fix: strip auth headers for GitHub release assets redirects (#9211)

Author: FringeNet

.changeset/lovely-moose-worry.md

@@ -0,0 +1,17 @@
+---
+"builder-util-runtime": minor
+---
+
+fix: implement industry-standard cross-origin redirect auth handling
+
+Replace hardcoded service-specific hostname checks with sophisticated cross-origin redirect detection that matches industry standards from Python requests library and Apache HttpClient.
+
+**Key improvements:**
+- **Case-insensitive hostname comparison** for robust origin detection
+- **HTTP→HTTPS upgrade allowance** on standard ports (80→443) for backward compatibility
+- **Proper default port handling** that treats implicit and explicit default ports as equivalent
+- **Standards-compliant cross-origin detection** following RFC specifications
+
+**Fixes GitHub issue #9207:** GitHub release asset downloads failing with 403 Forbidden when redirected from `api.github.com` to `release-assets.githubusercontent.com` (Azure backend) or other cloud storage services that don't accept GitHub tokens.
+
+The implementation now handles all cross-origin redirect scenarios while maintaining compatibility with legitimate same-origin redirects and industry-standard HTTP→HTTPS upgrades.

.github/workflows/test.yaml

@@ -67,7 +67,7 @@ jobs:
       fail-fast: false
       matrix:
         testFiles:
-          - ArtifactPublisherTest,BuildTest,ExtraBuildTest,RepoSlugTest,binDownloadTest,configurationValidationTest,filenameUtilTest,filesTest,globTest,ignoreTest,macroExpanderTest,mainEntryTest,urlUtilTest,extraMetadataTest,linuxArchiveTest,linuxPackagerTest,HoistedNodeModuleTest,MemoLazyTest,HoistTest,ExtraBuildResourcesTest
+          - ArtifactPublisherTest,BuildTest,ExtraBuildTest,RepoSlugTest,binDownloadTest,configurationValidationTest,filenameUtilTest,filesTest,globTest,httpExecutorTest,ignoreTest,macroExpanderTest,mainEntryTest,urlUtilTest,extraMetadataTest,linuxArchiveTest,linuxPackagerTest,HoistedNodeModuleTest,MemoLazyTest,HoistTest,ExtraBuildResourcesTest
           - snapTest,debTest,fpmTest,protonTest
           - winPackagerTest,winCodeSignTest,webInstallerTest
           - oneClickInstallerTest,assistedInstallerTest

packages/builder-util-runtime/src/httpExecutor.ts

@@ -319,14 +319,69 @@ Please double check that your authentication token is correct. Due to security r
     const newOptions = configureRequestOptionsFromUrl(redirectUrl, { ...options })
     const headers = newOptions.headers
     if (headers?.authorization) {
-      const parsedNewUrl = parseUrl(redirectUrl, options)
-      if (parsedNewUrl.hostname.endsWith(".amazonaws.com") || parsedNewUrl.searchParams.has("X-Amz-Credential")) {
+      // Parse original and redirect URLs to compare origins
+      const originalUrl = HttpExecutor.reconstructOriginalUrl(options)
+      const parsedRedirectUrl = parseUrl(redirectUrl, options)
+
+      // Strip authorization header on cross-origin redirects (different protocol, hostname, or port)
+      if (HttpExecutor.isCrossOriginRedirect(originalUrl, parsedRedirectUrl)) {
+        if (debug.enabled) {
+          debug(`Given the cross-origin redirect (from ${originalUrl.host} to ${parsedRedirectUrl.host}), the Authorization header will be stripped out.`)
+        }
         delete headers.authorization
       }
     }
     return newOptions
   }
 
+  private static reconstructOriginalUrl(options: RequestOptions): URL {
+    const protocol = options.protocol || "https:"
+    if (!options.hostname) {
+      throw new Error("Missing hostname in request options")
+    }
+    const hostname = options.hostname
+    const port = options.port ? `:${options.port}` : ""
+    const path = options.path || "/"
+    return new URL(`${protocol}//${hostname}${port}${path}`)
+  }
+
+  private static isCrossOriginRedirect(originalUrl: URL, redirectUrl: URL): boolean {
+    // Case-insensitive hostname comparison
+    if (originalUrl.hostname.toLowerCase() !== redirectUrl.hostname.toLowerCase()) {
+      return true
+    }
+
+    // Special case: allow http -> https redirect on same host with standard ports
+    // This matches the behavior of Python requests library for backward compatibility
+    // url.port returns an empty string if the port is omitted
+    // or explicitly set to the default port for a given protocol. 
+    if (
+      originalUrl.protocol === "http:" &&
+      // This can be replaced with `!originalUrl.port`, but for the sake of clarity.
+      ["80", ""].includes(originalUrl.port) &&
+      redirectUrl.protocol === "https:" &&
+      // This can be replaced with `!redirectUrl.port`, but for the sake of clarity.
+      ["443", ""].includes(redirectUrl.port)
+    ) {
+      return false
+    }
+
+    // According to RFC 7235, a change in protocol or port constitutes a cross-origin request.
+    // Forwarding authentication headers to a different origin can be a security risk.
+    // For example, https://example.com:443 and http://example.com:80 are different origins.
+    // We only make an exception for HTTP -> HTTPS upgrades on standard ports for backward compatibility.
+
+    // Strip auth on any other protocol change
+    if (originalUrl.protocol !== redirectUrl.protocol) {
+      return true
+    }
+
+    // Strip auth on port change (accounting for default ports)
+    const originalPort = originalUrl.port
+    const redirectPort = redirectUrl.port
+    return originalPort !== redirectPort
+  }
+
   static retryOnServerError(task: () => Promise<any>, maxRetries = 3) {
     for (let attemptNumber = 0; ; attemptNumber++) {
       try {