From b9da3e40f1f096a06b4caedbb27c2568730434ef Mon Sep 17 00:00:00 2001
From: Matteo Collina
Date: Mon, 5 Feb 2024 09:35:32 +0100
Subject: [PATCH] Merge pull request from GHSA-3787-6prv-h9w3
Signed-off-by: Matteo Collina
---
 lib/fetch/index.js | 3 +++
 test/fetch/redirect-cross-origin-header.js | 6 ++++--
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/lib/fetch/index.js b/lib/fetch/index.js
index 9693782552f..a3d02271d7b 100644
--- a/lib/fetch/index.js
+++ b/lib/fetch/index.js
@@ -1326,6 +1326,9 @@ function httpRedirectFetch (fetchParams, response) {
 // https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name
 request.headersList.delete('authorization', true)
+ // https://fetch.spec.whatwg.org/#authentication-entries
+ request.headersList.delete('proxy-authorization', true)
+
 // "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement.
 request.headersList.delete('cookie', true)
 request.headersList.delete('host', true)
diff --git a/test/fetch/redirect-cross-origin-header.js b/test/fetch/redirect-cross-origin-header.js
index 5c1d91c9924..3756c22d417 100644
--- a/test/fetch/redirect-cross-origin-header.js
+++ b/test/fetch/redirect-cross-origin-header.js
@@ -7,11 +7,12 @@ const { once } = require('node:events')
 const { fetch } = require('../..')
 test('Cross-origin redirects clear forbidden headers', async (t) => {
- const { strictEqual } = tspl(t, { plan: 5 })
+ const { strictEqual } = tspl(t, { plan: 6 })
 const server1 = createServer((req, res) => {
 strictEqual(req.headers.cookie, undefined)
 strictEqual(req.headers.authorization, undefined)
+ strictEqual(req.headers['proxy-authorization'], undefined)
 res.end('redirected')
 }).listen(0)
@@ -40,7 +41,8 @@ test('Cross-origin redirects clear forbidden headers', async (t) => {
 const res = await fetch(`http://localhost:${server2.address().port}`, {
 headers: {
 Authorization: 'test',
- Cookie: 'ddd=dddd'
+ Cookie: 'ddd=dddd',
+ 'Proxy-Authorization': 'test'
 }
 })
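Review bot: The comment above the new `proxy-authorization` deletion in httpRedirectFetch points at https://fetch.spec.whatwg.org/#authentication-entries, but that section only defines authentication entries; the spec's cross-origin redirect step strips the CORS non-wildcard request-header names, which is just Authorization, so the link makes an undici-specific hardening read as a spec mandate. State the real reason instead, e.g. `// Proxy-Authorization also carries credentials; drop it on a cross-origin redirect so they are not forwarded to the new origin (undici hardening, not spec-mandated — see GHSA-3787-6prv-h9w3)`. httpRedirectFetch starts and ends outside the hunk, so it cannot be confirmed here that the new line sits under the same not-same-origin condition as the existing 'authorization' deletion; it must, and keeping the two deletions adjacent helps ensure a later edit does not guard one without the other.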
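Review bot: The new `strictEqual(req.headers['proxy-authorization'], undefined)` in server1's handler only shows the header is absent after the cross-origin hop; nothing in this hunk checks that Proxy-Authorization reached the first server, so a regression that strips the header on every request, or never sends it, would still pass. If server2's handler (outside the hunk) does not already assert `strictEqual(req.headers['proxy-authorization'], 'test')` before issuing the redirect, add that assertion and raise `plan` accordingly; the same positive control is worth having for `authorization` and `cookie`. A companion case with a same-origin redirect that expects the header to be preserved would complete the coverage. The test callback continues past the end of the hunk.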