feat(http): add sensitive header removal on redirect (#1699)

* feat(http): add sensitive header removal on redirect

Signed-off-by: Gaius <gaius.qi@gmail.com>

* chore(deps): update dragonfly-client dependencies to 1.2.12

Signed-off-by: Gaius <gaius.qi@gmail.com>

---------

Signed-off-by: Gaius <gaius.qi@gmail.com>

Author: gaius-qi

Cargo.lock

@@ -13,7 +13,7 @@ members = [
 ]
 
 [workspace.package]
-version = "1.2.11"
+version = "1.2.12"
 authors = ["The Dragonfly Developers"]
 homepage = "https://d7y.io/"
 repository = "https://github.com/dragonflyoss/client.git"
@@ -23,14 +23,14 @@ readme = "README.md"
 edition = "2021"
 
 [workspace.dependencies]
-dragonfly-client = { path = "dragonfly-client", version = "1.2.11" }
-dragonfly-client-core = { path = "dragonfly-client-core", version = "1.2.11" }
-dragonfly-client-config = { path = "dragonfly-client-config", version = "1.2.11" }
-dragonfly-client-storage = { path = "dragonfly-client-storage", version = "1.2.11" }
-dragonfly-client-backend = { path = "dragonfly-client-backend", version = "1.2.11" }
-dragonfly-client-metric = { path = "dragonfly-client-metric", version = "1.2.11" }
-dragonfly-client-util = { path = "dragonfly-client-util", version = "1.2.11" }
-dragonfly-client-init = { path = "dragonfly-client-init", version = "1.2.11" }
+dragonfly-client = { path = "dragonfly-client", version = "1.2.12" }
+dragonfly-client-core = { path = "dragonfly-client-core", version = "1.2.12" }
+dragonfly-client-config = { path = "dragonfly-client-config", version = "1.2.12" }
+dragonfly-client-storage = { path = "dragonfly-client-storage", version = "1.2.12" }
+dragonfly-client-backend = { path = "dragonfly-client-backend", version = "1.2.12" }
+dragonfly-client-metric = { path = "dragonfly-client-metric", version = "1.2.12" }
+dragonfly-client-util = { path = "dragonfly-client-util", version = "1.2.12" }
+dragonfly-client-init = { path = "dragonfly-client-init", version = "1.2.12" }
 dragonfly-api = "=2.2.24"
 thiserror = "2.0"
 futures = "0.3.32"

Cargo.toml

@@ -44,7 +44,7 @@
 //!
 //! Authentication is handled through custom HTTP headers configured in the dfdaemon
 //! configuration file or passed directly in the request headers.
-//!
+
 use crate::{
     Backend, Body, ExistsRequest, GetRequest, GetResponse, PutRequest, PutResponse, StatRequest,
     StatResponse, DEFAULT_USER_AGENT, KEEP_ALIVE_INTERVAL, MAX_RETRY_TIMES, POOL_MAX_IDLE_PER_HOST,
@@ -74,6 +74,7 @@ use std::time::{Duration, Instant};
 use tokio::sync::Mutex;
 use tokio_util::io::StreamReader;
 use tracing::{debug, error, info, instrument};
+use url::Url;
 
 /// HTTP_SCHEME is the HTTP scheme.
 pub const HTTP_SCHEME: &str = "http";
@@ -311,7 +312,7 @@ impl HTTP {
     }
 
     /// Get the cached temporary redirect URL if exists and not expired.
-    async fn get_temporary_redirect_url(&self, url: &str) -> String {
+    async fn get_temporary_redirect_url(&self, url: &str) -> Option<String> {
         let mut temporary_redirects = self.temporary_redirects.lock().await;
         if let Some(entry) = temporary_redirects.get(url) {
             if entry.created_at + self.cache_temporary_redirect_ttl > Instant::now() {
@@ -320,14 +321,14 @@ impl HTTP {
                     url, entry.url
                 );
 
-                return entry.url.clone();
+                return Some(entry.url.clone());
             } else {
                 debug!("cached temporary redirect for {} expired", url);
                 temporary_redirects.pop(url);
             }
         }
 
