From d3aa574b1259c1d8d329a0f0f495ee82882b1458 Mon Sep 17 00:00:00 2001 From: Matteo Collina Date: Mon, 5 Feb 2024 09:35:32 +0100 Subject: [PATCH] Merge pull request from GHSA-3787-6prv-h9w3 Signed-off-by: Matteo Collina --- lib/fetch/index.js | 3 +++ test/fetch/redirect-cross-origin-header.js | 6 ++++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/lib/fetch/index.js b/lib/fetch/index.js index 17c3d87ea62..dea206965a9 100644 --- a/lib/fetch/index.js +++ b/lib/fetch/index.js @@ -1203,6 +1203,9 @@ function httpRedirectFetch (fetchParams, response) { // https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name request.headersList.delete('authorization') + // https://fetch.spec.whatwg.org/#authentication-entries + request.headersList.delete('proxy-authorization', true) + // "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement. request.headersList.delete('cookie') request.headersList.delete('host') diff --git a/test/fetch/redirect-cross-origin-header.js b/test/fetch/redirect-cross-origin-header.js index fca48c44ea0..8c3e674968b 100644 --- a/test/fetch/redirect-cross-origin-header.js +++ b/test/fetch/redirect-cross-origin-header.js @@ -6,11 +6,12 @@ const { once } = require('events') const { fetch } = require('../..') test('Cross-origin redirects clear forbidden headers', async (t) => { - t.plan(5) + t.plan(6) const server1 = createServer((req, res) => { t.equal(req.headers.cookie, undefined) t.equal(req.headers.authorization, undefined) + t.equal(req.headers['proxy-authorization'], undefined) res.end('redirected') }).listen(0) @@ -39,7 +40,8 @@ test('Cross-origin redirects clear forbidden headers', async (t) => { const res = await fetch(`http://localhost:${server2.address().port}`, { headers: { Authorization: 'test', - Cookie: 'ddd=dddd' + Cookie: 'ddd=dddd', + 'Proxy-Authorization': 'test' } })