Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Don't send Authorization headers to third-party services. #562

Merged
merged 1 commit into from
Feb 6, 2024

Conversation

korran
Copy link
Contributor

@korran korran commented Feb 5, 2024

We may have been directed away from github.com (via follow_location_to_data()), and for security reasons it's important that we don't leak our GitHub credentials.

If an artifact is uploaded with actions/upload-artifact@v4, calls may be redirected to a URL starting with
https://productionresultssa0.blob.core.windows.net/. Requests made to download that file will be rejected if they contain an Authorization header.

We may have been directed away from github.com (via
follow_location_to_data()), and for security reasons it's important that
we don't leak our GitHub credentials.

If an artifact is uploaded with actions/upload-artifact@v4, calls may be
redirected to a URL starting with
https://productionresultssa0.blob.core.windows.net/. Requests made to
download that file will be rejected if they contain an Authorization
header.
korran added a commit to korran/caliptra-sw that referenced this pull request Feb 5, 2024
GitHub's API is now redirecting requests to download GHA artifacts
to https://productionresultssa0.blob.core.windows.net/. This service
rejects requests that contain an Authorization header, breaking our
publish-website.yml workflow. octocrab should not be sending this header
when redirected, and I have file
XAMPPRocky/octocrab#562 to address the bug.

Until that PR is merged, we can work around this issue by enabling the
"follow-redirect" feature, which configures the tower middleware to
handling the redirect instead of octocrab, which (correctly) doesn't
include the authentication header in the redirected requests.
korran added a commit to korran/caliptra-sw that referenced this pull request Feb 5, 2024
GitHub's API is now redirecting requests to download GHA artifacts
to https://productionresultssa0.blob.core.windows.net/. This service
rejects requests that contain an Authorization header, breaking our
publish-website.yml workflow. octocrab should not be sending this header
when redirected, and I have file
XAMPPRocky/octocrab#562 to address the bug.

Until that PR is merged, we can work around this issue by enabling the
"follow-redirect" feature, which configures the tower middleware to
handle the redirect instead of octocrab, which (correctly) doesn't
include the authentication header in the redirected requests.
korran added a commit to korran/caliptra-sw that referenced this pull request Feb 5, 2024
GitHub's API is now redirecting requests to download GHA artifacts
to https://productionresultssa0.blob.core.windows.net/. This service
rejects requests that contain an Authorization header, breaking our
publish-website.yml workflow. octocrab should not be sending this header
when redirected, and I have filed
XAMPPRocky/octocrab#562 to address the bug.

Until that PR is merged, we can work around this issue by enabling
octocrab's "follow-redirect" feature, which configures the tower
middleware to handle the redirect instead of octocrab, which (correctly)
doesn't include the authentication header in the redirected requests.
korran added a commit to chipsalliance/caliptra-sw that referenced this pull request Feb 6, 2024
GitHub's API is now redirecting requests to download GHA artifacts
to https://productionresultssa0.blob.core.windows.net/. This service
rejects requests that contain an Authorization header, breaking our
publish-website.yml workflow. octocrab should not be sending this header
when redirected, and I have filed
XAMPPRocky/octocrab#562 to address the bug.

Until that PR is merged, we can work around this issue by enabling
octocrab's "follow-redirect" feature, which configures the tower
middleware to handle the redirect instead of octocrab, which (correctly)
doesn't include the authentication header in the redirected requests.
@XAMPPRocky
Copy link
Owner

Thank you for your PR!

@XAMPPRocky XAMPPRocky merged commit 3ce474a into XAMPPRocky:main Feb 6, 2024
10 checks passed
@github-actions github-actions bot mentioned this pull request Feb 6, 2024
kageiit added a commit to kageiit/octocrab that referenced this pull request Mar 4, 2024
dmgorsky pushed a commit to dmgorsky/octocrab that referenced this pull request Mar 6, 2024
XAMPPRocky pushed a commit that referenced this pull request Mar 7, 2024
* added /repos/{owner}/{repo}/check-suites

* added /repos/{owner}/{repo}/check-suites/preferences

* added /repos/{owner}/{repo}/check-suites/{check_suite_id}

* added rerequest check [run/suite]

* added 'list check run annotations'

* added "List check suites for a Git reference"

* added query parameters

* fixed `cargo fmt --all`

* fixed timeout methods not being feature gated (#519)

* fixed timeout methods not being feature gated

* removed the `timeout` feature gate as requested

* Revert "removed the `timeout` feature gate as requested"

This reverts commit 6024850.

* chore: release (#520)

* Added a test for `repos().is_collaborator()`. The 204 case is good! (#553)

* Resolving issue with deleting reactions from issues. (#555)

* Resolving issue with deleting reactions from issues.
Issue: manchicken#182

* Reverting changes to CHANGELOG.md since that's automated.

* chore: release (#554)

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Tests for locking and unlocking issue comments (#557)

* Handle redirects in ReleasesHandler::stream_asset(). (#556)

* chore: release (#558)

* Added tests for `repos().merges()` (#560)

* Don't send Authorization headers to third-party services. (#562)

* chore: release (#561)

* Upgrade http/hyper 1.0 (#564)

* chore: release (#565)

* Fixed `issues().delete_comment_reaction()` (#566)

- Added a test for 204 and 500 cases
- Fixed broken functionality in the 204 case.

* Adding test for `issues().delete_comment()` (#569)

* Added tests to prove `repos().secrets().delete_secret()` (#570)

- Added test for 204 case
- Added test for 500 case

* chore: release (#567)

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Added a test (#577)

- Update case of `repos().secrets().create_or_update_secret()` test added

* Added some more tests (#578)

- `repos().issues().check_assignee()`
  - Covers 204 case
  - Covers 404 case
  - Covers 500 case

* Fixing the test that `[email protected]` breaks. (#579)

- Updated wiremock to 0.6.0
- Fixed the one test broken by the update

* Fixing `snafu` version update (#580)

* Adding test for actions().actions_delete_workflow_run_logs_test() (#584)

* Added more tests, for `repos().delete()` (#585)

* Fixed the `projects().delete_project().send() function (#587)

* Adding tests for `actions().remove_selected_repo_from_org_secret()` (#586)

* Add Public and Release events (#589)

* Update base64 requirement from 0.21.0 to 0.22.0 (#592)

Updates the requirements on [base64](https://github.com/marshallpierce/rust-base64) to permit the latest version.
- [Changelog](https://github.com/marshallpierce/rust-base64/blob/master/RELEASE-NOTES.md)
- [Commits](marshallpierce/rust-base64@v0.21.2...v0.22.0)

---
updated-dependencies:
- dependency-name: base64
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: release (#581)

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Adding tests to `orgs().secrets().create_or_update_secret()` (#590)

- Added 204 case

* Add delete_ref in RepoHandler (#573)

Fixes: #572

* chore: release (#593)

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* rebased to actual; fixed Response<Body>

* added /repos/{owner}/{repo}/check-suites

* added /repos/{owner}/{repo}/check-suites/preferences

* added /repos/{owner}/{repo}/check-suites/{check_suite_id}

* added rerequest check [run/suite]

* added 'list check run annotations'

* added "List check suites for a Git reference"

* added query parameters

* fixed `cargo fmt --all`

* rebased to actual; fixed Response<Body>

---------

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Frank Elsinga <[email protected]>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Mike Stemle <[email protected]>
Co-authored-by: Kor Nielsen <[email protected]>
Co-authored-by: Kor Nielsen <[email protected]>
Co-authored-by: Toru Ogawa <[email protected]>
Co-authored-by: Evan Graham <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tobias Nießen <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants