fix: Limit token auth to configured hosts #4363
Conversation
alexandear left a comment
Could you create an issue first with the problem you're trying to resolve, and once we've confirmed it, we can proceed with a review?
Codecov Report ❌ Patch coverage is
Coverage Diff (master vs #4363):
               master    #4363      +/-
  ==========================================
  - Coverage   97.51%   97.47%   -0.04%
  ==========================================
    Files         193      193
    Lines       19519    19549      +30
  ==========================================
  + Hits        19033    19055      +22
  - Misses        269      275       +6
  - Partials      217      219       +2
View full report in Codecov by Harness.
Thanks for the guidance. I opened an issue describing the behavior this PR addresses: I also added focused coverage for the host-boundary helper and the configured-host authorization behavior. I'm happy to adjust the PR based on the maintainers' preferred direction.
gmlewis left a comment
Thank you, @huynhtrungcsc.
I understand that this is a hypothetical situation and has not been reported as an actual problem "in the wild" but I also understand that with the increased proliferation of "vibe coding" and not properly understanding how to use packages, that this kind of change will help reduce the possibility of users of this package from shooting themselves in the foot.
LGTM.
Awaiting second LGTM+Approval from any other contributor to this repo before merging.
@huynhtrungcsc please update the PR's description with "Fixes #4366" and remove the unnecessary "Tests" section.
Updated the PR description to include "Fixes #4366" and removed the Tests section. Thank you.
alexandear left a comment
It looks like this PR was created with AI assistance, so I reviewed it with AI as well. Here's what I found:
- github/github.go:638 — Clone() silently loses authentication (CONFIRMED, reproduced). The token closure captures c and checks the original client's URLs; Clone at github.go:783 copies the wrapped transport without re-binding it. NewClient(WithAuthToken(...)).Clone(WithEnterpriseURLs(...)) — a pattern that worked before this change — now sends every request unauthenticated. This is the must-fix.
- github/github.go:723 — no default-port normalization (CONFIRMED). https://ghe.corp:443/ in config vs https://ghe.corp/... in a request URL (same RFC 6454 origin) fails the match and drops the token deterministically.
- github/github.go:718 — three divergent boundary predicates (CONFIRMED). sameOrigin (scheme+host, case-insensitive) vs bareDoUntilFound:1391 and checkRedirectHost:2182 (host-only, case-sensitive). Concrete effect: a same-host https→http redirect is followed but not authenticated — no data, no error. Consolidate into one shared predicate.
- github/repos_contents.go:200 — DownloadContents on private repos (PLAUSIBLE). The download_url fetch (raw.githubusercontent.com / GHES raw host) goes through the token transport and now loses the header; usually rescued by the embedded ?token=, but worth a deliberate decision and a test whose fake download_url is cross-origin.
- github/repos_releases.go:328 — DownloadReleaseAsset + client.Client() (PLAUSIBLE). The documented private-repo pattern no longer authenticates cross-host redirect targets. A fix for github.com's pre-signed S3 URLs, a possible regression for GHES storage topologies.
- github/github.go:258 — stale docs/comments (CONFIRMED). Client(), WithAuthToken (:436), and the bareDoUntilFound rationale comment (:1389) all still describe unconditional token attachment.
- github/github.go:636 — wasted work in the hot path (cleanup). Early-exit before req.Clone, and hoist the "Bearer "+token string out of the closure.
- github/github_test.go:714 — redundant tests / dead nil checks (cleanup). Fold TestSameOrigin's two unique cases into TestClientShouldAuthorizeRequest and drop the unreachable nil branches.
Findings 1–3 all point at one design question worth settling before merging: should the closure capture resolved URL values, or should the origin check live at a client level (e.g. in BareDo) where the correct client — including clones — is always in hand? Fixing it there resolves the Clone bug and gives the redirect guards a single predicate to share.
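The two confirmed findings above (a predicate that captures the original client, and a scheme+host comparison that does not normalize default ports) can be illustrated without the library itself. The following is an added example written for this review thread, not code from go-github or from this PR: the client, tokenTransport, canonicalOrigin and clone names are hypothetical, and the URLs are constructed sample values. It compares RFC 6454 origins with the effective port filled in, and it has the transport ask the client in hand for its configured origins at request time, so that a clone which swaps base URLs rebinds the check instead of inheriting the original client's URLs.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// defaultPort returns the port implied by a scheme when the URL names none.
func defaultPort(scheme string) string {
	switch scheme {
	case "http":
		return "80"
	case "https":
		return "443"
	}
	return ""
}

// canonicalOrigin renders an RFC 6454 origin as lowercase "scheme://host:port",
// so an explicit default port or a mixed-case host cannot defeat the comparison.
func canonicalOrigin(u *url.URL) string {
	scheme := strings.ToLower(u.Scheme)
	port := u.Port()
	if port == "" {
		port = defaultPort(scheme)
	}
	return scheme + "://" + strings.ToLower(u.Hostname()) + ":" + port
}

// sameOrigin reports whether two URLs share scheme, host and effective port.
// A same-host https->http redirect is therefore cross-origin and gets no token.
func sameOrigin(a, b *url.URL) bool {
	return canonicalOrigin(a) == canonicalOrigin(b)
}

// tokenTransport (hypothetical) attaches a bearer token only to requests bound
// for a configured origin. The origins are looked up per request through
// origins(), never captured at construction, so a cloned client can rebind it.
type tokenTransport struct {
	token   string
	origins func() []*url.URL
	next    http.RoundTripper
}

func (t *tokenTransport) shouldAuthorize(req *http.Request) bool {
	for _, base := range t.origins() {
		if sameOrigin(base, req.URL) {
			return true
		}
	}
	return false
}

func (t *tokenTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if !t.shouldAuthorize(req) {
		return t.next.RoundTrip(req) // cross-origin: no credentials, no clone
	}
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+t.token)
	return t.next.RoundTrip(r)
}

// client (hypothetical) holds an API base URL and an upload base URL.
type client struct {
	baseURL, uploadURL *url.URL
	transport          *tokenTransport
}

func newClient(token string, base, upload *url.URL) *client {
	c := &client{baseURL: base, uploadURL: upload}
	c.transport = &tokenTransport{token: token, next: http.DefaultTransport}
	c.transport.origins = c.configuredOrigins // bound to this client
	return c
}

func (c *client) configuredOrigins() []*url.URL {
	return []*url.URL{c.baseURL, c.uploadURL}
}

// clone builds a client for other base URLs and rebinds the transport to the
// clone; a shallow copy of the wrapped transport would keep checking c's URLs.
func (c *client) clone(base, upload *url.URL) *client {
	n := &client{baseURL: base, uploadURL: upload}
	n.transport = &tokenTransport{token: c.transport.token, next: c.transport.next}
	n.transport.origins = n.configuredOrigins
	return n
}

func mustURL(s string) *url.URL {
	u, err := url.Parse(s)
	if err != nil {
		panic(err)
	}
	return u
}

func main() {
	c := newClient("tok", mustURL("https://ghe.corp:443/api/v3/"), mustURL("https://ghe.corp:443/api/uploads/"))
	req, _ := http.NewRequest(http.MethodGet, "https://ghe.corp/api/v3/user", nil)
	fmt.Println("explicit :443 in config, implicit in request:", c.transport.shouldAuthorize(req))
	n := c.clone(mustURL("https://api.github.com/"), mustURL("https://uploads.github.com/"))
	fmt.Println("clone pointed at github.com, same request:", n.transport.shouldAuthorize(req))
}
```

The early return before req.Clone keeps the unauthenticated path cheap, and because sameOrigin compares the scheme, a redirect from https to http on the same host is treated as a different origin rather than a same-host match.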
…ary' into fix-auth-token-host-boundary
Thanks for the detailed review. I addressed the confirmed regression and consistency issues in the latest push:
I left the DownloadContents / DownloadReleaseAsset cases unchanged in this PR because those are broader product-behavior decisions around cross-origin GitHub/GHES download URLs. I'm happy to follow the maintainers' preferred direction there if you want this PR to cover those paths too.
Verified locally with:
    go test ./github -run "TestWithAuthToken|TestShouldAuthorizeURL|TestBareDoUntilFound_RejectsCrossOriginRedirect|TestRoundTripWithOptionalFollowRedirect_RejectsCrossOriginRedirect" -count=1
    go test ./... -count=1
gmlewis left a comment
Same comment here about your code coverage dropping. Please fix.
Summary
WithAuthToken credentials to requests for the configured API or upload hosts.
Fixes #4366