Strip Authorization header on cross-origin redirects

When following a redirect to a different origin (scheme, host, or port),
the Authorization header is now removed to prevent credential leakage.
Previously, all headers were forwarded unconditionally to the redirect
target, which could expose auth tokens to unintended hosts (e.g., when
redirecting from a custom origin to S3).

Closes #770.

Author: sferik

CHANGELOG.md

@@ -18,6 +18,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
+- Strip `Authorization` header when following redirects to a different origin
+  (scheme, host, or port) to prevent credential leakage (#770)
 - AutoInflate now preserves the response charset encoding instead of
   defaulting to `Encoding::BINARY` (#535)
 - `LocalJumpError` when using instrumentation with instrumenters that

lib/http/request.rb

@@ -171,6 +171,13 @@ def redirect(uri, verb = @verb)
       headers = self.headers.dup
       headers.delete(Headers::HOST)
 
+      redirect_uri = @uri.join(uri)
+
+      # Strip sensitive auth headers when redirecting to a different origin
+      # (scheme + host + port) to prevent credential leakage.
+      # See: https://github.com/httprb/http/issues/770
+      headers.delete(Headers::AUTHORIZATION) unless @uri.origin == redirect_uri.origin
+
       new_body = body.source
       if verb == :get
         # request bodies should not always be resubmitted when following a redirect
@@ -187,7 +194,7 @@ def redirect(uri, verb = @verb)
 
       self.class.new(
         verb:           verb,
-        uri:            @uri.join(uri),
+        uri:            redirect_uri,
         headers:        headers,
         proxy:          proxy,
         body:           new_body,

test/http/redirector_test.rb

@@ -650,6 +650,64 @@ def empty_body
       end
     end
 
+    context "with Authorization header" do
+      it "preserves Authorization when redirecting to same origin" do
+        req = HTTP::Request.new verb: :get, uri: "http://example.com"
+        req.headers.set("Authorization", "Bearer secret")
+        hops = [
+          redirect_response(301, "http://example.com/other"),
+          simple_response(200, "done")
+        ]
+
+        redirector.perform(req, hops.shift) do |request|
+          assert_equal "Bearer secret", request["Authorization"]
+          hops.shift
+        end
+      end
+
+      it "strips Authorization when redirecting to different host" do
+        req = HTTP::Request.new verb: :get, uri: "http://example.com"
+        req.headers.set("Authorization", "Bearer secret")
+        hops = [
+          redirect_response(301, "http://other.example.com/"),
+          simple_response(200, "done")
+        ]
+
+        redirector.perform(req, hops.shift) do |request|
+          assert_nil request["Authorization"]
+          hops.shift
+        end
+      end
+
+      it "strips Authorization when redirecting to different scheme" do
+        req = HTTP::Request.new verb: :get, uri: "http://example.com"
+        req.headers.set("Authorization", "Bearer secret")
+        hops = [
+          redirect_response(301, "https://example.com/"),
+          simple_response(200, "done")
+        ]
+
+        redirector.perform(req, hops.shift) do |request|
+          assert_nil request["Authorization"]
+          hops.shift
+        end
+      end
+
+      it "strips Authorization when redirecting to different port" do
+        req = HTTP::Request.new verb: :get, uri: "http://example.com"
+        req.headers.set("Authorization", "Bearer secret")
+        hops = [
+          redirect_response(301, "http://example.com:8080/"),
+          simple_response(200, "done")
+        ]
+
+        redirector.perform(req, hops.shift) do |request|
+          assert_nil request["Authorization"]
+          hops.shift
+        end
+      end
+    end
+
     it "does not falsely detect endless loop when verb changes for same URL" do
       req = HTTP::Request.new verb: :post, uri: "http://example.com"
       # POST http://example.com → 302 → GET http://example.com → 302 → GET http://example.com/done → 200

test/http/request_test.rb

@@ -258,6 +258,50 @@
         assert_equal :get, redirected_with_verb.verb
       end
     end
+
+    context "with Authorization header" do
+      let(:headers) { { accept: "text/html", authorization: "Bearer token123" } }
+
+      context "when redirecting to same origin" do
+        let(:redirected) { request.redirect "/other-path" }
+
+        it "preserves Authorization header" do
+          assert_equal "Bearer token123", redirected["Authorization"]
+        end
+      end
+
+      context "when redirecting to different host" do
+        let(:redirected) { request.redirect "http://other.example.com/" }
+
+        it "strips Authorization header" do
+          assert_nil redirected["Authorization"]
+        end
+      end
+
+      context "when redirecting to different scheme" do
+        let(:redirected) { request.redirect "https://example.com/" }
+
+        it "strips Authorization header" do
+          assert_nil redirected["Authorization"]
+        end
+      end
+
+      context "when redirecting to different port" do
+        let(:redirected) { request.redirect "http://example.com:8080/" }
+
+        it "strips Authorization header" do
+          assert_nil redirected["Authorization"]
+        end
+      end
+
+      context "when redirecting to schema-less URL with different host" do
+        let(:redirected) { request.redirect "//other.example.com/path" }
+
+        it "strips Authorization header" do
+          assert_nil redirected["Authorization"]
+        end
+      end
+    end
   end
 
   describe "#headline" do