Strip custom credential headers on cross-host redirects#1492
Open
winstoncrooker wants to merge 1 commit into
Open
Strip custom credential headers on cross-host redirects#1492winstoncrooker wants to merge 1 commit into
winstoncrooker wants to merge 1 commit into
Conversation
requests.Session.rebuild_auth() strips the standard sensitive headers (Authorization, Cookie) when a redirect changes host, but not the custom Databricks cloud-provider token headers (X-Databricks-Azure-SP-Management-Token, X-Databricks-GCP-SA-Access-Token). On a cross-host redirect those cloud tokens were forwarded to the redirect target host even though Authorization was stripped. Use a requests.Session subclass whose rebuild_auth drops these headers on the same host-change condition (should_strip_auth), matching how requests handles Authorization. Same-host redirects are unaffected. Signed-off-by: winstoncrooker <winstoncrooker@outlook.com>
|
If integration tests don't run automatically, an authorized user can run them manually by following the instructions below: Trigger: Inputs:
Checks will be approved automatically on success. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changes
When Azure service-principal or GCP service-account auth is configured, the SDK attaches the cloud-provider token to every request as a custom header (
X-Databricks-Azure-SP-Management-Token, the Azure ARM management bearer;X-Databricks-GCP-SA-Access-Token, the GCP service-account token). These headers are already treated as secrets by the SDK's own log redaction._BaseClientuses a plainrequests.Session().requests.Session.rebuild_auth()strips only the standard sensitive headers (Authorization,Cookie, etc.) when a redirect changes host; it does not know about these custom headers. So on a cross-host redirect the cloud tokens were forwarded to the redirect target host even thoughAuthorizationwould be stripped.This uses a small
requests.Sessionsubclass whoserebuild_authalso drops the custom credential headers whenshould_strip_authreports a host change, matching howrequestshandlesAuthorization. Same-host redirects are unaffected. This mirrors the OAuth/login paths, which already passallow_redirects=False.Tests
Added unit tests in
tests/test_base_client.pycovering both the cross-host case (custom cloud headers dropped alongsideAuthorization) and the same-host case (headers preserved).ruff format/ruff checkclean.