Reject cross-host redirects and HTTPS→HTTP downgrades entirely #95

New Issue

Closed

opened 2026-05-13 00:30:03 +00:00 by rodin · 1 comment

rodin commented 2026-05-13 00:30:03 +00:00

Owner

Copy Link

Copy Source

From security review on PR #93 (review #2870, finding #1):

Currently the client strips the Authorization header on cross-host redirects or protocol downgrades (HTTPS→HTTP), but still follows the redirect. This can lead to consuming responses from untrusted or downgraded endpoints.

Proposed: Reject cross-host redirects and HTTPS→HTTP downgrades entirely (return an error from CheckRedirect) rather than just stripping auth. This provides stronger integrity/confidentiality guarantees.

Consideration: This is a behavioral change that could break legitimate redirect flows (e.g., GitHub sometimes redirects to CDN hosts for raw content). Needs careful evaluation of which redirect patterns are expected vs. dangerous.

Ref: PR #93 review #2870

From security review on PR #93 (review #2870, finding #1): Currently the client strips the Authorization header on cross-host redirects or protocol downgrades (HTTPS→HTTP), but still follows the redirect. This can lead to consuming responses from untrusted or downgraded endpoints. **Proposed:** Reject cross-host redirects and HTTPS→HTTP downgrades entirely (return an error from CheckRedirect) rather than just stripping auth. This provides stronger integrity/confidentiality guarantees. **Consideration:** This is a behavioral change that could break legitimate redirect flows (e.g., GitHub sometimes redirects to CDN hosts for raw content). Needs careful evaluation of which redirect patterns are expected vs. dangerous. Ref: PR #93 review #2870

rodin referenced this issue from a commit 2026-05-13 00:30:29 +00:00

fix(github): address review findings from rounds 2867/2870

rodin referenced this issue 2026-05-13 00:30:39 +00:00

feat(github): implement PRReader + FileReader client (#80) #93

rodin referenced this issue 2026-05-13 00:44:03 +00:00

feat(github): implement PRReader + FileReader client (#80) #93

rodin self-assigned this 2026-05-13 15:45:33 +00:00

rodin commented 2026-05-13 15:47:44 +00:00

Author

Owner

Copy Link

Copy Source

Plan: Reject cross-host redirects and HTTPS→HTTP downgrades entirely### ProblemThe GitHub client's defaultCheckRedirect currently:1. ✅ Rejects HTTPS→HTTP downgrades (returns error)2. ⚠️ Strips Authorization on cross-host redirects but still follows themFollowing cross-host redirects (even without auth) can lead to consuming responses from untrusted endpoints, which could be exploited for response manipulation or information disclosure.Additionally, the Gitea client has no CheckRedirect policy at all, meaning it uses Go's default behavior (follows up to 10 redirects, forwarding all headers including Authorization).### Constraints- Must not break normal API usage (contents API, diff API, PR API, review submission)- Both GitHub and Gitea clients use JSON-based API endpoints that should never redirect cross-host in normal operation- The review-bot never fetches raw blob downloads that might legitimately redirect to CDN hosts- Change must be opt-in or at least clearly documented for anyone extending the client### Proposed ApproachChange defaultCheckRedirect in the GitHub client to reject (return error) on cross-host redirects instead of stripping auth and following:gofunc defaultCheckRedirect(req *http.Request, via []*http.Request) error { if len(via) >= 10 { return fmt.Errorf("stopped after 10 redirects") } if len(via) == 0 { return nil } prev := via[len(via)-1] // Reject HTTPS→HTTP downgrade if prev.URL.Scheme == "https" && req.URL.Scheme == "http" { return fmt.Errorf("refusing redirect: HTTPS to HTTP downgrade (%s → %s)", prev.URL.Host, req.URL.Host) } // Reject cross-host redirect entirely if req.URL.Host != prev.URL.Host { return fmt.Errorf("refusing redirect: cross-host (%s → %s)", prev.URL.Host, req.URL.Host) } return nil}Add defaultCheckRedirect to the Gitea client with the same policy, applied in NewClient and SetHTTPClient(nil).### Files to Change1. github/client.go — Update defaultCheckRedirect to return error on cross-host redirect instead of stripping auth2. github/client_test.go — Update TestDefaultCheckRedirect_StripsAuthOnCrossHost → rename to TestDefaultCheckRedirect_RejectsCrossHost and assert error returned3. gitea/client.go — Add defaultCheckRedirect function, wire into NewClient and SetHTTPClient4. gitea/client_test.go — Add tests for the new redirect policy### Error Cases- Cross-host redirect → clear error message identifying source and target hosts- HTTPS→HTTP downgrade → clear error message (already implemented for GitHub, new for Gitea)- Same-host same-scheme redirect → allowed (normal behavior for path normalization, trailing slash, etc.)### Edge Cases- len(via) == 0 — defensive guard, allow redirect (matches current behavior)- Port differences on same hostname (e.g. api.github.com vs api.github.com:443) — Go normalizes these, but Host field includes port when non-default; this means host:443 ≠ host even though they're the same. Decision: compare hosts as-is (strict). This is more secure — if a redirect goes to an explicit port variant, it's unusual and worth rejecting.- Redirect chain: first to same-host, then to cross-host — the function checks against via[len(via)-1] (the immediately previous request), so this is correctly caught at the second hop.### Testing Strategy1. Unit tests for defaultCheckRedirect in both packages: - Same-host same-scheme → allowed - Cross-host → error - HTTPS→HTTP → error - Same-host HTTP→HTTP → allowed (no downgrade) - 10+ redirects → error2. Existing integration-style tests should continue passing (they use mock servers on same host)### Open Questions- Port normalization: Go's Request.URL.Host includes port for non-standard ports. Should example.com == example.com:443? Current decision is strict comparison (no normalization) — more secure, simpler. If a legitimate same-origin redirect adds an explicit port, it would be rejected. This seems acceptable for an API client that only talks to known endpoints.### Completion Checklist1. [ ] defaultCheckRedirect in github/client.go returns error on cross-host redirect2. [ ] Error message clearly identifies source and target hosts3. [ ] Same-host redirects still work (no regression)4. [ ] HTTPS→HTTP rejection preserved with updated message format5. [ ] Gitea client gets defaultCheckRedirect with identical logic6. [ ] Gitea NewClient wires CheckRedirect7. [ ] Gitea SetHTTPClient(nil) restores CheckRedirect8. [ ] All existing tests pass (no regressions)9. [ ] New tests cover cross-host rejection for both clients10. [ ] go test ./... passes clean

