Skip to content

security: strip cookies on cross-origin redirects and fix response connection leaks#2169

Open
insaf021 wants to merge 1 commit into
googleapis:mainfrom
insaf021:security/harden-http-redirects-and-resources
Open

security: strip cookies on cross-origin redirects and fix response connection leaks#2169
insaf021 wants to merge 1 commit into
googleapis:mainfrom
insaf021:security/harden-http-redirects-and-resources

Conversation

@insaf021

@insaf021 insaf021 commented Jul 1, 2026

Copy link
Copy Markdown

Summary

Cross-Origin Cookie Removal on Redirects

Problem: When HttpRequest follows a redirect to a different origin (different scheme, host, or effective port), sensitive Cookie headers could be forwarded to the redirect destination, potentially exposing session credentials.

Fix: Updated handleRedirect() to compare the redirect target's scheme, host, and effective port with the current request URL. If the redirect is cross-origin, the Cookie header is removed before following the redirect. Same-origin redirects continue to preserve cookies.

Resource Cleanup on Response Construction Failure

Problem: If new HttpResponse(this, lowLevelHttpResponse) throws an exception before the response is fully constructed, the underlying LowLevelHttpResponse may not be released, potentially leaving underlying HTTP resources open.

Fix: Updated the cleanup logic in the finally block of execute() to close the response content (when present) and invoke disconnect() on lowLevelHttpResponse when response construction fails, ensuring cleanup exceptions do not mask the original exception.

Tests Added

Added testHandleRedirect_crossOriginCookieRemoval to verify that cookies are removed for cross-origin redirects while remaining intact for same-origin redirects, including cases involving implicit and explicit default ports. Added testExecute_disconnectOnResponseConstructionFailure to verify that disconnect() is invoked when response construction fails and that the original exception is preserved during cleanup.

Verification

All 45 tests in HttpRequestTest passed successfully. A full mvn clean install also completed successfully across all 15 modules with BUILD SUCCESS, confirming the changes behave as expected and do not introduce regressions.

@insaf021 insaf021 requested a review from a team as a code owner July 1, 2026 03:25
@product-auto-label product-auto-label Bot added the size: m Pull request size is medium. label Jul 1, 2026
@google-cla

google-cla Bot commented Jul 1, 2026

Copy link
Copy Markdown

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size: m Pull request size is medium.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant