Skip to content
This repository has been archived by the owner on May 3, 2022. It is now read-only.

Redirects should not pass authorization to different domain #27

Merged
merged 3 commits into from
Apr 23, 2020
Merged

Redirects should not pass authorization to different domain #27

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
fbd1377
fix and tests
bryanmacfarlane Apr 23, 2020
943067f
it's pretty now and bump version
bryanmacfarlane Apr 23, 2020
cde0b32
cr feedback
bryanmacfarlane Apr 23, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 44 additions & 0 deletions __tests__/basics.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -179,6 +179,50 @@ describe('basics', () => {
done()
})

it('does not pass auth with diff hostname redirects', async done => {
let headers = {
accept: 'application/json',
authorization: 'shhh'
}
let res: httpm.HttpClientResponse = await _http.get(
'https://httpbin.org/redirect-to?url=' +
encodeURIComponent('https://www.httpbin.org/get'),
headers
)

expect(res.message.statusCode).toBe(200)
let body: string = await res.readBody()
let obj: any = JSON.parse(body)
// httpbin "fixes" the casing
expect(obj.headers['Authorization']).toBeUndefined()
expect(obj.headers['authorization']).toBeUndefined()
expect(obj.url).toBe('https://www.httpbin.org/get')

done()
})

it('does not pass Auth with diff hostname redirects', async done => {
let headers = {
Accept: 'application/json',
Authorization: 'shhh'
}
let res: httpm.HttpClientResponse = await _http.get(
'https://httpbin.org/redirect-to?url=' +
encodeURIComponent('https://www.httpbin.org/get'),
headers
)

expect(res.message.statusCode).toBe(200)
let body: string = await res.readBody()
let obj: any = JSON.parse(body)
// httpbin "fixes" the casing
expect(obj.headers['Authorization']).toBeUndefined()
expect(obj.headers['authorization']).toBeUndefined()
expect(obj.url).toBe('https://www.httpbin.org/get')

done()
})

it('does basic head request', async done => {
let res: httpm.HttpClientResponse = await _http.head(
'http://httpbin.org/get'
Expand Down
10 changes: 10 additions & 0 deletions index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -386,6 +386,16 @@ export class HttpClient {
// which will leak the open socket.
await response.readBody()

// strip authorization header if redirected to a different hostname
Copy link
Member Author

@bryanmacfarlane bryanmacfarlane Apr 23, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that I commented out these lines and confirmed tests failed. Then uncommented and both pass

if (parsedRedirectUrl.hostname !== parsedUrl.hostname) {
for (let header in headers) {
// header names are case insensitive
if (header.toLowerCase() === 'authorization') {
delete headers[header]
}
}
}

// let's make the request with the new redirectUrl
info = this._prepareRequest(verb, parsedRedirectUrl, headers)
response = await this.requestRaw(info, data)
Expand Down
2 changes: 1 addition & 1 deletion package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@actions/http-client",
"version": "1.0.7",
"version": "1.0.8",
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

only a patch bump to ensure as many folks as possible just get the fix. I will also post a security advisory

"description": "Actions Http Client",
"main": "index.js",
"scripts": {
Expand Down