## Plan: Reject cross-host redirects and HTTPS→HTTP downgrades entirely### ProblemThe GitHub client's `defaultCheckRedirect` currently:1. ✅ Rejects HTTPS→HTTP downgrades (returns error)2. ⚠️ Strips Authorization on cross-host redirects **but still follows them**Following cross-host redirects (even without auth) can lead to consuming responses from untrusted endpoints, which could be exploited for response manipulation or information disclosure.Additionally, the **Gitea client has no `CheckRedirect` policy at all**, meaning it uses Go's default behavior (follows up to 10 redirects, forwarding all headers including Authorization).### Constraints- Must not break normal API usage (contents API, diff API, PR API, review submission)- Both GitHub and Gitea clients use JSON-based API endpoints that should never redirect cross-host in normal operation- The review-bot never fetches raw blob downloads that might legitimately redirect to CDN hosts- Change must be opt-in or at least clearly documented for anyone extending the client### Proposed Approach**Change `defaultCheckRedirect` in the GitHub client** to reject (return error) on cross-host redirects instead of stripping auth and following:```gofunc defaultCheckRedirect(req *http.Request, via []*http.Request) error { if len(via) >= 10 { return fmt.Errorf("stopped after 10 redirects") } if len(via) == 0 { return nil } prev := via[len(via)-1] // Reject HTTPS→HTTP downgrade if prev.URL.Scheme == "https" && req.URL.Scheme == "http" { return fmt.Errorf("refusing redirect: HTTPS to HTTP downgrade (%s → %s)", prev.URL.Host, req.URL.Host) } // Reject cross-host redirect entirely if req.URL.Host != prev.URL.Host { return fmt.Errorf("refusing redirect: cross-host (%s → %s)", prev.URL.Host, req.URL.Host) } return nil}```**Add `defaultCheckRedirect` to the Gitea client** with the same policy, applied in `NewClient` and `SetHTTPClient(nil)`.### Files to Change1. **`github/client.go`** — Update `defaultCheckRedirect` to return error on cross-host redirect instead of stripping auth2. **`github/client_test.go`** — Update `TestDefaultCheckRedirect_StripsAuthOnCrossHost` → rename to `TestDefaultCheckRedirect_RejectsCrossHost` and assert error returned3. **`gitea/client.go`** — Add `defaultCheckRedirect` function, wire into `NewClient` and `SetHTTPClient`4. **`gitea/client_test.go`** — Add tests for the new redirect policy### Error Cases- Cross-host redirect → clear error message identifying source and target hosts- HTTPS→HTTP downgrade → clear error message (already implemented for GitHub, new for Gitea)- Same-host same-scheme redirect → allowed (normal behavior for path normalization, trailing slash, etc.)### Edge Cases- `len(via) == 0` — defensive guard, allow redirect (matches current behavior)- Port differences on same hostname (e.g. `api.github.com` vs `api.github.com:443`) — Go normalizes these, but `Host` field includes port when non-default; this means `host:443` ≠ `host` even though they're the same. **Decision:** compare hosts as-is (strict). This is more secure — if a redirect goes to an explicit port variant, it's unusual and worth rejecting.- Redirect chain: first to same-host, then to cross-host — the function checks against `via[len(via)-1]` (the immediately previous request), so this is correctly caught at the second hop.### Testing Strategy1. Unit tests for `defaultCheckRedirect` in both packages: - Same-host same-scheme → allowed - Cross-host → error - HTTPS→HTTP → error - Same-host HTTP→HTTP → allowed (no downgrade) - 10+ redirects → error2. Existing integration-style tests should continue passing (they use mock servers on same host)### Open Questions- **Port normalization:** Go's `Request.URL.Host` includes port for non-standard ports. Should `example.com` == `example.com:443`? Current decision is strict comparison (no normalization) — more secure, simpler. If a legitimate same-origin redirect adds an explicit port, it would be rejected. This seems acceptable for an API client that only talks to known endpoints.### Completion Checklist1. [ ] `defaultCheckRedirect` in `github/client.go` returns error on cross-host redirect2. [ ] Error message clearly identifies source and target hosts3. [ ] Same-host redirects still work (no regression)4. [ ] HTTPS→HTTP rejection preserved with updated message format5. [ ] Gitea client gets `defaultCheckRedirect` with identical logic6. [ ] Gitea `NewClient` wires CheckRedirect7. [ ] Gitea `SetHTTPClient(nil)` restores CheckRedirect8. [ ] All existing tests pass (no regressions)9. [ ] New tests cover cross-host rejection for both clients10. [ ] `go test ./...` passes clean

