Skip to content

fix(http): skip AuthTransport bearer on redirected hops#832

Open
SAY-5 wants to merge 1 commit into
buildkite:mainfrom
SAY-5:fix/artifact-presigned-no-auth
Open

fix(http): skip AuthTransport bearer on redirected hops#832
SAY-5 wants to merge 1 commit into
buildkite:mainfrom
SAY-5:fix/artifact-presigned-no-auth

Conversation

@SAY-5
Copy link
Copy Markdown

@SAY-5 SAY-5 commented May 19, 2026

AuthTransport.RoundTrip unconditionally re-set the Authorization header, which clobbered stdlib http.Client's cross-host strip on artifact-download redirects to presigned buildkiteartifacts.com / S3 URLs. The presigned URL already carries its own auth via X-Amz-Signature, so the extra header either leaks the bearer or breaks the download with S3's "Only one auth mechanism allowed" 400. New test redirects through two httptest servers and asserts the second hop sees no Authorization.

Closes #830

@SAY-5
fix(http): skip AuthTransport bearer on redirected hops
5ba5d7e 
AuthTransport.RoundTrip unconditionally re-set the Authorization header,
which clobbered stdlib http.Client's cross-host strip on artifact-download
redirects to presigned buildkiteartifacts.com / S3 URLs. The presigned URL
already carries its own auth via X-Amz-Signature, so the extra header
either leaks the bearer or breaks the download with S3's
'Only one auth mechanism allowed' 400.
Closes buildkite#830

Signed-off-by: Sai Asish Y <[email protected]>
@SAY-5 SAY-5 requested review from a team as code owners May 19, 2026 22:04
mcncl
mcncl reviewed May 19, 2026
View reviewed changes
Comment thread internal/http/refresh_transport.go
token := t.TokenSource.Token()
if token != "" {
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
// Skip re-injecting on redirected hops so stdlib's cross-host strip stays in effect.
Copy link
Copy Markdown
Contributor

@mcncl mcncl May 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@SAY-5 thanks for the PR! As far as I can tell, this only fixes the normal redirect hop, which is fine (and a nice fix). I'm wondering if you wanted to additionally include a fix for 401 responses, which will still use the RefreshTransport

Copy link
Copy Markdown
Author

@SAY-5 SAY-5 May 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch. The 401-retry path is a separate failure mode (refresh + cloned request, where req.Response is nil) so I would rather address it in a follow-up PR with its own test, to keep this one tightly scoped to the redirect leak. I will open that next.

Copy link
Copy Markdown
Contributor

@mcncl mcncl May 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CI is failing due to an expired token, I think, so I'll look in to fixing that up

@SAY-5
Copy link
Copy Markdown
Author

SAY-5 commented May 21, 2026

Kept this PR scoped to the AuthTransport redirect path since that is the leak path #830 reproduces. RefreshTransport only fires on a 401 from the original request, and any 401-then-redirect path would go back through AuthTransport anyway, so the same skip applies. Happy to fold in a separate RefreshTransport hardening if you want.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mcncl mcncl mcncl left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: bk artifact download unconditionally adds a token to pre-signed URL downloads (breaking downloads)

2 participants

@SAY-5 @mcncl