feat: reject cross-host redirects and HTTPS→HTTP downgrades (#95)
CI / test (pull_request) Successful in 16s
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 37s
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m19s
CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m47s
CI / test (pull_request) Successful in 16s
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 37s
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m19s
CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m47s
Add defaultCheckRedirect to both GitHub and Gitea clients that rejects: - HTTPS→HTTP protocol downgrades (prevents plaintext leakage) - Cross-host redirects entirely (prevents consuming untrusted responses) Same-host, same-or-upgraded-scheme redirects remain allowed. Both NewClient constructors wire the policy, and SetHTTPClient(nil) restores it. Callers providing a non-nil client are responsible for configuring their own safe redirect policy. Closes #95
This commit is contained in:
claw
@@ -5,6 +5,8 @@ import (
|
||||
"errors"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"net/url"
|
||||
"strings"
|
||||
"testing"
|
||||
"time"
|
||||
)
|
||||
@@ -407,3 +409,105 @@ func TestAPIError_Error_NewlineSanitized(t *testing.T) {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestNewClient_HasCheckRedirect(t *testing.T) {
|
||||
c := NewClient("secret-token", "https://api.github.com")
|
||||
if c.httpClient.CheckRedirect == nil {
|
||||
t.Fatal("expected CheckRedirect to be set")
|
||||
}
|
||||
}
|
||||
|
||||
func TestDefaultCheckRedirect_RejectsHTTPSToHTTP(t *testing.T) {
|
||||
prev := &http.Request{URL: &url.URL{Scheme: "https", Host: "api.github.com", Path: "/foo"}}
|
||||
req := &http.Request{
|
||||
URL: &url.URL{Scheme: "http", Host: "api.github.com", Path: "/foo"},
|
||||
Header: http.Header{"Authorization": []string{"Bearer token"}},
|
||||
}
|
||||
err := defaultCheckRedirect(req, []*http.Request{prev})
|
||||
if err == nil {
|
||||
t.Fatal("expected error on HTTPS→HTTP redirect")
|
||||
}
|
||||
if !strings.Contains(err.Error(), "HTTPS to HTTP downgrade") {
|
||||
t.Errorf("unexpected error message: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestDefaultCheckRedirect_RejectsCrossHost(t *testing.T) {
|
||||
prev := &http.Request{URL: &url.URL{Scheme: "https", Host: "api.github.com", Path: "/foo"}}
|
||||
req := &http.Request{
|
||||
URL: &url.URL{Scheme: "https", Host: "objects.githubusercontent.com", Path: "/bar"},
|
||||
Header: http.Header{"Authorization": []string{"Bearer token"}},
|
||||
}
|
||||
err := defaultCheckRedirect(req, []*http.Request{prev})
|
||||
if err == nil {
|
||||
t.Fatal("expected error on cross-host redirect")
|
||||
}
|
||||
if !strings.Contains(err.Error(), "cross-host") {
|
||||
t.Errorf("unexpected error message: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestDefaultCheckRedirect_AllowsSameHost(t *testing.T) {
|
||||
prev := &http.Request{URL: &url.URL{Scheme: "https", Host: "api.github.com", Path: "/foo"}}
|
||||
req := &http.Request{
|
||||
URL: &url.URL{Scheme: "https", Host: "api.github.com", Path: "/bar"},
|
||||
Header: http.Header{"Authorization": []string{"Bearer token"}},
|
||||
}
|
||||
err := defaultCheckRedirect(req, []*http.Request{prev})
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
}
|
||||
// Auth should be preserved on same-host redirect
|
||||
if auth := req.Header.Get("Authorization"); auth != "Bearer token" {
|
||||
t.Errorf("expected Authorization to be preserved, got %q", auth)
|
||||
}
|
||||
}
|
||||
|
||||
func TestDefaultCheckRedirect_AllowsSameHostHTTPToHTTP(t *testing.T) {
|
||||
prev := &http.Request{URL: &url.URL{Scheme: "http", Host: "localhost:8080", Path: "/foo"}}
|
||||
req := &http.Request{
|
||||
URL: &url.URL{Scheme: "http", Host: "localhost:8080", Path: "/bar"},
|
||||
Header: http.Header{},
|
||||
}
|
||||
err := defaultCheckRedirect(req, []*http.Request{prev})
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestDefaultCheckRedirect_RejectsTooManyRedirects(t *testing.T) {
|
||||
via := make([]*http.Request, 10)
|
||||
for i := range via {
|
||||
via[i] = &http.Request{URL: &url.URL{Scheme: "https", Host: "api.github.com", Path: "/"}}
|
||||
}
|
||||
req := &http.Request{URL: &url.URL{Scheme: "https", Host: "api.github.com", Path: "/final"}}
|
||||
err := defaultCheckRedirect(req, via)
|
||||
if err == nil {
|
||||
t.Fatal("expected error after 10 redirects")
|
||||
}
|
||||
if !strings.Contains(err.Error(), "10 redirects") {
|
||||
t.Errorf("unexpected error message: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestDefaultCheckRedirect_EmptyViaAllowed(t *testing.T) {
|
||||
req := &http.Request{URL: &url.URL{Scheme: "https", Host: "api.github.com", Path: "/foo"}}
|
||||
err := defaultCheckRedirect(req, nil)
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected error with empty via: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestSetHTTPClient_NilRestoresDefault(t *testing.T) {
|
||||
c := NewClient("token", "https://api.github.com")
|
||||
c.SetHTTPClient(nil)
|
||||
if c.httpClient == nil {
|
||||
t.Fatal("expected non-nil httpClient after SetHTTPClient(nil)")
|
||||
}
|
||||
if c.httpClient.Timeout != 30*time.Second {
|
||||
t.Errorf("expected 30s timeout, got %v", c.httpClient.Timeout)
|
||||
}
|
||||
if c.httpClient.CheckRedirect == nil {
|
||||
t.Fatal("expected CheckRedirect policy after SetHTTPClient(nil)")
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user