This repository has been archived by the owner on May 3, 2022. It is now read-only.

Redirects should not pass authorization to different domain #27

Merged: 3 commits, Apr 23, 2020

Conversation

bryanmacfarlane
Member

If a request is redirected to a different domain, the authorization header should be stripped.
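The cross-host redirect rule described above, written out as an added example in TypeScript. This is not the PR's code or the @actions/http-client implementation; the function names, the header-map type and the sample URLs and token are assumptions made for illustration. It goes slightly beyond the one-line description by also resolving relative `Location` values against the original URL and matching the header name case-insensitively, both of which matter in practice.

```typescript
// Added example (not the @actions/http-client source): decide whether the
// Authorization header may follow a redirect, and drop it when the redirect
// leaves the original hostname. Function and type names are this example's own.

type HeaderMap = { [name: string]: string | undefined }

// Hostname comparison is case-insensitive (RFC 3986). Scheme and port are
// deliberately ignored here to match the "different hostname" wording of the fix.
function isSameHostname(originalUrl: string, redirectUrl: string): boolean {
  const from = new URL(originalUrl)
  // Resolve relative Location values (e.g. "/v2/resource") against the original URL.
  const to = new URL(redirectUrl, originalUrl)
  return from.hostname.toLowerCase() === to.hostname.toLowerCase()
}

// Build the header set for the follow-up request. Header names are matched
// case-insensitively because callers may set "Authorization" or "authorization".
function headersForRedirect(headers: HeaderMap, originalUrl: string, redirectUrl: string): HeaderMap {
  const out: HeaderMap = { ...headers }
  if (!isSameHostname(originalUrl, redirectUrl)) {
    for (const name of Object.keys(out)) {
      if (name.toLowerCase() === 'authorization') {
        delete out[name]
      }
    }
  }
  return out
}

// Constructed sample input: a token-bearing request to api.example.test.
const sampleHeaders: HeaderMap = {
  Authorization: 'Bearer <constructed-sample-token>',
  Accept: 'application/json'
}

// Redirect to an unrelated host: the token must not travel along.
const crossHost = headersForRedirect(sampleHeaders, 'https://api.example.test/v1', 'https://cdn.other.test/blob')
// Relative redirect on the same host: the token is still needed.
const sameHost = headersForRedirect(sampleHeaders, 'https://api.example.test/v1', '/v2/resource')

console.log('cross-host headers:', crossHost)
console.log('same-host headers:', sameHost)
```

Note that a suffix match on the hostname (`a.example.test` versus `a.example.test.evil.test`) is treated as a different host by the exact comparison above; a looser "ends with" check would reopen the leak.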

@@ -386,6 +386,16 @@ export class HttpClient {
// which will leak the open socket.
await response.readBody()

// strip authorization header if redirected to a different hostname
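Review bot: the comment on the added block scopes the strip to a "different hostname", so a redirect to the same host over a different scheme or port (for example https to http) would still carry the Authorization header; either compare scheme and port as well, or state in the comment that hostname-only is the intended scope. It is also worth confirming in the same block that the header name is matched case-insensitively, since callers can set `authorization` as well as `Authorization`, and that the strip happens before the follow-up request is built rather than after.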
bryanmacfarlane (Member Author) commented on Apr 23, 2020

Note that I commented out these lines and confirmed tests failed. Then uncommented and both pass.

@@ -1,6 +1,6 @@
{
"name": "@actions/http-client",
"version": "1.0.7",
"version": "1.0.8",
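Review bot: the bump from 1.0.7 to 1.0.8 in package.json has no accompanying changelog line in this hunk; a RELEASES.md entry naming the fix (authorization header no longer forwarded on cross-host redirects) tells consumers why the patch release matters. If the repository also carries a package-lock.json, its `version` field needs the same bump so the two files do not drift.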
Member Author

Only a patch bump to ensure as many folks as possible just get the fix. I will also post a security advisory.

@thboop thboop left a comment

LGTM.

Should we update releases.md?
