Merge pull request from GHSA-3787-6prv-h9w3

Signed-off-by: Matteo Collina <hello@matteocollina.com>
nodejs · Feb 5, 2024 · d3aa574 · d3aa574
1 parent 9a14e5f
commit d3aa574
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions .
diff --git a/lib/fetch/index.js b/lib/fetch/index.js
@@ -1203,6 +1203,9 @@ function httpRedirectFetch (fetchParams, response) {
     // https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name
     request
.
headersList
.
delete
(
'authorization'
)
 
+    // https://fetch.spec.whatwg.org/#authentication-entries
+    request
.
headersList
.
delete
(
'proxy-authorization'
,
 true
)
+
     // "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement.
     request
.
headersList
.
delete
(
'cookie'
)
     request
.
headersList
.
delete
(
'host'
)

diff --git a/test/fetch/redirect-cross-origin-header.js b/test/fetch/redirect-cross-origin-header.js
@@ -6,11 +6,12 @@ const { once } = require('events')
 const
 {
 fetch 
}
 =
 require
(
'../..'
)
 
 test
(
'Cross-origin redirects clear forbidden headers'
,
 async
 (
t
)
 =>
 {
-  t
.
plan
(
5
)
+  t
.
plan
(
6
)
 
   const
 server1
 =
 createServer
(
(
req
,
 res
)
 =>
 {
     t
.
equal
(
req
.
headers
.
cookie
,
 undefined
)
     t
.
equal
(
req
.
headers
.
authorization
,
 undefined
)
+    t
.
equal
(
req
.
headers
[
'proxy-authorization'
]
,
 undefined
)
 
     res
.
end
(
'redirected'
)
   }
)
.
listen
(
0
)
@@ -39,7 +40,8 @@ test('Cross-origin redirects clear forbidden headers', async (t) => {
   const
 res
 =
 await
 fetch
(
`http://localhost:
${
server2
.
address
(
)
.
port
}
`
,
 {
     headers
: 
{
       Authorization
: 
'test'
,
-      Cookie
: 
'ddd=dddd'
+      Cookie
: 
'ddd=dddd'
,
+      'Proxy-Authorization'
: 
'test'
     }
   }
)