fix(security): remove proxy and cookie auth headers on insecure redirect (#653)

* fix: remove proxy and cookie auth headers on insecure redirect
* fix: dispose of HttpRequestMessage instance
* test: update tests to dispose HttpRequestMessage
* fix(security): enable configuration to allow removing arbitrary header on redirect. Useful for API Keys and other custom header auth

Author: MIchaelMainer

.vscode/settings.json

@@ -3,5 +3,6 @@
 		"Kiota"
 	],
 	"editor.formatOnSave": true,
-	"dotnet-test-explorer.testProjectPath": "**/*.Tests.csproj"
+	"dotnet-test-explorer.testProjectPath": "**/*.Tests.csproj",
+	"sarif-viewer.connectToGithubCodeScanning": "on"
 }

src/http/httpClient/Middleware/Options/RedirectHandlerOption.cs

@@ -44,5 +44,45 @@ public int MaxRedirect
         /// A boolean value to determine if we redirects are allowed if the scheme changes(e.g. https to http). Defaults to false.
         /// </summary>
         public bool AllowRedirectOnSchemeChange { get; set; } = false;
+
+        /// <summary>
+        /// A callback that is invoked to scrub sensitive headers from the request before following a redirect.
+        /// This callback receives the request being modified, the original URI, the new redirect URI, and a proxy resolver function.
+        /// The proxy resolver returns the proxy URI for a given destination, or null if no proxy applies.
+        /// Defaults to <see cref="DefaultScrubSensitiveHeaders"/>.
+        /// </summary>
+        public Action<HttpRequestMessage, Uri, Uri, Func<Uri, Uri?>?> ScrubSensitiveHeaders { get; set; } = DefaultScrubSensitiveHeaders;
+
+        /// <summary>
+        /// The default implementation for scrubbing sensitive headers during redirects.
+        /// This method removes Authorization and Cookie headers when the host or scheme changes,
+        /// and removes ProxyAuthorization headers when no proxy is configured or the proxy is bypassed for the new URI.
+        /// </summary>
+        /// <param name="request">The HTTP request message to modify.</param>
+        /// <param name="originalUri">The original request URI.</param>
+        /// <param name="newUri">The new redirect URI.</param>
+        /// <param name="proxyResolver">A function that returns the proxy URI for a destination, or null if no proxy applies. Can be null if no proxy is configured.</param>
+        public static void DefaultScrubSensitiveHeaders(HttpRequestMessage request, Uri originalUri, Uri newUri, Func<Uri, Uri?>? proxyResolver)
+        {
+            if(request == null) throw new ArgumentNullException(nameof(request));
+            if(originalUri == null) throw new ArgumentNullException(nameof(originalUri));
+            if(newUri == null) throw new ArgumentNullException(nameof(newUri));
+
+            // Remove Authorization and Cookie headers if http request's scheme or host changes
+            var isDifferentHostOrScheme = !newUri.Host.Equals(originalUri.Host, StringComparison.OrdinalIgnoreCase) ||
+                !newUri.Scheme.Equals(originalUri.Scheme, StringComparison.OrdinalIgnoreCase);
+            if(isDifferentHostOrScheme)
+            {
+                request.Headers.Authorization = null;
+                request.Headers.Remove("Cookie");
+            }
+
+            // Remove ProxyAuthorization if no proxy is configured or the URL is bypassed
+            var isProxyInactive = proxyResolver == null || proxyResolver(newUri) == null;
+            if(isProxyInactive)
+            {
+                request.Headers.ProxyAuthorization = null;
+            }
+        }
     }
 }

src/http/httpClient/Middleware/RedirectHandler.cs

@@ -119,12 +119,9 @@ protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage
                             newRequest.RequestUri = new Uri(baseAddress + response.Headers.Location);
                         }
 
-                        // Remove Auth if http request's scheme or host changes
-                        if(!newRequest.RequestUri.Host.Equals(request.RequestUri?.Host) ||
-                        !newRequest.RequestUri.Scheme.Equals(request.RequestUri?.Scheme))
-                        {
-                            newRequest.Headers.Authorization = null;
-                        }
+                        // Scrub sensitive headers before following the redirect
+                        var proxyResolver = GetProxyResolver();
+                        redirectOption.ScrubSensitiveHeaders(newRequest, request.RequestUri!, newRequest.RequestUri, proxyResolver);
 
                         // If scheme has changed. Ensure that this has been opted in for security reasons
                         if(!newRequest.RequestUri.Scheme.Equals(request.RequestUri?.Scheme) && !redirectOption.AllowRedirectOnSchemeChange)
@@ -183,5 +180,48 @@ private static bool IsRedirect(HttpStatusCode statusCode)
             };
         }
 
+        /// <summary>
+        /// Gets a callback that resolves the proxy URI for a given destination URI.
+        /// </summary>
+        /// <returns>A function that takes a destination URI and returns the proxy URI, or null if no proxy is configured or the destination is bypassed.</returns>
+        private Func<Uri, Uri?>? GetProxyResolver()
+        {
+            var proxy = GetProxyFromFinalHandler();
+            if(proxy == null)
+                return null;
+            return destination => proxy.IsBypassed(destination) ? null : proxy.GetProxy(destination);
+        }
+
+        /// <summary>
+        /// Traverses the handler chain to find the final handler and extract its proxy settings.
+        /// </summary>
+        /// <returns>The IWebProxy from the final handler, or null if not found.</returns>
+        private IWebProxy? GetProxyFromFinalHandler()
+        {
+#if BROWSER
+            // Browser platform does not support proxy configuration
+            return null;
+#else
+            var handler = InnerHandler;
+            while(handler != null)
+            {
+#if NETFRAMEWORK
+                if(handler is WinHttpHandler winHttpHandler)
+                    return winHttpHandler.Proxy;
+#endif
+#if NET5_0_OR_GREATER
+                if (handler is SocketsHttpHandler socketsHandler)
+                    return socketsHandler.Proxy;
+#endif
+                if(handler is HttpClientHandler httpClientHandler)
+                    return httpClientHandler.Proxy;
+                if(handler is DelegatingHandler delegatingHandler)
+                    handler = delegatingHandler.InnerHandler;
+                else
+                    break;
+            }
+            return null;
+#endif
+        }
     }
 }