rodin referenced this issue from a commit 2026-05-13 15:51:41 +00:00

feat: reject cross-host redirects and HTTPS→HTTP downgrades (#95)

rodin referenced a pull request that will close this issue 2026-05-13 15:51:55 +00:00

feat: reject cross-host redirects and HTTPS→HTTP downgrades (#95) #111

aweiker closed this issue 2026-05-13 16:58:49 +00:00

aweiker referenced this issue from a commit 2026-05-13 16:58:50 +00:00

Merge pull request 'feat: reject cross-host redirects and HTTPS→HTTP downgrades (#95)' (#111) from review-bot-issue-95 into main

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

ci/cleanup

ci-selfreview-gate

issue-150

issue-157

issue-141

issue-154

review-bot-dev-loop

issue-143

issue-146

pr-153

review-bot-issue-130-work

issue-148

issue-139

issue-137

review-bot-fixes

review-bot-issue-133

review-bot-issue-130

issue-130

github-support

issue-123-work

issue-123

review-bot-issue-120

fix/125-readme-cli-example

issue-125

issue-124

issue-120

feature/github-support

review-bot-issue-116

review-bot-issue-115

review-bot-issue-114

review-bot-issue-96

review-bot-issue-107

review-bot-issue-82

review-bot-issue-95

review-bot-issue-92

review-bot-issue-94

review-bot-issue-81

review-bot-issue-91

review-bot-issue-97

issue-80-c-file-reader

issue-80-b-pr-reader

issue-80-a-client

review-bot-issue-80

review-bot-issue-87

review-bot-issue-79

review-bot-issue-84

review-bot-issue-78

issue-73

issue-70

issue-68

issue-66

issue-64

issue-60-remote-personas

issue-60

issue-57

allow-deps

feat/aicore-provider-v2

issue-51

ci/pr-ready-gate

fix/stale-commit-check

feat/aicore-provider

fix/response-body-truncation

fix/json-repair

fix/sonnet-reviewer

fix/consistent-path-escape

feat/inline-review-comments

feat/6-update-existing-review

fix/19-context-overflow

feat/18-anthropic-api

fix/url-escaping-and-shadow

fix/quick-wins

fix/context-and-encapsulation

docs/code-review-report

ci/release-workflow

v0.4.0

v0.3.2

v0.3.1

v0.3.0

v0.2.0

v0.1.0

Labels

Clear labels

ai-review

bug

needs-review

ready

Ready for human review

self-reviewed

Self-review passed since last push

wip

Work in progress - do not start new work on this PR

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

security-review-bot rodin (Rodin)

No Assignees rodin

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: rodin/review-bot#95