fix: do not forward credential headers on cross-origin redirect#813
Conversation
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces security enhancements to prevent credential leakage by stripping sensitive headers (such as Authorization, Cookie, and Proxy-Authorization) and clearing authentication options during cross-origin redirects, while preserving them for same-origin redirects. Feedback on these changes highlights two critical issues in the fallback parser of isCrossOriginRedirect: first, comparing unnormalized hosts can cause same-origin redirects with explicit default ports to be incorrectly treated as cross-origin; second, the parser fails open by returning false on errors, which could leak credentials. It is recommended to normalize the ports and fail closed by returning true in the catch block.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
When following a redirect to a different origin, urllib reused the caller's options verbatim, re-sending Authorization, Cookie, and Proxy-Authorization (and re-applying the Basic auth from `auth`) to the new origin. Strip these in handleRedirect when the redirect crosses the origin boundary. Same-origin redirects are unchanged.
fengmk2
force-pushed
the
fix/cross-origin-redirect-credential-leak-2.x
branch
from
550c293 to
1e81b92
Compare
|
Thanks, both points addressed in the fallback parser (the
The primary path uses |
|
@codex review |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1e81b9225c
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
|
||
| // Credential-bearing headers that must not be forwarded across an origin | ||
| // boundary when following a redirect, to avoid leaking them to a third party. | ||
| var CROSS_ORIGIN_SENSITIVE_HEADERS = [ 'authorization', 'cookie', 'proxy-authorization' ]; |
There was a problem hiding this comment.
For proxied requests where the caller pins a proxy with args.proxy/URLLIB_PROXY and supplies Proxy-Authorization in the request headers, a redirect to another origin still goes through that same authenticated proxy, but this list removes the proxy credential before the recursive request. In that context the header authenticates the proxy rather than the redirected origin, so authenticated proxies can start returning 407 on any cross-origin redirect; only strip it when it is actually being sent as an origin header rather than while proxying.
Useful? React with 👍 / 👎.
These tests depend on reaching https://www.npmjs.com and fail deterministically in CI (and offline). They are pre-existing on the 2.x branch and unrelated to the redirect fix. Guard them with it.skip (the npmRegistry/npmmirror keep-alive cases stay enabled).
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## 2.x #813 +/- ##
==========================================
- Coverage 91.91% 89.94% -1.98%
==========================================
Files 6 6
Lines 829 875 +46
Branches 225 243 +18
==========================================
+ Hits 762 787 +25
- Misses 67 88 +21 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Node.js 8 is EOL and the current dependency tree requires >= 14 (undici, formdata-node, etc.), so the v8 jobs crash regardless of the test changes.
- Clone args before dropping credentials so a caller reusing the same options object keeps its auth/digestAuth/headers (no in-place mutation). - Keep Proxy-Authorization when the request goes through a proxy, since it authenticates the (unchanged) proxy hop, not the redirected origin. - Derive the current origin from URL components when the request is made with an options-style object that has no href, so same-origin redirects are not misclassified as cross-origin by the fail-closed path.
|
Thanks @chatgpt-codex-connector, all three addressed in 44c1935:
The Gemini fallback-parser points (default-port normalization + fail-closed) from the earlier review are already in. |
Summary
Testing
|
Add the 2.44.1 entry for the cross-origin credential header fix (#813).
Release urllib v2.44.1. Merging this PR updates the version on `2.x` and triggers the release workflow, which publishes to npm (dist-tag `latest-2`) and creates the GitHub Release after manual approval. ## What's Changed ### Security * Do not forward credential headers (`Authorization`, `Cookie`, `Proxy-Authorization`) on cross-origin redirect, and clear `auth`/`digestAuth` before following. Same-origin redirects are unchanged and the caller's headers object is never mutated (#813). ### Internal * Two-stage release workflow with manual approval, publishing the 2.x line to the `latest-2` npm dist-tag (#815). * Use Node 24 in the release workflow for npm 11 OIDC trusted publishing. --------- Co-authored-by: fengmk2 <156269+fengmk2@users.noreply.github.com> Co-authored-by: MK <fengmk2@gmail.com>
1 participant
Problem
When following a redirect to a different origin, urllib reused the caller's
argsverbatim, re-sendingAuthorization,Cookie, andProxy-Authorizationheaders (and re-applying the Basicauthoption) to the new origin. The only existing cleanup was theHostheader.Fix
In
handleRedirect, when the redirect target origin differs from the current origin, strip those credential headers and clearauth/digestAuthbefore following. Same-origin redirects are unchanged; the caller's headers object is not mutated.Tests
New
test/redirect-cross-origin.test.jswith two local servers on different ports: cross-origin strip (headers +auth) and same-origin preserve. Verified the cross-origin cases fail without the fix.