Skip to content

Protect self-update redirects from HTTP downgrade#712

Merged
ryanfowler merged 1 commit into
mainfrom
fix-insecure-update-redirects
Jun 4, 2026
Merged

Protect self-update redirects from HTTP downgrade#712
ryanfowler merged 1 commit into
mainfrom
fix-insecure-update-redirects

Conversation

@ryanfowler

Copy link
Copy Markdown
Owner

Summary

  • Add a central self-update URL validator that requires HTTPS for release metadata, artifacts, checksums, and redirect targets.
  • Allow HTTP only for explicit internal update overrides used by local fixtures.
  • Add unit coverage for HTTPS-to-HTTP redirect rejection, initial HTTP rejection, and the internal HTTP fixture path.

Testing

  • cargo fmt
  • cargo clippy --locked --all-targets --all-features -- -D warnings
  • cargo test --all-features update::tests::update
  • cargo test --all-features --test update -- --test-threads=1
  • cargo test --all-features -- --test-threads=1

@ryanfowler ryanfowler enabled auto-merge June 4, 2026 13:28
@ryanfowler ryanfowler merged commit b4c6f37 into main Jun 4, 2026
4 checks passed
@ryanfowler ryanfowler deleted the fix-insecure-update-redirects branch June 4, 2026 13:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant