fix(fetchkit): re-sign bot-auth headers on redirect hops by chaliy · Pull Request #123 · everruns/fetchkit

chaliy · 2026-05-17T16:48:17Z

Prevent replay/leakage of bot-auth Signature/Signature-Input headers that were generated once for the initial authority and forwarded unchanged to subsequent redirect hops, which can expose replayable credentials to cross-host redirects.

Stop precomputing and attaching bot-auth headers before manual redirect handling in fetch() and fetch_to_file() by removing the one-time apply_bot_auth_if_enabled(...) calls there.
Recompute and apply bot-auth headers per hop inside send_request_following_redirects() by calling apply_bot_auth_if_enabled(headers.clone(), options, &current_url) before building the reqwest client for each request.
Preserve non-bot-auth behavior and keep changes feature-gated so behavior is unchanged when the bot-auth feature is disabled.

Ran cargo test -p fetchkit --features bot-auth and all crate tests passed, including bot_auth unit tests and fetchers::default tests that assert headers are sent (10 tests ran and passed).
Ran cargo fmt --all with no formatting issues.

…nerability

fix(fetchkit): re-sign bot-auth headers on redirect hops

eb8ba8f

chaliy added codex aardvark labels May 17, 2026 — with ChatGPT Codex Connector

Merge branch 'main' into 2026-05-17-fix-bot-auth-signature-replay-vul…

9f44272

…nerability

chaliy merged commit 23b9e43 into main May 17, 2026
11 checks passed

chaliy deleted the 2026-05-17-fix-bot-auth-signature-replay-vulnerability branch May 17, 2026 18:46

Provide feedback