Provide Authorization header when downloading update-job-proxy

src/api-client.ts

@@ -4,6 +4,7 @@ import * as retry from "@octokit/plugin-retry";
 import consoleLogLevel from "console-log-level";
 
 import { getActionVersion, getRequiredInput } from "./actions-util";
+import { Logger } from "./logging";
 import { getRepositoryNwo, RepositoryNwo } from "./repository";
 import {
   ConfigurationError,
@@ -54,7 +55,7 @@ function createApiClientWithDetails(
   );
 }
 
-export function getApiDetails() {
+export function getApiDetails(): GitHubApiDetails {
   return {
     auth: getRequiredInput("token"),
     url: getRequiredEnvParam("GITHUB_SERVER_URL"),
@@ -72,6 +73,34 @@ export function getApiClientWithExternalAuth(
   return createApiClientWithDetails(apiDetails, { allowExternal: true });
 }
 
+/**
+ * Gets a value for the `Authorization` header to download `url` or `undefined` if the
+ * `Authorization` header should not be set for `url`.
+ *
+ * @param logger The logger to use for debugging messages.
+ * @param apiDetails Details of the GitHub API we are using.
+ * @param url The URL for which we want to add an `Authorization` header.
+ * @param purpose A description of what we want to download, for debug messages.
+ * @returns The value for the `Authorization` header or `undefined` if it shouldn't be populated.
+ */
+export function getAuthorizationHeaderFor(
+  logger: Logger,
+  apiDetails: GitHubApiDetails,
+  url: string,
+  purpose: string = "CodeQL tools",
+): string | undefined {
+  if (
+    url.startsWith(`${apiDetails.url}/`) ||
+    (apiDetails.apiURL && url.startsWith(`${apiDetails.apiURL}/`))
+  ) {
+    logger.debug(`Providing an authorization token to download ${purpose}.`);
+    return `token ${apiDetails.auth}`;
+  }
+
+  logger.debug(`Downloading ${purpose} without an authorization token.`);
+  return undefined;
+}
+
 let cachedGitHubVersion: GitHubVersion | undefined = undefined;
 
 export async function getGitHubVersionFromApi(

src/setup-codeql.ts

@@ -574,14 +574,12 @@ export const downloadCodeQL = async function (
   let authorization: string | undefined = undefined;
   if (searchParams.has("token")) {
     logger.debug("CodeQL tools URL contains an authorization token.");
-  } else if (
-    codeqlURL.startsWith(`${apiDetails.url}/`) ||
-    (apiDetails.apiURL && codeqlURL.startsWith(`${apiDetails.apiURL}/`))
-  ) {
-    logger.debug("Providing an authorization token to download CodeQL tools.");
-    authorization = `token ${apiDetails.auth}`;
   } else {
-    logger.debug("Downloading CodeQL tools without an authorization token.");
+    authorization = api.getAuthorizationHeaderFor(
+      logger,
+      apiDetails,
+      codeqlURL,
+    );
   }
 
   const toolcacheInfo = getToolcacheDestinationInfo(

src/start-proxy-action.ts

@@ -6,6 +6,7 @@ import * as toolcache from "@actions/tool-cache";
 import { pki } from "node-forge";
 
 import * as actionsUtil from "./actions-util";
+import { getApiDetails, getAuthorizationHeaderFor } from "./api-client";
 import { getActionsLogger, Logger } from "./logging";
 import {
   Credential,
@@ -192,10 +193,20 @@ async function getProxyBinaryPath(logger: Logger): Promise<string> {
 
   let proxyBin = toolcache.find(proxyFileName, proxyInfo.version);
   if (!proxyBin) {
+    // We only want to provide an authorization header if we are downloading
+    // from the same GitHub instance the Action is running on.
+    // This avoids leaking Enterprise tokens to dotcom.
+    const apiDetails = getApiDetails();
+    const authorization = getAuthorizationHeaderFor(
+      logger,
+      apiDetails,
+      proxyInfo.url,
+      "`update-job-proxy`",
+    );
     const temp = await toolcache.downloadTool(
       proxyInfo.url,
       undefined,
-      undefined,
+      authorization,
       {
         accept: "application/octet-stream",
       },