
fix(security): 2 improvements across 1 file #680

Merged: Pangjiping merged 1 commit into alibaba:main from tomaioo:contribai/fix/security/authorization-token-may-leak-on-cross-ho on Apr 10, 2026

Conversation

@tomaioo
Contributor

@tomaioo tomaioo commented Apr 10, 2026

Summary

fix(security): 2 improvements across 1 file

Problem

Severity: High | File: components/execd/pkg/jupyter/transport.go:L24

The custom AuthTransport unconditionally injects the Jupyter token into every outgoing request in RoundTrip. If the HTTP client follows redirects, and a redirect points to a different host, this transport can re-attach the token to redirected requests, potentially exposing credentials to unintended domains.

Solution

Bind token injection to an allowlisted host/scheme (e.g., compare req.URL.Host to the expected Jupyter endpoint before setting Authorization), and/or disable redirects for this client (CheckRedirect) unless explicitly safe.

Changes

  • components/execd/pkg/jupyter/transport.go (modified)

Testing

  • Existing tests pass
  • Manual review completed
  • No new warnings/errors introduced

- Security: Authorization token may leak on cross-host redirects
- Security: Nil RoundTripper can trigger panic and service disruption

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
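Both items in the description, worked through as an added Go example that is not the project's code (the page does not show transport.go itself, so nothing here is the merged diff): a NaiveTransport that re-attaches the token on every RoundTrip, including the requests net/http builds while following a redirect; an AuthTransport that sets Authorization only when the request's scheme and host match the configured Jupyter endpoint and that tolerates a nil base RoundTripper; and a CheckRedirect policy that refuses to leave that endpoint at all. LeakProbe stands up two constructed httptest servers, one playing Jupyter and answering with a 302 to the other, which reports whatever Authorization header reaches it. All names (NaiveTransport, AuthTransport and its fields, SameEndpointOnly, HardenedClient, LeakProbe) and the "token <value>" header format are this example's own assumptions.

```go
package main

import (
	"errors"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// NaiveTransport reproduces the flaw the PR describes: the token goes on every
// request RoundTrip sees, including the ones net/http builds while following a
// redirect, so the client's own cross-domain Authorization stripping cannot help.
type NaiveTransport struct{ Token string }

func (n NaiveTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	req.Header.Set("Authorization", "token "+n.Token) // also mutates the caller's request
	return http.DefaultTransport.RoundTrip(req)
}

// AuthTransport is the hardened shape: the token is attached only when the
// request's scheme and host equal the configured endpoint (port included), and
// a nil Base falls back to http.DefaultTransport instead of panicking.
type AuthTransport struct {
	Base   http.RoundTripper // nil is allowed
	Token  string
	Scheme string // "http" or "https"
	Host   string // host[:port] of the Jupyter endpoint, compared exactly
}

func (t *AuthTransport) base() http.RoundTripper {
	if t.Base == nil {
		return http.DefaultTransport
	}
	return t.Base
}

// Allowed reports whether u is the endpoint this transport holds a token for.
func (t *AuthTransport) Allowed(u *url.URL) bool {
	return u.Scheme == t.Scheme && u.Host == t.Host
}

func (t *AuthTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context()) // never modify the caller's request
	if t.Allowed(r.URL) {
		r.Header.Set("Authorization", "token "+t.Token)
	} else {
		r.Header.Del("Authorization") // no stale token rides along to a foreign host
	}
	return t.base().RoundTrip(r)
}

var ErrCrossHostRedirect = errors.New("refusing redirect off the Jupyter endpoint")

// SameEndpointOnly is a CheckRedirect policy: stop before issuing any request to another scheme/host.
func SameEndpointOnly(scheme, host string) func(*http.Request, []*http.Request) error {
	return func(req *http.Request, via []*http.Request) error {
		if req.URL.Scheme != scheme || req.URL.Host != host {
			return ErrCrossHostRedirect
		}
		if len(via) >= 10 {
			return errors.New("stopped after 10 redirects")
		}
		return nil
	}
}

// HardenedClient wires the transport to ep; refuseCrossHost adds the redirect policy on top.
func HardenedClient(token string, ep *url.URL, refuseCrossHost bool) *http.Client {
	c := &http.Client{Transport: &AuthTransport{Token: token, Scheme: ep.Scheme, Host: ep.Host}}
	if refuseCrossHost {
		c.CheckRedirect = SameEndpointOnly(ep.Scheme, ep.Host)
	}
	return c
}

// LeakProbe runs one client against two constructed test servers: "jupyter" answers
// everything with a 302 to an unrelated "foreign" server, which reports the
// Authorization header it received ("" means the foreign host saw no token).
func LeakProbe(newClient func(endpoint *url.URL) *http.Client) (string, error) {
	seen := make(chan string, 2) // handler's value first (if it ran), then our sentinel
	foreign := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- r.Header.Get("Authorization")
	}))
	defer foreign.Close()
	jupyter := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, foreign.URL+"/collect", http.StatusFound)
	}))
	defer jupyter.Close()
	endpoint, _ := url.Parse(jupyter.URL)
	resp, err := newClient(endpoint).Get(jupyter.URL + "/api/status")
	if resp != nil {
		resp.Body.Close()
	}
	seen <- "" // sentinel: read only if the foreign handler never sent anything
	return <-seen, err
}
```

Run through LeakProbe, the naive client hands "token s3cr3t" to the foreign server; the allowlisted transport still follows the redirect but delivers no credential; with SameEndpointOnly the client never contacts the foreign host and surfaces ErrCrossHostRedirect instead. Two choices worth keeping in a real fix: compare host and port exactly rather than by suffix (a subdomain match is how Go's own redirect header-copying rules are relaxed, and that is not what you want for a bearer token), and clone the request before touching headers, since a RoundTripper that edits its argument also edits what the caller retries with.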
@Pangjiping Pangjiping self-assigned this Apr 10, 2026
@Pangjiping Pangjiping added bug Something isn't working component/execd labels Apr 10, 2026
Collaborator

@Pangjiping Pangjiping left a comment


LGTM

@Pangjiping Pangjiping merged commit 3b2c2f3 into alibaba:main Apr 10, 2026
8 checks passed

2 participants