Skip to content

Strip custom credential headers on cross-host redirects#1492

Open
winstoncrooker wants to merge 1 commit into
databricks:mainfrom
winstoncrooker:strip-cloud-tokens-cross-host-redirect
Open

Strip custom credential headers on cross-host redirects#1492
winstoncrooker wants to merge 1 commit into
databricks:mainfrom
winstoncrooker:strip-cloud-tokens-cross-host-redirect

Conversation

@winstoncrooker

Copy link
Copy Markdown

Changes

When Azure service-principal or GCP service-account auth is configured, the SDK attaches the cloud-provider token to every request as a custom header (X-Databricks-Azure-SP-Management-Token, the Azure ARM management bearer; X-Databricks-GCP-SA-Access-Token, the GCP service-account token). These headers are already treated as secrets by the SDK's own log redaction.

_BaseClient uses a plain requests.Session(). requests.Session.rebuild_auth() strips only the standard sensitive headers (Authorization, Cookie, etc.) when a redirect changes host; it does not know about these custom headers. So on a cross-host redirect the cloud tokens were forwarded to the redirect target host even though Authorization would be stripped.

This uses a small requests.Session subclass whose rebuild_auth also drops the custom credential headers when should_strip_auth reports a host change, matching how requests handles Authorization. Same-host redirects are unaffected. This mirrors the OAuth/login paths, which already pass allow_redirects=False.

Tests

Added unit tests in tests/test_base_client.py covering both the cross-host case (custom cloud headers dropped alongside Authorization) and the same-host case (headers preserved). ruff format / ruff check clean.

requests.Session.rebuild_auth() strips the standard sensitive headers
(Authorization, Cookie) when a redirect changes host, but not the custom
Databricks cloud-provider token headers (X-Databricks-Azure-SP-Management-Token,
X-Databricks-GCP-SA-Access-Token). On a cross-host redirect those cloud tokens
were forwarded to the redirect target host even though Authorization was stripped.

Use a requests.Session subclass whose rebuild_auth drops these headers on the
same host-change condition (should_strip_auth), matching how requests handles
Authorization. Same-host redirects are unaffected.

Signed-off-by: winstoncrooker <winstoncrooker@outlook.com>
@github-actions

Copy link
Copy Markdown

If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:

Trigger:
go/deco-tests-run/sdk-py

Inputs:

  • PR number: 1492
  • Commit SHA: 7ce0262b406999e3c4182ff67c50d51fbf7786d3

Checks will be approved automatically on success.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant