Clear Authorization header when redirecting cross-site (#183)

kyoshidajp · iMacTia · commit a46ae1a7a7c2 · 2019-02-04T12:31:53.000Z
diff --git a/lib/faraday_middleware/response/follow_redirects.rb b/lib/faraday_middleware/response/follow_redirects.rb
@@ -45,15 +45,24 @@ class FollowRedirects < Faraday::Middleware
     # the "%" character which we assume already represents an escaped sequence.
     URI_UNSAFE = /[^\-_.!~*'()a-zA-Z\d;\/?:@&=+$,\[\]%]/
 
+    AUTH_HEADER = 'Authorization'.freeze
+
     # Public: Initialize the middleware.
     #
     # options - An options Hash (default: {}):
-    #           :limit               - A Numeric redirect limit (default: 3)
-    #           :standards_compliant - A Boolean indicating whether to respect
+    #     :limit                      - A Numeric redirect limit (default: 3)
+    #     :standards_compliant        - A Boolean indicating whether to respect
     #                                  the HTTP spec when following 301/302
     #                                  (default: false)
-    #           :callback            - A callable that will be called on redirects
+    #     :callback                   - A callable that will be called on redirects
     #                                  with the old and new envs
+    #     :cookies                    - An Array of Strings (e.g.
+    #                                  ['cookie1', 'cookie2']) to choose
+    #                                  cookies to be kept, or :all to keep
+    #                                  all cookies (default: []).
+    #     :clear_authorization_header - A Boolean indicating whether the request
+    #                                  Authorization header should be cleared on
+    #                                  redirects (default: true)
     def initialize(app, options = {})
       super(app)
       @options = options
@@ -89,7 +98,9 @@ def perform_with_redirection(env, follows)
     end
 
     def update_env(env, request_body, response)
-      env[:url] += safe_escape(response['location'] || '')
+      redirect_from_url = env[:url].to_s
+      redirect_to_url = safe_escape(response['location'] || '')
+      env[:url] += redirect_to_url
 
       if convert_to_get?(response)
         env[:method] = :get
@@ -98,6 +109,8 @@ def update_env(env, request_body, response)
         env[:body] = request_body
       end
 
+      clear_authorization_header(env, redirect_from_url, redirect_to_url)
+
       ENV_TO_CLEAR.each {|key| env.delete key }
 
       env
@@ -130,5 +143,21 @@ def safe_escape(uri)
         '%' + match.unpack('H2' * match.bytesize).join('%').upcase
       }
     end
+
+    def clear_authorization_header(env, from_url, to_url)
+      return env if redirect_to_same_host?(from_url, to_url)
+      return env unless @options.fetch(:clear_authorization_header, true)
+
+      env[:request_headers].delete(AUTH_HEADER)
+    end
+
+    def redirect_to_same_host?(from_url, to_url)
+      return true if to_url.start_with?('/')
+
+      from_uri = URI.parse(from_url)
+      to_uri = URI.parse(to_url)
+
+      [from_uri.scheme, from_uri.host, from_uri.port] == [to_uri.scheme, to_uri.host, to_uri.port]
+    end
   end
 end
diff --git a/spec/unit/follow_redirects_spec.rb b/spec/unit/follow_redirects_spec.rb
@@ -164,6 +164,118 @@
     end
   end
 
+  context "when clear_authorization_header option" do
+    context "is false" do
+      it "redirects with the original authorization headers" do
+        conn = connection(:clear_authorization_header => false) do |stub|
+          stub.get('/redirect') {
+            [301, {'Location' => '/found'}, '']
+          }
+          stub.get('/found') { |env|
+            [200, {'Content-Type' => 'text/plain'}, env[:request_headers]['Authorization']]
+          }
+        end
+        response = conn.get('/redirect') { |req|
+          req.headers['Authorization'] = 'success'
+        }
+
+        expect(response.body).to eq 'success'
+      end
+    end
+
+    context "is true" do
+      context "redirect to same host" do
+        it "redirects with the original authorization headers" do
+          conn = connection do |stub|
+            stub.get('http://localhost/redirect') do
+              [301, {'Location' => '/found'}, '']
+            end
+            stub.get('http://localhost/found') do |env|
+              [200, {}, env.request_headers["Authorization"]]
+            end
+          end
+          response = conn.get('http://localhost/redirect') do |req|
+            req.headers['Authorization'] = 'success'
+          end
+
+          expect(response.body).to eq 'success'
+        end
+      end
+
+      context "redirect to same host with explicitly port" do
+        it "redirects with the original authorization headers" do
+          conn = connection do |stub|
+            stub.get('http://localhost/redirect') do
+              [301, {'Location' => 'http://localhost:80/found'}, '']
+            end
+            stub.get('http://localhost/found') do |env|
+              [200, {}, env.request_headers["Authorization"]]
+            end
+          end
+          response = conn.get('http://localhost/redirect') { |req|
+            req.headers['Authorization'] = 'success'
+          }
+
+          expect(response.body).to eq 'success'
+        end
+      end
+
+      context "redirect to different scheme" do
+        it "redirects without original authorization headers" do
+          conn = connection do |stub|
+            stub.get('http://localhost/redirect') do
+              [301, {'Location' => 'https://localhost2/found'}, '']
+            end
+            stub.get('https://localhost2/found') do |env|
+              [200, {}, env.request_headers["Authorization"]]
+            end
+          end
+          response = conn.get('http://localhost/redirect') { |req|
+            req.headers['Authorization'] = 'failed'
+          }
+
+          expect(response.body).to eq nil
+        end
+      end
+
+      context "redirect to different host" do
+        it "redirects without original authorization headers" do
+          conn = connection do |stub|
+            stub.get('http://localhost/redirect') do
+              [301, {'Location' => 'http://localhost2/found'}, '']
+            end
+            stub.get('https://localhost2/found') do |env|
+              [200, {}, env.request_headers["Authorization"]]
+            end
+          end
+          response = conn.get('http://localhost/redirect') { |req|
+            req.headers['Authorization'] = 'failed'
+          }
+
+          expect(response.body).to eq nil
+        end
+      end
+
+      context "redirect to different port" do
+        it "redirects without original authorization headers" do
+          conn = connection do |stub|
+            stub.get('http://localhost:9090/redirect') do
+              [301, {'Location' => 'http://localhost:9091/found'}, '']
+            end
+            stub.get('http://localhost:9091/found') do |env|
+              [200, {}, env.request_headers["Authorization"]]
+            end
+          end
+          response = conn.get('http://localhost:9090/redirect') { |req|
+            req.headers['Authorization'] = 'failed'
+          }
+
+          expect(response.body).to eq nil
+        end
+      end
+    end
+  end
+
   [301, 302].each do |code|
     context "for an HTTP #{code} response" do
       it_behaves_like 'a successful redirection', code
