Skip to content

APICLIENT-3136: security: strip Cookie on cross-origin redirect and use full-origin check#113

Open
MrRobotBaguette wants to merge 1 commit into
masterfrom
security/APICLIENT-3136-strip-cookie-cross-origin
Open

APICLIENT-3136: security: strip Cookie on cross-origin redirect and use full-origin check#113
MrRobotBaguette wants to merge 1 commit into
masterfrom
security/APICLIENT-3136-strip-cookie-cross-origin

Conversation

@MrRobotBaguette

Copy link
Copy Markdown

Summary

lib/redirect.js stripped the Authorization header on a cross-host redirect but never stripped Cookie, so a session cookie could be leaked to a different host on redirect. The host-change check also compared hostname only, ignoring port and scheme, so both Authorization and Cookie leaked across ports and on an HTTPS to HTTP downgrade.

Same vulnerability class as undici CVE-2023-45143 (cookie leak on cross-host redirect) and guzzle CVE-2022-31042 (cross-domain cookie/Authorization leak on redirect).

Fix

lib/redirect.js:

  • Broadened the origin check from hostname-only to full origin (protocol + hostname + port), so credentials drop on any cross-origin redirect, including port changes and scheme downgrades.
  • Strip the Cookie header on any cross-origin redirect, alongside the existing Authorization removal.
  • Clear the cached originalCookieHeader on cross-origin redirect so it is not re-prepended to the Cookie header on subsequent hops (Request.prototype.jar in request.js prepends it to every hop; clearing it here closes that path without duplicating the origin check).

Same-origin redirect behavior is unchanged. followAuthorizationHeader still opts back into retaining Authorization.

Risk / behavior change

Cookies and Authorization are now also dropped when only the port or scheme changes across a redirect (previously retained). Intentional and matches corrected security semantics.

Test plan

  • npx standard lib/redirect.js — no new warnings/errors (pre-existing no-var style warnings only).
  • Manual review: same-origin redirects retain headers; cross-origin (host, port, or scheme change) drop host, cookie, and (unless followAuthorizationHeader) authorization.

Linked Jira: APICLIENT-3136

Generated with Claude Code

…se full-origin check

Co-Authored-By: Claude <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant