feat: reject cross-host redirects and HTTPS→HTTP downgrades (#95)

Add defaultCheckRedirect to both GitHub and Gitea clients that rejects: - HTTPS→HTTP protocol downgrades (prevents plaintext leakage) - Cross-host redirects entirely (prevents consuming untrusted responses) Same-host, same-or-upgraded-scheme redirects remain allowed. Both NewClient constructors wire the policy, and SetHTTPClient(nil) restores it. Callers providing a non-nil client are responsible for configuring their own safe redirect policy. Closes #95
2026-05-13 08:51:36 -07:00
parent 67c3db70cb
commit 1e0959b077
4 changed files with 297 additions and 5 deletions
@@ -107,6 +107,32 @@ type Client struct {
 	now func() time.Time
 }

+// defaultCheckRedirect is the redirect policy used by NewClient.
+// It rejects HTTPS→HTTP protocol downgrades (to prevent plaintext leakage)
+// and cross-host redirects (to prevent following responses from untrusted
+// endpoints). Same-host, same-or-upgraded-scheme redirects are allowed.
+func defaultCheckRedirect(req *http.Request, via []*http.Request) error {
+	if len(via) >= 10 {
+		return fmt.Errorf("stopped after 10 redirects")
+	}
+	// Guard: net/http guarantees len(via) >= 1 but defend against
+	// zero-length to avoid panic on index out of range.
+	if len(via) == 0 {
+		return nil
+	}
+	prev := via[len(via)-1]
+	// Reject protocol downgrade: HTTPS→HTTP leaks request metadata over plaintext.
+	if prev.URL.Scheme == "https" && req.URL.Scheme == "http" {
+		return fmt.Errorf("refusing redirect: HTTPS to HTTP downgrade (%s → %s)", prev.URL.Host, req.URL.Host)
+	}
+	// Reject cross-host redirect entirely to avoid consuming responses
+	// from untrusted endpoints.
+	if req.URL.Host != prev.URL.Host {
+		return fmt.Errorf("refusing redirect: cross-host (%s → %s)", prev.URL.Host, req.URL.Host)
+	}
+	return nil
+}
+
 // NewClient creates a new GitHub API client.
 // If baseURL is empty, it defaults to https://api.github.com.
 // For GitHub Enterprise, pass the API base URL (e.g. https://github.concur.com/api/v3).
@@ -117,14 +143,31 @@ func NewClient(token, baseURL string) *Client {
 	return &Client{
 		baseURL: strings.TrimRight(baseURL, "/"),
 		token:   token,
-		httpClient: &http.Client{Timeout: 30 * time.Second},
-		now:     time.Now,
+		httpClient: &http.Client{
+			Timeout:       30 * time.Second,
+			CheckRedirect: defaultCheckRedirect,
+		},
+		now: time.Now,
 	}
 }

 // SetHTTPClient sets the underlying HTTP client used for requests.
-// This is intended for testing to inject mock transports.
+// This is intended for test setup only to inject mock transports; it must be
+// called before any goroutines issue requests.
+//
+// Passing nil restores the default client (30s timeout + redirect-rejecting
+// CheckRedirect policy matching NewClient).
+//
+// Callers providing a non-nil client are responsible for configuring a safe
+// CheckRedirect policy. Without one, the default net/http behavior will follow
+// redirects and may forward the Authorization header to untrusted hosts.
 func (c *Client) SetHTTPClient(hc *http.Client) {
+	if hc == nil {
+		hc = &http.Client{
+			Timeout:       30 * time.Second,
+			CheckRedirect: defaultCheckRedirect,
+		}
+	}
 	c.httpClient = hc
 }