fix: Prevent Authentication header from being passed during cross-origin redirects (box/box-codegen#648) (#382)

box-sdk-build · web-flow · commit a64d373a935c · 2025-01-23T15:40:37.000+01:00
diff --git a/.codegen.json b/.codegen.json
@@ -1 +1 @@
-{ "engineHash": "ead925a", "specHash": "091b558", "version": "1.6.0" }
+{ "engineHash": "b5ed925", "specHash": "091b558", "version": "1.6.0" }
diff --git a/Box.Sdk.Gen/Networking/BoxNetworkClient/BoxNetworkClient.cs b/Box.Sdk.Gen/Networking/BoxNetworkClient/BoxNetworkClient.cs
@@ -105,8 +105,11 @@ async Task<FetchResponse> INetworkClient.FetchAsync(FetchOptions options)
                             throw new BoxSdkException($"Redirect response missing Location header for: {options.Url}");
                         }
 
+                        var originUri = new Uri(url);
+                        var redirectUri = new Uri(locationHeader.Value.First());
+                        var sameOrigin = originUri.Host == redirectUri.Host && originUri.Port == redirectUri.Port && originUri.Scheme == redirectUri.Scheme;
                         return await ((INetworkClient)this).FetchAsync(new FetchOptions(locationHeader.Value.First(), "GET", options.ContentType, options.ResponseFormat)
-                        { Auth = options.Auth, NetworkSession = networkSession }).ConfigureAwait(false);
+                        { Auth = sameOrigin ? options.Auth : null, NetworkSession = networkSession }).ConfigureAwait(false);
                     }
 
                     if (statusCode == 401)

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-{ "engineHash": "ead925a", "specHash": "091b558", "version": "1.6.0" }`
	`1`	`+{ "engineHash": "b5ed925", "specHash": "091b558", "version": "1.6.0" }`
Original file line number	Diff line number	Diff line change
`@@ -105,8 +105,11 @@ async Task<FetchResponse> INetworkClient.FetchAsync(FetchOptions options)`
`105`	`105`	`throw new BoxSdkException($"Redirect response missing Location header for: {options.Url}");`
`106`	`106`	`}`
`107`	`107`
	`108`	`+ var originUri = new Uri(url);`
	`109`	`+ var redirectUri = new Uri(locationHeader.Value.First());`
	`110`	`+ var sameOrigin = originUri.Host == redirectUri.Host && originUri.Port == redirectUri.Port && originUri.Scheme == redirectUri.Scheme;`
`108`	`111`	`return await ((INetworkClient)this).FetchAsync(new FetchOptions(locationHeader.Value.First(), "GET", options.ContentType, options.ResponseFormat)`
`109`		`- { Auth = options.Auth, NetworkSession = networkSession }).ConfigureAwait(false);`
	`112`	`+ { Auth = sameOrigin ? options.Auth : null, NetworkSession = networkSession }).ConfigureAwait(false);`
`110`	`113`	`}`
`111`	`114`
`112`	`115`	`if (statusCode == 401)`