WithAuthToken wraps the Transport with a RoundTripper that injects
Authorization: Bearer TOKEN on every RoundTrip call. When http.Client
follows a redirect to a different host, Go strips the Authorization
header — but the wrapped Transport immediately re-adds it, so the token
is forwarded to the redirect destination.
The GitHub API redirects several endpoints cross-host:
- Repository archive downloads redirect to codeload.github.com
- Release asset downloads redirect to objects.githubusercontent.com
Any application using WithAuthToken that follows such redirects, or that
accepts user-provided URLs, will leak its GitHub token to the redirect
destination.
Fix tracked in #4189.
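The following is an added example, not code from go-github or the advisory. It reimplements the described pattern as a hypothetical tokenTransport, stands up two loopback servers with net/http/httptest (an "api" server that answers 302 to a "cdn" server, mirroring the codeload/objects.githubusercontent.com redirects), and reports which Authorization value reached the cdn. The VulnerableTransport variant injects on every RoundTrip, as the advisory describes; HardenedTransport pins injection to the API host. The token "ghp_example" and the paths are constructed. Note that Go's own cross-host stripping compares hostnames, not ports, so with both servers on 127.0.0.1 it would not fire here anyway; that is exactly why the transport, not the client's redirect logic, decides where the token goes.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// tokenTransport is a hypothetical stand-in for the WithAuthToken pattern
// (added example, not go-github's code). It injects
// "Authorization: Bearer <token>" on RoundTrip. With pinHost == "" it does so
// on every request, which is the vulnerable behaviour; with pinHost set it
// only injects for requests whose host matches.
type tokenTransport struct {
	base    http.RoundTripper
	token   string
	pinHost string
}

func (t *tokenTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if t.pinHost == "" || strings.EqualFold(req.URL.Host, t.pinHost) {
		// A RoundTripper must not mutate the caller's request, so clone first.
		req = req.Clone(req.Context())
		req.Header.Set("Authorization", "Bearer "+t.token)
	}
	return t.base.RoundTrip(req)
}

// headerSink records the Authorization header of each request it receives.
// It plays the role of the redirect destination (the CDN host).
type headerSink struct {
	mu   sync.Mutex
	seen []string
}

func (s *headerSink) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	s.mu.Lock()
	s.seen = append(s.seen, r.Header.Get("Authorization"))
	s.mu.Unlock()
	w.WriteHeader(http.StatusOK)
}

// LeakedToken starts an "api" server that 302-redirects to a "cdn" server,
// performs one GET against api through the transport built by newTransport,
// and returns the Authorization value the cdn received ("" means no leak).
func LeakedToken(newTransport func(apiHost string) http.RoundTripper) (string, error) {
	sink := &headerSink{}
	cdn := httptest.NewServer(sink)
	defer cdn.Close()

	api := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Cross-host redirect, like a repository archive download.
		http.Redirect(w, r, cdn.URL+"/archive.tar.gz", http.StatusFound)
	}))
	defer api.Close()

	apiHost := api.Listener.Addr().String() // "127.0.0.1:<port>" of the API server
	client := &http.Client{Transport: newTransport(apiHost)}
	resp, err := client.Get(api.URL + "/repos/o/r/tarball/main") // constructed path
	if err != nil {
		return "", err
	}
	io.Copy(io.Discard, resp.Body)
	resp.Body.Close()

	sink.mu.Lock()
	defer sink.mu.Unlock()
	if len(sink.seen) != 1 {
		return "", fmt.Errorf("expected 1 request at cdn, got %d", len(sink.seen))
	}
	return sink.seen[0], nil
}

// VulnerableTransport injects the token on every request, regardless of host.
func VulnerableTransport(apiHost string) http.RoundTripper {
	return &tokenTransport{base: http.DefaultTransport, token: "ghp_example"}
}

// HardenedTransport only injects the token for requests to the API host.
func HardenedTransport(apiHost string) http.RoundTripper {
	return &tokenTransport{base: http.DefaultTransport, token: "ghp_example", pinHost: apiHost}
}

func main() {
	leak, err := LeakedToken(VulnerableTransport)
	fmt.Printf("vulnerable: cdn received %q (err=%v)\n", leak, err)
	leak, err = LeakedToken(HardenedTransport)
	fmt.Printf("hardened:   cdn received %q (err=%v)\n", leak, err)
}
```

Against a real API client the pin would be the API hostname (for GitHub, api.github.com) rather than a loopback host:port, and the comparison should stay on the request's host rather than on any prefix of the URL string. Pinning the host keeps archive and asset downloads working, since the redirect is still followed, just without the bearer token; refusing cross-host redirects via http.Client.CheckRedirect would instead break those downloads.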