Pulse/internal/agentupdate
rcourtman 6c55f8057c fix(agentupdate): reject redirects to prevent X-API-Token leak (GHSA-v644-29mm-jwx3)
The agent self-updater's HTTP client followed redirects with no
CheckRedirect policy. Go's net/http strips Authorization/Cookie on a
cross-host redirect but forwards custom headers such as X-API-Token, so a
cross-origin 30x from the operator-configured PulseURL (open redirect,
compromised/hijacked server, DNS/BGP hijack, or a malicious provisioning
URL) leaked the agent API token to the redirect target (CWE-200/CWE-522).

Backport of the v6 fix: refuse to follow any redirect rather than
re-sending the token. Covers both the getServerVersion version-check path
and the binary-download path, with regression tests asserting the redirect
target is never hit.

Reported by tonghuaroot.
2026-06-11 09:06:50 +01:00
..
coverage_test.go Fix FreeBSD agent restart handling 2026-05-24 21:51:11 +01:00
restart_unix.go Improve internal package test coverage 2025-12-29 17:25:21 +00:00
restart_windows.go Fix Windows agent self-update restart failure 2025-11-30 12:02:43 +00:00
update.go fix(agentupdate): reject redirects to prevent X-API-Token leak (GHSA-v644-29mm-jwx3) 2026-06-11 09:06:50 +01:00
update_http_test.go fix(agentupdate): reject redirects to prevent X-API-Token leak (GHSA-v644-29mm-jwx3) 2026-06-11 09:06:50 +01:00
update_test.go Add unit tests for agentupdate utility functions 2025-11-30 03:48:50 +00:00