fix(pulsar): scope auth header re-application on redirects#7692
Merged
rickbrouwer merged 1 commit intoMay 7, 2026
Conversation
The Pulsar scaler overrides CheckRedirect to keep Authorization headers across 307 redirects so broker-to-broker handoffs work, but it did so without checking the redirect target. A trusted adminURL induced into issuing an open redirect, or a malicious adminURL pointed at the operator, could harvest the bearer or basic credentials. Re-apply auth only when the redirect target shares the original request's hostname (port-stripped, case-insensitive) and does not downgrade an https adminURL to http. Cross-host or downgraded redirects fall through with no auth, so the request follows the redirect anonymously and the credentials stay on the trusted host. Signed-off-by: Mateen Anjum <mateenali66@gmail.com>
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
|
Thank you for your contribution! 🙏 Please understand that we will do our best to review your PR and give you feedback as soon as possible, but please bear with us if it takes a little longer as expected. While you are waiting, make sure to:
Once the initial tests are successful, a KEDA member will ensure that the e2e tests are run. Once the e2e tests have been successfully completed, the PR may be merged at a later date. Please be patient. Learn more about our contribution guide. |
Member
|
/run-e2e pulsar |
rickbrouwer
approved these changes
May 6, 2026
rickbrouwer
added
Awaiting/2nd-approval
JorTurFer
approved these changes
May 7, 2026
rickbrouwer
removed
the
Awaiting/2nd-approval
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
the pulsar scaler overrides
CheckRedirectso 307 redirects between brokers keep theirAuthorizationheader. it does that unconditionally, which means a redirect to a different host (or an https->http downgrade from a trusted adminURL with an open redirect) re-applies the bearer/basic credentials to the new target.re-apply auth only when the redirect target shares the original request's hostname (port-stripped, case-insensitive) and does not downgrade the scheme. cross-host and https->http redirects fall through without setting the headers, so the redirect still happens but the credentials don't follow.
added
TestPulsarRedirectAuthHostScopeGuardcovering same-host (with port change), case-insensitive host match, cross-host, https->http downgrade, and plain http same-host. existingTestPulsarScalerRedirectNilPointerFixstill passes.note: pulsar deployments where peer brokers run on entirely different hostnames will now lose auth on the broker-to-broker hop, same as Go's stdlib default would. happy to relax the host check (subdomain match, or configurable allowlist) if that turns out to break legitimate setups.
Fixes #7686