fix: do not forward credential headers on cross-origin redirect

When following a redirect to a different origin, urllib reused the
caller's options verbatim, re-sending Authorization, Cookie, and
Proxy-Authorization (and re-applying the Basic auth from `auth`) to
the new origin. Strip these in handleRedirect when the redirect
crosses the origin boundary. Same-origin redirects are unchanged.

Author: fengmk2

lib/urllib.js

@@ -66,6 +66,37 @@ var TEXT_DATA_TYPES = [
 
 var PROTO_RE = /^https?:\/\//i;
 
+// Credential-bearing headers that must not be forwarded across an origin
+// boundary when following a redirect, to avoid leaking them to a third party.
+var CROSS_ORIGIN_SENSITIVE_HEADERS = [ 'authorization', 'cookie', 'proxy-authorization' ];
+
+function isCrossOriginRedirect(fromHref, toUrl) {
+  try {
+    if (URL) {
+      return new URL(fromHref).origin !== new URL(toUrl, fromHref).origin;
+    }
+    var from = urlutil.parse(fromHref);
+    var to = urlutil.parse(urlutil.resolve(fromHref, toUrl));
+    return from.protocol !== to.protocol || from.host !== to.host;
+  } catch (err) {
+    return false;
+  }
+}
+
+function cleanCrossOriginHeaders(headers) {
+  var cleaned = {};
+  if (headers) {
+    var names = utility.getOwnEnumerables(headers, true);
+    for (var i = 0; i < names.length; i++) {
+      var name = names[i];
+      if (CROSS_ORIGIN_SENSITIVE_HEADERS.indexOf(name.toLowerCase()) === -1) {
+        cleaned[name] = headers[name];
+      }
+    }
+  }
+  return cleaned;
+}
+
 // Keep-Alive: timeout=5, max=100
 var KEEP_ALIVE_RE = /^timeout=(\d+)/i;
 
@@ -688,6 +719,12 @@ function requestWithCallback(url, args, callback) {
           options.headers.host = null;
           args.headers = options.headers;
         }
+        // do not forward credential-bearing headers / auth to a different origin
+        if (isCrossOriginRedirect(parsedUrl.href, newUrl)) {
+          args.headers = cleanCrossOriginHeaders(args.headers || options.headers);
+          args.auth = null;
+          args.digestAuth = null;
+        }
         // avoid done will be execute in the future change.
         var cb = callback;
         callback = null;

test/redirect-cross-origin.test.js

@@ -0,0 +1,120 @@
+'use strict';
+
+var assert = require('assert');
+var http = require('http');
+var urllib = require('../');
+
+// On a cross-origin redirect, credential-bearing request headers
+// (Authorization, Cookie, Proxy-Authorization) and the `auth` option must NOT
+// be forwarded to the new origin. Same-origin redirects should keep them.
+describe('test/redirect-cross-origin.test.js', function() {
+  var serverA;
+  var serverB;
+  var portA;
+  var portB;
+
+  before(function(done) {
+    serverB = http.createServer(function(req, res) {
+      res.statusCode = 200;
+      res.setHeader('Content-Type', 'application/json');
+      res.end(JSON.stringify(req.headers));
+    });
+    serverB.listen(0, function() {
+      portB = serverB.address().port;
+      serverA = http.createServer(function(req, res) {
+        if (req.url === '/start-cross') {
+          res.statusCode = 302;
+          res.setHeader('Location', 'http://127.0.0.1:' + portB + '/captured');
+          return res.end('redirect to B');
+        }
+        if (req.url === '/start-same') {
+          res.statusCode = 302;
+          res.setHeader('Location', '/captured');
+          return res.end('redirect to self');
+        }
+        res.statusCode = 200;
+        res.setHeader('Content-Type', 'application/json');
+        res.end(JSON.stringify(req.headers));
+      });
+      serverA.listen(0, function() {
+        portA = serverA.address().port;
+        done();
+      });
+    });
+  });
+
+  after(function() {
+    if (serverA) {
+      serverA.close();
+    }
+    if (serverB) {
+      serverB.close();
+    }
+  });
+
+  function credentialHeaders() {
+    return {
+      Authorization: 'Bearer LIVE-AUTH',
+      Cookie: 'session=LIVE-COOKIE',
+      'Proxy-Authorization': 'Bearer proxy-LIVE',
+    };
+  }
+
+  it('should NOT forward credential headers on cross-origin redirect', function(done) {
+    urllib.request('http://127.0.0.1:' + portA + '/start-cross', {
+      followRedirect: true,
+      headers: credentialHeaders(),
+    }, function(err, data, res) {
+      assert(!err);
+      assert.equal(res.statusCode, 200);
+      assert.equal(res.requestUrls.length, 2);
+      var received = JSON.parse(data.toString());
+      assert.equal(received.authorization, undefined);
+      assert.equal(received.cookie, undefined);
+      assert.equal(received['proxy-authorization'], undefined);
+      done();
+    });
+  });
+
+  it('should keep credential headers on same-origin redirect', function(done) {
+    urllib.request('http://127.0.0.1:' + portA + '/start-same', {
+      followRedirect: true,
+      headers: credentialHeaders(),
+    }, function(err, data, res) {
+      assert(!err);
+      assert.equal(res.statusCode, 200);
+      assert.equal(res.requestUrls.length, 2);
+      var received = JSON.parse(data.toString());
+      assert.equal(received.authorization, 'Bearer LIVE-AUTH');
+      assert.equal(received.cookie, 'session=LIVE-COOKIE');
+      assert.equal(received['proxy-authorization'], 'Bearer proxy-LIVE');
+      done();
+    });
+  });
+
+  it('should NOT re-inject Basic auth (options.auth) on cross-origin redirect', function(done) {
+    urllib.request('http://127.0.0.1:' + portA + '/start-cross', {
+      followRedirect: true,
+      auth: 'user:passwd',
+    }, function(err, data, res) {
+      assert(!err);
+      assert.equal(res.statusCode, 200);
+      var received = JSON.parse(data.toString());
+      assert.equal(received.authorization, undefined);
+      done();
+    });
+  });
+
+  it('should keep Basic auth (options.auth) on same-origin redirect', function(done) {
+    urllib.request('http://127.0.0.1:' + portA + '/start-same', {
+      followRedirect: true,
+      auth: 'user:passwd',
+    }, function(err, data, res) {
+      assert(!err);
+      assert.equal(res.statusCode, 200);
+      var received = JSON.parse(data.toString());
+      assert.equal(received.authorization, 'Basic ' + Buffer.from('user:passwd').toString('base64'));
+      done();
+    });
+  });
+});