From 7456255cd10286d71363fc024e51b2662790448a Mon Sep 17 00:00:00 2001
From: Espen Hovlandsdal <espen@hovlandsdal.com>
Date: Mon, 25 Nov 2024 10:07:00 -0800
Subject: [PATCH] Merge commit from fork
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* fix: drop auth headers, cookies on redirect to different origin

* refactor: destructure StringPrototypeEndsWith

---------

Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
---
 ext/fetch/26_fetch.js    | 46 ++++++++++++++++++++++++++++++++++-
 tests/unit/fetch_test.ts | 52 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 97 insertions(+), 1 deletion(-)

diff --git a/ext/fetch/26_fetch.js b/ext/fetch/26_fetch.js
index 01be983a37..3a77f6075e 100644
--- a/ext/fetch/26_fetch.js
+++ b/ext/fetch/26_fetch.js
@@ -31,6 +31,7 @@ const {
   SafeArrayIterator,
   SafePromisePrototypeFinally,
   String,
+  StringPrototypeEndsWith,
   StringPrototypeSlice,
   StringPrototypeStartsWith,
   StringPrototypeToLowerCase,
@@ -66,6 +67,12 @@ const REQUEST_BODY_HEADER_NAMES = [
   "content-type",
 ];
 
+const REDIRECT_SENSITIVE_HEADER_NAMES = [
+  "authorization",
+  "proxy-authorization",
+  "cookie",
+];
+
 /**
  * @param {number} rid
  * @returns {Promise<{ status: number, statusText: string, headers: [string, string][], url: string, responseRid: number, error: [string, string]? }>}
@@ -253,12 +260,14 @@ function httpRedirectFetch(request, response, terminator) {
   if (locationHeaders.length === 0) {
     return response;
   }
+
+  const currentURL = new URL(request.currentUrl());
   const locationURL = new URL(
     locationHeaders[0][1],
     response.url() ?? undefined,
   );
   if (locationURL.hash === "") {
-    locationURL.hash = request.currentUrl().hash;
+    locationURL.hash = currentURL.hash;
   }
   if (locationURL.protocol !== "https:" && locationURL.protocol !== "http:") {
     return networkError("Can not redirect to a non HTTP(s) url");
@@ -297,6 +306,28 @@ function httpRedirectFetch(request, response, terminator) {
       }
     }
   }
+
+  // Drop confidential headers when redirecting to a less secure protocol
+  // or to a different domain that is not a superdomain
+  if (
+    locationURL.protocol !== currentURL.protocol &&
+      locationURL.protocol !== "https:" ||
+    locationURL.host !== currentURL.host &&
+      !isSubdomain(locationURL.host, currentURL.host)
+  ) {
+    for (let i = 0; i < request.headerList.length; i++) {
+      if (
+        ArrayPrototypeIncludes(
+          REDIRECT_SENSITIVE_HEADER_NAMES,
+          byteLowerCase(request.headerList[i][0]),
+        )
+      ) {
+        ArrayPrototypeSplice(request.headerList, i, 1);
+        i--;
+      }
+    }
+  }
+
   if (request.body !== null) {
     const res = extractBody(request.body.source);
     request.body = res.body;
@@ -470,6 +501,19 @@ function abortFetch(request, responseObject, error) {
   return error;
 }
 
+/**
+ * Checks if the given string is a subdomain of the given domain.
+ *
+ * @param {String} subdomain
+ * @param {String} domain
+ * @returns {Boolean}
+ */
+function isSubdomain(subdomain, domain) {
+  const dot = subdomain.length - domain.length - 1;
+  return dot > 0 && subdomain[dot] === "." &&
+    StringPrototypeEndsWith(subdomain, domain);
+}
+
 /**
  * Handle the Response argument to the WebAssembly streaming APIs, after
  * resolving if it was passed as a promise. This function should be registered
diff --git a/tests/unit/fetch_test.ts b/tests/unit/fetch_test.ts
index 6d3fd8cc1d..298a266903 100644
--- a/tests/unit/fetch_test.ts
+++ b/tests/unit/fetch_test.ts
@@ -439,6 +439,58 @@ Deno.test(
   },
 );
 
+Deno.test(
+  {
+    permissions: { net: true },
+  },
+  async function fetchWithAuthorizationHeaderRedirection() {
+    const response = await fetch("http://localhost:4546/echo_server", {
+      headers: { authorization: "Bearer foo" },
+    });
+    assertEquals(response.status, 200);
+    assertEquals(response.statusText, "OK");
+    assertEquals(response.url, "http://localhost:4545/echo_server");
+    assertEquals(response.headers.get("authorization"), null);
+    assertEquals(await response.text(), "");
+  },
+);
+
+Deno.test(
+  {
+    permissions: { net: true },
+  },
+  async function fetchWithCookieHeaderRedirection() {
+    const response = await fetch("http://localhost:4546/echo_server", {
+      headers: { Cookie: "sessionToken=verySecret" },
+    });
+    assertEquals(response.status, 200);
+    assertEquals(response.statusText, "OK");
+    assertEquals(response.url, "http://localhost:4545/echo_server");
+    assertEquals(response.headers.get("cookie"), null);
+    assertEquals(await response.text(), "");
+  },
+);
+
+Deno.test(
+  {
+    permissions: { net: true },
+  },
+  async function fetchWithProxyAuthorizationHeaderRedirection() {
+    const response = await fetch("http://localhost:4546/echo_server", {
+      headers: {
+        "proxy-authorization": "Basic ZXNwZW46a29rb3M=",
+        "accept": "application/json",
+      },
+    });
+    assertEquals(response.status, 200);
+    assertEquals(response.statusText, "OK");
+    assertEquals(response.url, "http://localhost:4545/echo_server");
+    assertEquals(response.headers.get("proxy-authorization"), null);
+    assertEquals(response.headers.get("accept"), "application/json");
+    assertEquals(await response.text(), "");
+  },
+);
+
 Deno.test(
   { permissions: { net: true } },
   async function fetchInitStringBody() {