-        url.to_string()
+        None
     }
 
     /// Store the temporary redirect URL in the cache.
@@ -380,30 +381,56 @@ impl Backend for HTTP {
         self.make_request_headers(&mut request_header, None)?;
 
         // Check if we have a cached temporary redirect for this URL.
-        let target_url = self.get_temporary_redirect_url(&request.url).await;
+        let (request_url, request_header) =
+            match self.get_temporary_redirect_url(&request.url).await {
+                Some(redirect_url) => {
+                    let mut redirect_headers = request_header.clone();
+                    remove_sensitive_headers(
+                        &mut redirect_headers,
+                        &redirect_url.parse()?,
+                        &request.url.parse()?,
+                    );
+
+                    (redirect_url, redirect_headers)
+                }
+                None => (request.url.clone(), request_header),
+            };
 
         // The signature in the signed URL generated by the object storage client will include
         // the request method. Therefore, the signed URL of the GET method cannot be requested
         // through the HEAD method. Use GET request to replace of HEAD request
         // to get header and status code.
         let response = match self
             .client(request.client_cert.clone(), self.enable_hickory_dns)?
-            .get(&target_url)
+            .get(&request_url)
             .headers(request_header.clone())
             .timeout(request.timeout)
             .send()
             .await
         {
             Ok(response) if response.status() == reqwest::StatusCode::TEMPORARY_REDIRECT => {
                 if let Some(location) = response.headers().get(LOCATION) {
-                    let target_url = location.to_str().or_err(ErrorType::ParseError)?;
-                    self.store_temporary_redirect_url(&request.url, target_url)
+                    let redirect_url = location.to_str().or_err(ErrorType::ParseError)?;
+                    debug!(
+                        "stat request got 307 Temporary Redirect, following redirect {} -> {}",
+                        request.url, redirect_url
+                    );
+
+                    self.store_temporary_redirect_url(&request.url, redirect_url)
                         .await;
 
+                    // Strips sensitive headers when following a cross-origin redirect.
+                    let mut redirect_headers = request_header.clone();
+                    remove_sensitive_headers(
+                        &mut redirect_headers,
+                        &redirect_url.parse()?,
+                        &request.url.parse()?,
+                    );
+
                     match self
                         .client(request.client_cert.clone(), self.enable_hickory_dns)?
-                        .get(target_url)
-                        .headers(request_header.clone())
+                        .get(redirect_url)
+                        .headers(redirect_headers)
                         .timeout(request.timeout)
                         .send()
                         .await
@@ -412,7 +439,7 @@ impl Backend for HTTP {
                         Err(err) => {
                             error!(
                                 "stat request failed {} {}: {}",
-                                request.task_id, target_url, err
+                                request.task_id, redirect_url, err
                             );
 
                             return Ok(StatResponse {
@@ -428,7 +455,7 @@ impl Backend for HTTP {
                 } else {
                     error!(
                         "stat request got 307 Temporary Redirect without Location header {} {}",
-                        request.task_id, target_url
+                        request.task_id, request_url
                     );
 
                     return Ok(StatResponse {
@@ -456,7 +483,7 @@ impl Backend for HTTP {
 
                 match self
                     .client(request.client_cert.clone(), self.enable_hickory_dns)?
-                    .head(&target_url)
+                    .head(&request_url)
                     .headers(request_header.clone())
                     .timeout(request.timeout)
                     .send()
@@ -466,7 +493,7 @@ impl Backend for HTTP {
                     Err(err) => {
                         error!(
                             "stat request failed with HEAD {} {}: {}",
-                            request.task_id, target_url, err
+                            request.task_id, request_url, err
                         );
 
                         return Ok(StatResponse {
@@ -484,7 +511,7 @@ impl Backend for HTTP {
             Err(err) => {
                 error!(
                     "stat request failed with GET {} {}: {}",
-                    request.task_id, target_url, err
+                    request.task_id, request_url, err
                 );
 
                 return Ok(StatResponse {
@@ -507,7 +534,7 @@ impl Backend for HTTP {
 
         debug!(
             "stat response {} {}: {:?} {:?} {:?}",
-            request.task_id, target_url, response_status_code, content_length, response_header
+            request.task_id, request_url, response_status_code, content_length, response_header
         );
 
         // Drop the response body to avoid reading it.
@@ -542,10 +569,24 @@ impl Backend for HTTP {
         self.make_request_headers(&mut request_header, request.range)?;
 
         // Check if we have a cached temporary redirect for this URL.
-        let target_url = self.get_temporary_redirect_url(&request.url).await;
+        let (request_url, request_header) =
+            match self.get_temporary_redirect_url(&request.url).await {
+                Some(redirect_url) => {
+                    let mut redirect_headers = request_header.clone();
+                    remove_sensitive_headers(
+                        &mut redirect_headers,
+                        &redirect_url.parse()?,
+                        &request.url.parse()?,
+                    );
+
+                    (redirect_url, redirect_headers)
+                }
+                None => (request.url.clone(), request_header),
+            };
+
         let mut response = match self
             .client(request.client_cert.clone(), self.enable_hickory_dns)?
-            .get(&target_url)
+            .get(&request_url)
             .headers(request_header.clone())
             .timeout(request.timeout)
             .send()
@@ -555,7 +596,7 @@ impl Backend for HTTP {
             Err(err) => {
                 error!(
                     "get request failed {} {} {}: {}",
-                    request.task_id, request.piece_id, target_url, err
+                    request.task_id, request.piece_id, request_url, err
                 );
 
                 return Ok(GetResponse {
@@ -571,14 +612,27 @@ impl Backend for HTTP {
         // If the response is a 307 Temporary Redirect, follow the redirect manually.
         if response.status() == reqwest::StatusCode::TEMPORARY_REDIRECT {
             if let Some(location) = response.headers().get(LOCATION) {
-                let target_url = location.to_str().or_err(ErrorType::ParseError)?;
-                self.store_temporary_redirect_url(&request.url, target_url)
+                let redirect_url = location.to_str().or_err(ErrorType::ParseError)?;
+                debug!(
+                    "get request got 307 Temporary Redirect, following redirect {} -> {}",
+                    request.url, redirect_url
+                );
+
+                self.store_temporary_redirect_url(&request.url, redirect_url)
                     .await;
 
+                // Strips sensitive headers when following a cross-origin redirect.
+                let mut redirect_headers = request_header.clone();
+                remove_sensitive_headers(
+                    &mut redirect_headers,
+                    &redirect_url.parse()?,
+                    &request.url.parse()?,
+                );
+
                 response = match self
                     .client(request.client_cert.clone(), self.enable_hickory_dns)?
-                    .get(target_url)
-                    .headers(request_header.clone())
+                    .get(redirect_url)
+                    .headers(redirect_headers)
                     .timeout(request.timeout)
                     .send()
                     .await
@@ -587,7 +641,7 @@ impl Backend for HTTP {
                     Err(err) => {
                         error!(
                             "get request failed {} {} {}: {}",
-                            request.task_id, request.piece_id, target_url, err
+                            request.task_id, request.piece_id, redirect_url, err
                         );
 
                         return Ok(GetResponse {
@@ -717,6 +771,25 @@ impl Backend for HTTP {
     }
 }
 
+/// Strips sensitive headers when following a cross-origin redirect.
+///
+/// This replicates the behavior of reqwest's internal `remove_sensitive_headers`:
+/// https://github.com/seanmonstar/reqwest/blob/v0.12.15/src/redirect.rs#L134
+///
+/// Per RFC 9110 §15.4, user agents SHOULD strip credentials when redirecting
+/// to a different origin.
+fn remove_sensitive_headers(headers: &mut HeaderMap, next: &Url, previous: &Url) {
+    if next.host() != previous.host()
+        || next.port_or_known_default() != previous.port_or_known_default()
+    {
+        headers.remove(reqwest::header::AUTHORIZATION);
+        headers.remove(reqwest::header::COOKIE);
+        headers.remove("cookie2");
+        headers.remove(reqwest::header::PROXY_AUTHORIZATION);
+        headers.remove(reqwest::header::WWW_AUTHENTICATE);
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;