From d1d592d793111272e2f87550c12b5dea5948345a Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Fri, 1 May 2026 07:41:57 -0400
Subject: [PATCH] fix(security): use manual redirects when PAT is attached

Token-free requests follow redirects normally to support renamed/transferred GitHub repos. Manual redirect policy is only needed when a PAT is attached, to prevent the bearer token from being forwarded to attacker-controlled redirect targets.

---
 server/src/services/github-fetch.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/src/services/github-fetch.ts b/server/src/services/github-fetch.ts
index e8f8aee5..c279ace5 100644
--- a/server/src/services/github-fetch.ts
+++ b/server/src/services/github-fetch.ts
@@ -22,7 +22,7 @@ export async function ghFetch(url: string, init?: RequestInit, authToken?: strin
 headers.set("Authorization", `Bearer ${authToken}`);
 }
 try {
- return await fetch(url, { ...init, headers });
+ return await fetch(url, { ...init, headers, redirect: authToken ? "manual" : "follow" });
 } catch {
 throw unprocessable(`Could not connect to ${new URL(url).hostname} — ensure the URL points to a GitHub or GitHub Enterprise instance`);
 }
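Review bot: The new `redirect: authToken ? "manual" : "follow"` on the `return await fetch(...)` line hands any 3xx back to the caller unhandled whenever a PAT is attached, so an authenticated request to a renamed or transferred repo — the very case the description says token-free requests must keep working for — now yields a bare 301/302 `Response` instead of either the moved resource or a clear error, and nothing here follows a same-origin redirect safely. Consider handling the 3xx in `ghFetch` itself: follow exactly one hop, and only when the `Location` resolves to the same origin as `url` (so the bearer token stays on the host it was issued for), and otherwise throw `unprocessable` with an explicit refusal message. Note that the existing `catch {}` rethrows everything as the "Could not connect" error, so that check has to sit after the try/catch rather than inside it, or the refusal would be reported as a connectivity failure. Whether callers already inspect `res.status` for 3xx is not visible in this hunk, and `init.redirect` is silently overridden by the spread, which is probably intended but worth a comment. `ghFetch`'s signature (shown in the hunk header) and the start of its body lie outside the hunk.

```typescript
  let res: Response;
  try {
    // "manual" only when a token rides along: a followed redirect would re-send the bearer token to the new host.
    res = await fetch(url, { ...init, headers, redirect: authToken ? "manual" : "follow" });
  } catch {
    // … unchanged: connection-error mapping via unprocessable(...) …
  }
  if (authToken && res.status >= 300 && res.status < 400) {
    const target = res.headers.get("location");
    // One hop, same origin only, so the PAT never leaves the host it was issued for.
    if (target && new URL(target, url).origin === new URL(url).origin) {
      return await fetch(new URL(target, url).toString(), { ...init, headers, redirect: "manual" });
    }
    throw unprocessable(`Refusing to follow a cross-origin redirect from ${new URL(url).hostname} while a token is attached`);
  }
  return res;
```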