 2024

Disappearing header issue

Related topics