This repository was archived by the owner on May 3, 2022. It is now read-only.

Redirects should not pass authorization to different domain #27

Merged
merged 3 commits into from
Apr 23, 2020

Conversation

bryanmacfarlane
Member

If a request is redirected to a different domain, the authorization header should be stripped.
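One way to implement the check the description calls for, as an added example that is not the library's own code (the names `isCrossHostRedirect` and `headersForRedirect` are assumed):

```typescript
// Added example (not the @actions/http-client source): decide whether the
// Authorization header may be forwarded when following an HTTP redirect.

type Headers = Record<string, string>;

// Returns true when the redirect target is on a different host than the
// original request, i.e. the credential must not be forwarded.
function isCrossHostRedirect(originalUrl: string, location: string): boolean {
  const original = new URL(originalUrl);
  // Location may be relative; resolve it against the original request URL.
  const target = new URL(location, original);
  // URL lowercases hostnames, so this comparison is case-insensitive.
  return original.hostname !== target.hostname;
}

// Builds the header set for the redirected request. The Authorization
// header is dropped (whatever its letter case) on a cross-host redirect;
// every other header is copied unchanged.
function headersForRedirect(headers: Headers, originalUrl: string, location: string): Headers {
  const out: Headers = {};
  const strip = isCrossHostRedirect(originalUrl, location);
  for (const [name, value] of Object.entries(headers)) {
    if (strip && name.toLowerCase() === 'authorization') {
      continue;
    }
    out[name] = value;
  }
  return out;
}
```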

@@ -386,6 +386,16 @@ export class HttpClient {
// which will leak the open socket.
await response.readBody()

// strip authorization header if redirected to a different hostname
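Review bot: the comment closing this hunk says "different hostname" while the PR title says "different domain"; these are not the same test, so the added lines (not shown in this excerpt) should compare the parsed `hostname` of the original request with the resolved redirect `location`, and the comment should state whether a scheme or port change alone is meant to strip the header. A pair of tests, one redirecting to another host and asserting the header is absent and one same-host redirect asserting it is kept, would pin that intent down.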
Member Author

@bryanmacfarlane bryanmacfarlane Apr 23, 2020


Note that I commented out these lines and confirmed tests failed. Then uncommented and both pass.

@@ -1,6 +1,6 @@
{
"name": "@actions/http-client",
"version": "1.0.7",
"version": "1.0.8",
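Review bot: the bump from 1.0.7 to 1.0.8 has no accompanying release note in this diff, so consumers reading the package history will not see that redirects now drop the Authorization header; add a releases.md entry for 1.0.8 alongside the version bump.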
Member Author


Only a patch bump to ensure as many folks as possible just get the fix. I will also post a security advisory.


@thboop thboop left a comment


LGTM.

Should we update releases.md?
