You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A custom authorization header, if present, is passed on redirect. This can leak auth tokens, and in many cases requests with unexpected authorization headers will be rejected.
Actual behavior
If a custom authorization header is added to options, and the request is redirected (302), the authorization header will be passed to the redirect location.
In my case, my app was using got to fetch a tarball from npm.pkg.github.com which redirected to pkg.githubusercontent.com, which rejected the request (400).
Describe the bug
A custom authorization header, if present, is passed on redirect. This can leak auth tokens, and in many cases requests with unexpected authorization headers will be rejected.
Actual behavior
If a custom authorization header is added to options, and the request is redirected (302), the authorization header will be passed to the redirect location.
In my case, my app was using got to fetch a tarball from npm.pkg.github.com which redirected to pkg.githubusercontent.com, which rejected the request (400).
Expected behavior
curl does not forward custom authorization: https://curl.haxx.se/docs/CVE-2018-1000007.html
It is convenient that got follows redirects by default, but it should not forward authorization headers by default.
Workaround
Add a
beforeRedirect
hook to remove the authorization header.Example: https://github.com/joebowbeer/regsync/blob/master/src/util.ts#L54
Checklist
The text was updated successfully, but these errors were encountered: