feat: reject cross-host redirects and HTTPS→HTTP downgrades (#95) #111

Merged

aweiker merged 2 commits from review-bot-issue-95 into main

2026-05-13 16:58:49 +00:00

Author	SHA1	Message	Date
claw	7de6fdd9ec	fix: address review feedback on redirect policy PR Ready Gate / clear-labels (pull_request) Successful in 1s Details CI / test (pull_request) Successful in 17s Details CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 31s Details CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 52s Details CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m24s Details - Replace Unicode arrows (→) with ASCII (->) in error messages and comments for log compatibility (gpt-review NITs #19626, #19628) - Improve guard comment to clarify it exists for testability, not runtime safety (sonnet-review NIT #19619) - Add cross-reference comments noting intentional duplication between gitea/client.go and github/client.go (sonnet-review #19618, gpt-review #19625, #19627) Pushed back on: - internal/ package for dedup: structural overhead not warranted for a single ~25-line function - strings.EqualFold for scheme: Go's url.Parse normalizes schemes to lowercase, making case-insensitive comparison unnecessary	2026-05-13 09:28:46 -07:00
claw	1e0959b077	feat: reject cross-host redirects and HTTPS→HTTP downgrades (#95 ) CI / test (pull_request) Successful in 16s Details CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 37s Details CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m19s Details CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m47s Details Add defaultCheckRedirect to both GitHub and Gitea clients that rejects: - HTTPS→HTTP protocol downgrades (prevents plaintext leakage) - Cross-host redirects entirely (prevents consuming untrusted responses) Same-host, same-or-upgraded-scheme redirects remain allowed. Both NewClient constructors wire the policy, and SetHTTPClient(nil) restores it. Callers providing a non-nil client are responsible for configuring their own safe redirect policy. Closes #95	2026-05-13 08:51:36 -07:00

Author

SHA1

Message

Date

claw

7de6fdd9ec

fix: address review feedback on redirect policy

PR Ready Gate / clear-labels (pull_request) Successful in 1s

Details

CI / test (pull_request) Successful in 17s

Details

CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 31s

Details

CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 52s

Details

CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m24s

Details

- Replace Unicode arrows (→) with ASCII (->) in error messages and
  comments for log compatibility (gpt-review NITs #19626, #19628)
- Improve guard comment to clarify it exists for testability, not
  runtime safety (sonnet-review NIT #19619)
- Add cross-reference comments noting intentional duplication between
  gitea/client.go and github/client.go (sonnet-review #19618,
  gpt-review #19625, #19627)

Pushed back on:
- internal/ package for dedup: structural overhead not warranted for
  a single ~25-line function
- strings.EqualFold for scheme: Go's url.Parse normalizes schemes to
  lowercase, making case-insensitive comparison unnecessary

2026-05-13 09:28:46 -07:00

claw

1e0959b077

feat: reject cross-host redirects and HTTPS→HTTP downgrades (#95 )

CI / test (pull_request) Successful in 16s

Details

CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 37s

Details

CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m19s

Details

CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m47s

Details

Add defaultCheckRedirect to both GitHub and Gitea clients that rejects:
- HTTPS→HTTP protocol downgrades (prevents plaintext leakage)
- Cross-host redirects entirely (prevents consuming untrusted responses)

Same-host, same-or-upgraded-scheme redirects remain allowed.

Both NewClient constructors wire the policy, and SetHTTPClient(nil)
restores it. Callers providing a non-nil client are responsible for
configuring their own safe redirect policy.

Closes #95

2026-05-13 08:51:36 -07:00

feat: reject cross-host redirects and HTTPS→HTTP downgrades (#95) #111

2 Commits