Tier 2 per SECURITY.md — a compatibility-affecting change; needs maintainer approval before merge. Surfaced by the security review behind #39.
Problem
The shared client is built with HttpClient.Redirect.NORMAL (HttpTransport.java:136). NORMAL correctly does not downgrade https→http, but it does follow same-scheme cross-host redirects, and java.net.http.HttpClient re-sends the original request headers — including Authorization — to the redirect target. If the API host ever emitted (via compromise/misconfig) a 3xx to https://attacker.example, the Bearer token would be forwarded.
Trigger: requires the API host itself to issue a malicious redirect — defense-in-depth against a hypothetical API-side compromise, not exploitable against a default user today.
Proposed fix (needs approval — Tier 2)
Set HttpClient.Redirect.NEVER and treat any 3xx as an error — this authenticated JSON API never legitimately needs redirects.
Why Tier 2
Changes runtime behavior: any endpoint that currently relies on a redirect would start failing. Low severity, so worth confirming no legitimate redirect exists before flipping.
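An added example (not code from HttpTransport.java or the project) showing the current NORMAL policy beside the proposed NEVER policy, plus a send wrapper that fails closed on any 3xx so the Bearer token is never replayed to a redirect target; the class and method names are assumed, not the project's.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;

// Illustrative example; not the project's HttpTransport.java.
public final class RedirectPolicyExample {

    // Current behaviour (assumed to mirror HttpTransport.java:136): NORMAL refuses
    // https->http downgrades but still follows same-scheme cross-host redirects,
    // and the JDK client re-sends the original headers, Authorization included.
    static HttpClient currentClient() {
        return HttpClient.newBuilder()
                .followRedirects(HttpClient.Redirect.NORMAL)
                .build();
    }

    // Proposed fix: NEVER hands the 3xx back to the caller instead of following it.
    static HttpClient hardenedClient() {
        return HttpClient.newBuilder()
                .followRedirects(HttpClient.Redirect.NEVER)
                .connectTimeout(Duration.ofSeconds(10))
                .build();
    }

    /** Raised when the API answers with a redirect, which this JSON API never legitimately does. */
    static final class UnexpectedRedirectException extends IOException {
        UnexpectedRedirectException(int status, String location) {
            super("refusing to follow HTTP " + status + " to " + location);
        }
    }

    // Sends an authenticated request and treats any 3xx as an error. The message
    // names the Location target (never the token) so the event is visible in logs.
    static HttpResponse<String> sendAuthenticated(HttpClient client, URI apiUri, String bearerToken)
            throws IOException, InterruptedException {
        HttpRequest request = HttpRequest.newBuilder(apiUri)
                .header("Authorization", "Bearer " + bearerToken)
                .header("Accept", "application/json")
                .GET()
                .build();
        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
        int status = response.statusCode();
        if (status >= 300 && status < 400) {
            String location = response.headers().firstValue("Location").orElse("<none>");
            throw new UnexpectedRedirectException(status, location);
        }
        return response;
    }
}
```

With NEVER in place, a redirect surfaces as UnexpectedRedirectException on the caller's side, which also gives a simple way to confirm during rollout whether any endpoint still depends on a redirect.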