Skip to content
This repository has been archived by the owner on May 3, 2022. It is now read-only.

Redirects should not pass authorization to different domain #27

Merged
merged 3 commits into from
Apr 23, 2020
Merged

Redirects should not pass authorization to different domain #27

merged 3 commits into from
Apr 23, 2020

Conversation

bryanmacfarlane
Copy link
Member

If a request is redirected to a different domain, the authorization header should be stripped.

bryanmacfarlane
bryanmacfarlane commented Apr 23, 2020
View reviewed changes
index.ts
@@ -386,6 +386,16 @@ export class HttpClient {
// which will leak the open socket.
await response.readBody()

// strip authorization header if redirected to a different hostname
Copy link
Member Author

@bryanmacfarlane bryanmacfarlane Apr 23, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that I commented out these lines and confirmed tests failed. Then uncommented and both pass

bryanmacfarlane
bryanmacfarlane commented Apr 23, 2020
View reviewed changes
package.json
@@ -1,6 +1,6 @@
{
"name": "@actions/http-client",
"version": "1.0.7",
"version": "1.0.8",
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

only a patch bump to ensure as many folks as possible just get the fix. I will also post a security advisory

thboop
thboop approved these changes Apr 23, 2020
View reviewed changes
Copy link

@thboop thboop left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

Should we update releases.md?

@bryanmacfarlane bryanmacfarlane merged commit f6aae3d into master Apr 23, 2020
@bryanmacfarlane bryanmacfarlane mentioned this pull request Apr 24, 2020
Merged
@renovate renovate bot mentioned this pull request Apr 29, 2020
Merged
1 task
@dependabot dependabot bot mentioned this pull request Mar 16, 2021
Merged
@renovate renovate bot mentioned this pull request Mar 23, 2021
Merged
1 task
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@ericsciple ericsciple ericsciple approved these changes

@thboop thboop thboop approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@bryanmacfarlane @ericsciple @thboop