transport: do not re-attach bearer token after cross-host redirect by evilgensec · Pull Request #2349 · google/go-containerregistry

@evilgensec

PR google#2337 made bearerTransport.RoundTrip set the Authorization header unconditionally on the post-401 retry, bypassing the matchesHost guard. That guard exists to stop the credential being forwarded across an http.Client-level redirect to a different host. With it bypassed, a malicious or compromised registry can 302 a manifest/blob fetch to an attacker-controlled host, answer the follow-up request with a Bearer challenge, and harvest the operator's registry token: the client refreshes the token from the trusted realm and then sends it to the redirected host.

Gate the re-attach on matchesHost so the refreshed token is only applied when the request is still talking to the registry we authenticated against; for a cross-host request fall back to sendRequest(), which omits the credential. This preserves the google#2333 fix for same-host 401 retries (e.g. mid-session token expiry) while closing the credential leak.

Add a regression test for the same-host retry and a test asserting the token is not leaked to a cross-host challenger.
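Added illustration of the guard this PR describes; it is not go-containerregistry's code and uses a simplified, hypothetical transport (hostGatedBearer) with its own matchesHost check. It shows why the gate has to sit in the RoundTripper: http.Client only strips Authorization from headers set on the original request when it follows a cross-host redirect, while a transport is invoked again on every hop, so an unconditional re-attach in the transport leaks the token to the redirect target. The two registries and the token are constructed in-process; gate=false reproduces the leak, gate=true is the gated behaviour.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// Illustrative RoundTripper, not go-containerregistry's bearerTransport: a transport runs on every redirect hop, so the host gate must live here.
type hostGatedBearer struct {
	registry string // host:port the token was issued for
	token    string
	gate     bool // false reproduces the unconditional re-attach this PR removes
}

func (t *hostGatedBearer) matchesHost(host string) bool { return host == t.registry }

func (t *hostGatedBearer) RoundTrip(req *http.Request) (*http.Response, error) {
	out := req.Clone(req.Context())
	out.Header.Del("Authorization") // never carry a token over from an earlier hop
	if !t.gate || t.matchesHost(out.URL.Host) {
		out.Header.Set("Authorization", "Bearer "+t.token)
	}
	return http.DefaultTransport.RoundTrip(out) // wraps the default transport for brevity
}

// RunRedirectScenario: a constructed "registry" 302s a manifest fetch to a second constructed host; reports which of the two received a token.
func RunRedirectScenario(gate bool) (bool, bool, error) {
	var regSaw, othSaw atomic.Bool // written from handler goroutines
	other := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		othSaw.Store(r.Header.Get("Authorization") != "")
	}))
	defer other.Close()
	registry := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		regSaw.Store(r.Header.Get("Authorization") != "")
		http.Redirect(w, r, other.URL+"/v2/demo/manifests/latest", http.StatusFound)
	}))
	defer registry.Close()
	rt := &hostGatedBearer{registry: registry.Listener.Addr().String(), token: "demo-token", gate: gate}
	resp, err := (&http.Client{Transport: rt}).Get(registry.URL + "/v2/demo/manifests/latest")
	if err == nil {
		resp.Body.Close()
	}
	return regSaw.Load(), othSaw.Load(), err
}

func main() {
	fmt.Println(RunRedirectScenario(true)) // gated: true false <nil>; RunRedirectScenario(false) shows the leak: true true <nil>
}
```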