Don't send Authorization headers to third-party services. #562
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
We may have been directed away from github.com (via follow_location_to_data()), and for security reasons it's important that we don't leak our GitHub credentials. If an artifact is uploaded with actions/upload-artifact@v4, calls may be redirected to a URL starting with https://productionresultssa0.blob.core.windows.net/. Requests made to download that file will be rejected if they contain an Authorization header.
korran
added a commit
to korran/caliptra-sw
that referenced
this pull request
Feb 5, 2024
GitHub's API is now redirecting requests to download GHA artifacts to https://productionresultssa0.blob.core.windows.net/. This service rejects requests that contain an Authorization header, breaking our publish-website.yml workflow. octocrab should not be sending this header when redirected, and I have file XAMPPRocky/octocrab#562 to address the bug. Until that PR is merged, we can work around this issue by enabling the "follow-redirect" feature, which configures the tower middleware to handling the redirect instead of octocrab, which (correctly) doesn't include the authentication header in the redirected requests.
korran
added a commit
to korran/caliptra-sw
that referenced
this pull request
Feb 5, 2024
GitHub's API is now redirecting requests to download GHA artifacts to https://productionresultssa0.blob.core.windows.net/. This service rejects requests that contain an Authorization header, breaking our publish-website.yml workflow. octocrab should not be sending this header when redirected, and I have file XAMPPRocky/octocrab#562 to address the bug. Until that PR is merged, we can work around this issue by enabling the "follow-redirect" feature, which configures the tower middleware to handle the redirect instead of octocrab, which (correctly) doesn't include the authentication header in the redirected requests.
korran
added a commit
to korran/caliptra-sw
that referenced
this pull request
Feb 5, 2024
GitHub's API is now redirecting requests to download GHA artifacts to https://productionresultssa0.blob.core.windows.net/. This service rejects requests that contain an Authorization header, breaking our publish-website.yml workflow. octocrab should not be sending this header when redirected, and I have filed XAMPPRocky/octocrab#562 to address the bug. Until that PR is merged, we can work around this issue by enabling octocrab's "follow-redirect" feature, which configures the tower middleware to handle the redirect instead of octocrab, which (correctly) doesn't include the authentication header in the redirected requests.
korran
added a commit
to chipsalliance/caliptra-sw
that referenced
this pull request
Feb 6, 2024
GitHub's API is now redirecting requests to download GHA artifacts to https://productionresultssa0.blob.core.windows.net/. This service rejects requests that contain an Authorization header, breaking our publish-website.yml workflow. octocrab should not be sending this header when redirected, and I have filed XAMPPRocky/octocrab#562 to address the bug. Until that PR is merged, we can work around this issue by enabling octocrab's "follow-redirect" feature, which configures the tower middleware to handle the redirect instead of octocrab, which (correctly) doesn't include the authentication header in the redirected requests.
|
Thank you for your PR! |
Merged
kageiit
added a commit
to kageiit/octocrab
that referenced
this pull request
Mar 4, 2024
dmgorsky
pushed a commit
to dmgorsky/octocrab
that referenced
this pull request
Mar 6, 2024
XAMPPRocky
pushed a commit
that referenced
this pull request
Mar 7, 2024
* added /repos/{owner}/{repo}/check-suites
* added /repos/{owner}/{repo}/check-suites/preferences
* added /repos/{owner}/{repo}/check-suites/{check_suite_id}
* added rerequest check [run/suite]
* added 'list check run annotations'
* added "List check suites for a Git reference"
* added query parameters
* fixed `cargo fmt --all`
* fixed timeout methods not being feature gated (#519)
* fixed timeout methods not being feature gated
* removed the `timeout` feature gate as requested
* Revert "removed the `timeout` feature gate as requested"
This reverts commit 6024850.
* chore: release (#520)
* Added a test for `repos().is_collaborator()`. The 204 case is good! (#553)
* Resolving issue with deleting reactions from issues. (#555)
* Resolving issue with deleting reactions from issues.
Issue: manchicken#182
* Reverting changes to CHANGELOG.md since that's automated.
* chore: release (#554)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* Tests for locking and unlocking issue comments (#557)
* Handle redirects in ReleasesHandler::stream_asset(). (#556)
* chore: release (#558)
* Added tests for `repos().merges()` (#560)
* Don't send Authorization headers to third-party services. (#562)
* chore: release (#561)
* Upgrade http/hyper 1.0 (#564)
* chore: release (#565)
* Fixed `issues().delete_comment_reaction()` (#566)
- Added a test for 204 and 500 cases
- Fixed broken functionality in the 204 case.
* Adding test for `issues().delete_comment()` (#569)
* Added tests to prove `repos().secrets().delete_secret()` (#570)
- Added test for 204 case
- Added test for 500 case
* chore: release (#567)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* Added a test (#577)
- Update case of `repos().secrets().create_or_update_secret()` test added
* Added some more tests (#578)
- `repos().issues().check_assignee()`
- Covers 204 case
- Covers 404 case
- Covers 500 case
* Fixing the test that `wiremock@v0.6.0` breaks. (#579)
- Updated wiremock to 0.6.0
- Fixed the one test broken by the update
* Fixing `snafu` version update (#580)
* Adding test for actions().actions_delete_workflow_run_logs_test() (#584)
* Added more tests, for `repos().delete()` (#585)
* Fixed the `projects().delete_project().send() function (#587)
* Adding tests for `actions().remove_selected_repo_from_org_secret()` (#586)
* Add Public and Release events (#589)
* Update base64 requirement from 0.21.0 to 0.22.0 (#592)
Updates the requirements on [base64](https://github.com/marshallpierce/rust-base64) to permit the latest version.
- [Changelog](https://github.com/marshallpierce/rust-base64/blob/master/RELEASE-NOTES.md)
- [Commits](marshallpierce/rust-base64@v0.21.2...v0.22.0)
---
updated-dependencies:
- dependency-name: base64
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore: release (#581)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* Adding tests to `orgs().secrets().create_or_update_secret()` (#590)
- Added 204 case
* Add delete_ref in RepoHandler (#573)
Fixes: #572
* chore: release (#593)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* rebased to actual; fixed Response<Body>
* added /repos/{owner}/{repo}/check-suites
* added /repos/{owner}/{repo}/check-suites/preferences
* added /repos/{owner}/{repo}/check-suites/{check_suite_id}
* added rerequest check [run/suite]
* added 'list check run annotations'
* added "List check suites for a Git reference"
* added query parameters
* fixed `cargo fmt --all`
* rebased to actual; fixed Response<Body>
---------
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Frank Elsinga <frank@elsinga.de>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Mike Stemle <hello@mikestemle.com>
Co-authored-by: Kor Nielsen <korn@xdas.com>
Co-authored-by: Kor Nielsen <kor@google.com>
Co-authored-by: Toru Ogawa <Hakuyume@users.noreply.github.com>
Co-authored-by: Evan Graham <me@luakt.net>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tobias Nießen <tniessen@tnie.de>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We may have been directed away from github.com (via follow_location_to_data()), and for security reasons it's important that we don't leak our GitHub credentials.
If an artifact is uploaded with actions/upload-artifact@v4, calls may be redirected to a URL starting with
https://productionresultssa0.blob.core.windows.net/. Requests made to download that file will be rejected if they contain an Authorization header.