Merge pull request from GHSA-3787-6prv-h9w3

mcollina · web-flow · commit b9da3e40f1f0 · 2024-02-05T09:35:32.000+01:00
Signed-off-by: Matteo Collina &lt;hello@matteocollina.com&gt;
diff --git a/lib/fetch/index.js b/lib/fetch/index.js
@@ -1326,6 +1326,9 @@ function httpRedirectFetch (fetchParams, response) {
     // https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name
     request.headersList.delete('authorization', true)
 
+    // https://fetch.spec.whatwg.org/#authentication-entries
+    request.headersList.delete('proxy-authorization', true)
+
     // "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement.
     request.headersList.delete('cookie', true)
     request.headersList.delete('host', true)
diff --git a/test/fetch/redirect-cross-origin-header.js b/test/fetch/redirect-cross-origin-header.js
@@ -7,11 +7,12 @@ const { once } = require('node:events')
 const { fetch } = require('../..')
 
 test('Cross-origin redirects clear forbidden headers', async (t) => {
-  const { strictEqual } = tspl(t, { plan: 5 })
+  const { strictEqual } = tspl(t, { plan: 6 })
 
   const server1 = createServer((req, res) => {
     strictEqual(req.headers.cookie, undefined)
     strictEqual(req.headers.authorization, undefined)
+    strictEqual(req.headers['proxy-authorization'], undefined)
 
     res.end('redirected')
   }).listen(0)
@@ -40,7 +41,8 @@ test('Cross-origin redirects clear forbidden headers', async (t) => {
   const res = await fetch(`http://localhost:${server2.address().port}`, {
     headers: {
       Authorization: 'test',
-      Cookie: 'ddd=dddd'
+      Cookie: 'ddd=dddd',
+      'Proxy-Authorization': 'test'
     }
   })
 
