fix(security): use manual redirects when PAT is attached

Token-free requests follow redirects normally to support renamed/transferred
GitHub repos. Manual redirect policy is only needed when a PAT is attached,
to prevent the bearer token from being forwarded to attacker-controlled
redirect targets.
2026-05-01 07:41:57 -04:00
parent 3dfb859676
commit d1d592d793
+1 -1
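--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -22,7 +22,7 @@ export async function ghFetch(url: string, init?: RequestInit, authToken?: strin
 headers.set("Authorization", `Bearer ${authToken}`);
 }
 try {
-return await fetch(url, { ...init, headers });
+return await fetch(url, { ...init, headers, redirect: authToken ? "manual" : "follow" });
 } catch {
 throw unprocessable(`Could not connect to ${new URL(url).hostname} — ensure the URL points to a GitHub or GitHub Enterprise instance`);
 }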
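Review bot: The new `redirect: authToken ? "manual" : "follow"` line hands the bare 3xx response back to the caller when a PAT is attached, and nothing in the hunk signals that a redirect was deliberately refused, so an authenticated request to a renamed or transferred repository will presumably surface as an unexplained non-2xx status. Consider handling it explicitly before returning, for example `const res = await fetch(url, { ...init, headers, redirect: authToken ? "manual" : "follow" });` followed by `if (authToken && res.status >= 300 && res.status < 400) throw unprocessable(\`Refusing to follow a redirect with credentials attached; update the URL to ${res.headers.get("location") ?? "the repository's new location"}\`);`. Placing `redirect` after `...init` is what guarantees a caller-supplied `init.redirect` cannot re-enable following, and a short comment such as `// after ...init so callers cannot override the manual policy` would keep that ordering from being "tidied" away later. The body of ghFetch begins and ends outside the hunk, so whether a caller already inspects the status cannot be seen here.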