fix(api): prevent cross-origin credential leakage#207
Merged
Conversation
…ential leak A full URL passed to `confluence api` was sent through the authenticated axios client, whose default headers carry the Authorization (and Cookie) credentials. A URL pointing at a different origin — or an http:// downgrade of an https host — therefore leaked the API token to an arbitrary server. Guard the absolute-URL branch of rawRequest with assertSameOrigin, mirroring the existing download-path protection. Relative and absolute-path endpoints resolve against the configured host and are unaffected, so legitimate use (including scoped tokens on api.atlassian.com) keeps working.
|
🎉 This PR is included in version 2.14.1 🎉 The release is available on: Your semantic-release bot 📦🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Intent
The developer first wanted an autonomous, evidence-backed improvement audit of the confluence-cli Node.js codebase, grounded in npm install, tests, lint, npm audit, npm outdated, and direct code investigation, with a standalone prioritized report grouped by High/Medium/Low. After the audit, they promoted only the F1 finding to a shipping task: fix the api/rawRequest credential-origin leak by enforcing same-origin for absolute URLs, starting from a clean base on branch fm/review-confcli-k4 and adding a regression test. They explicitly constrained the work to that single security fix, with no unrelated changes, no pushing or PR during the initial scout phase, and work confined to the disposable worktree except for specified report/status files. For validation, they wanted the no-mistakes pipeline driven through to completion, using the plain git push workaround to trigger the gate, then monitoring/responding to any gate feedback and reporting the final PR URL once checks were green.
What Changed
Risk Assessment
✅ Low: The change is narrowly scoped to applying an existing same-origin guard before authenticated rawRequest full-URL calls, with matching CLI/README messaging and focused regression coverage.
Testing
Installed dependencies from the lockfile, ran the targeted raw client and API command tests, captured CLI/server evidence showing same-origin absolute URLs succeed with Basic auth while cross-origin absolute URLs are rejected before the foreign server receives a request, then removed transient
node_modulesfrom the worktree.Evidence: CLI origin guard transcript
Evidence: Redacted server request log
Pipeline
Updates from git push no-mistakes
✅ **intent** - passed
✅ No issues found.
✅ **Rebase** - passed
✅ No issues found.
✅ **Review** - passed
✅ No issues found.
✅ **Test** - passed
✅ No issues found.
npm cinpm test -- --runTestsByPath tests/api-origin-guard.test.js tests/confluence-client.test.js --runInBandnpm test -- --runTestsByPath tests/api-command.test.js --runInBandManual Node harness started configured and foreign local HTTP origins, then rannode bin/index.js api http://127.0.0.1:<configured>/rest/api/content/1 --includeandnode bin/index.js api http://127.0.0.1:<foreign>/exfil; transcript and redacted request log were written to the evidence directory.✅ **Document** - passed
✅ No issues found.
✅ **Lint** - passed
✅ No issues found.
✅ **Push** - passed
✅ No issues found.