fix(node): strip credentials on cross-origin 307/308 redirects#1848
Open
greymoth-jp wants to merge 1 commit into
Open
fix(node): strip credentials on cross-origin 307/308 redirects#1848greymoth-jp wants to merge 1 commit into
greymoth-jp wants to merge 1 commit into
Conversation
`_redirect` runs `cleanHeader(headers, changesOrigin)` for 301, 302 and 303 responses, which drops `Authorization` and `Cookie` when the redirect crosses an origin. The 307 and 308 branches keep the method and body, so they skip `cleanHeader` and re-sent both headers to the new host, leaking credentials to a third-party origin. Strip `Authorization` and `Cookie` after the status-specific handling whenever the target origin differs, so every redirect code behaves the same way. This is a no-op for 301/302/303, which already remove them.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Request.prototype._redirectdropsAuthorizationandCookiewhen a redirect crosses an origin, but only for 301, 302 and 303. Those branches callutils.cleanHeader(headers, changesOrigin), which removes the two credential headers whenchangesOriginis true.307 and 308 preserve the method and body, so they skip
cleanHeader. As a side effect they also skip the credential stripping, and the originalAuthorization/Cookieheaders are re-sent to the redirect target. A server can answer with a 307/308 that points at a different origin and read the caller's credentials.Fix
Strip
AuthorizationandCookieafter the status-specific handling whenever the target origin differs, so every redirect code behaves the same way. It is a no-op for 301/302/303, which already remove them throughcleanHeader.Test
test/node/redirects-other-host.jsalready exercises cross-host 301/302/303/307/308 redirects. The second origin now reflects theAuthorizationandCookieit receives, and a new block sends both headers, follows a cross-host redirect for each status code, and asserts the other host never sees them. Without the change the 307 and 308 cases fail (the headers arrive at the other host); with it all five pass.