fix: clear stale header on redirect when target is no-proxy#10794
fix: clear stale header on redirect when target is no-proxy#10794jasonsaayman merged 7 commits intov1.xfrom
Conversation
|
@cubic-dev-ai review again on the latest PR |
@jasonsaayman I have started the AI code review. It will take a few minutes to complete. |
There was a problem hiding this comment.
1 issue found across 2 files
Confidence score: 2/5
- There is a high-confidence, high-severity risk in
lib/adapters/http.js: case-sensitive header stripping can leaveproxy-authorizationvariants in place across redirects. - This can cause credential leakage behavior in redirect flows, so the current change is not yet low-risk to merge despite the small file scope.
- Pay close attention to
lib/adapters/http.js- make header removal case-insensitive so proxy auth headers are reliably cleared on redirects.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="lib/adapters/http.js">
<violation number="1" location="lib/adapters/http.js:211">
P1: Header removal is case-sensitive, so stale `proxy-authorization` variants can survive redirects.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
|
@cubic-dev-ai review this again, check that we have no regressions or potential blind spots here |
@jasonsaayman I have started the AI code review. It will take a few minutes to complete. |
There was a problem hiding this comment.
1 issue found across 2 files
Confidence score: 4/5
- This PR is likely safe to merge, with minimal risk: the only issue is a test gap in
tests/unit/adapters/http.test.js, not a confirmed runtime defect in production code. - The NO_PROXY redirect test currently doesn’t validate the HTTPS bypass path as intended because
https_proxyis not kept set; this could let a proxy-bypass regression slip through undetected. - Given the moderate-low severity (4/10) and high confidence, this is a quality/coverage concern rather than a merge-blocking behavior break.
- Pay close attention to
tests/unit/adapters/http.test.js- ensure the NO_PROXY case keepshttps_proxyconfigured so the test truly proves bypass behavior.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="tests/unit/adapters/http.test.js">
<violation number="1" location="tests/unit/adapters/http.test.js:2351">
P2: The NO_PROXY redirect test doesn't actually exercise the bypass path for HTTPS targets. Keep `https_proxy` set so the redirect uses a proxy URL and NO_PROXY is what clears it.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
|
@cubic-dev-ai review this one last time |
@jasonsaayman I have started the AI code review. It will take a few minutes to complete. |
There was a problem hiding this comment.
1 issue found across 2 files
Confidence score: 3/5
- There is a concrete regression risk in
lib/adapters/http.js:Proxy-Authorizationis being stripped on initial requests, not just during redirects, which can break proxy-authenticated requests. - Given the issue is medium severity (6/10) with fairly strong confidence (7/10), this introduces some user-facing risk and makes the merge less predictable without a fix.
- Pay close attention to
lib/adapters/http.js- header-stripping behavior should be limited to redirect handling so initial request credentials are preserved.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="lib/adapters/http.js">
<violation number="1" location="lib/adapters/http.js:211">
P2: The new header-stripping logic runs on initial requests, so it removes user-supplied `Proxy-Authorization` even when not handling a redirect.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
|
@cubic-dev-ai please check one last time |
@jasonsaayman I have started the AI code review. It will take a few minutes to complete. |
Summary by cubic
Stops leaking
Proxy-Authorizationacross redirects by stripping it on redirected requests, then re-adding it only if the final proxy needs credentials. Covers no-proxy targets, different proxies, env-derived proxies,NO_PROXYbypasses, and case-insensitive header keys. Addresses AXI-197 and GHSA-j5f8-grm9-p9fc.Description
Proxy-AuthorizationinsetProxyonly on redirect; preserve user-supplied header on the initial request.NO_PROXYbypass./docs/proxy section to note the header is not carried across redirects; add a short security note.Testing
NO_PROXYbypass, redirect to a different proxy without credentials, hook withconfigProxy=false, preserving user-supplied header on the initial request, and case-insensitive stripping.Authorizationnorauthorizationleak attacker values.Written for commit d78e4ca. Summary will update on new commits.