authorization header is not deleted on redirects to third party origins

[szmarczak]

Bug Description

Security flaw.

Reproducible By

const http = require('http');
const undici = require('undici');

const server = http.createServer((request, response) => {
    if (request.headers.authorization != 'test') {
        response.statusCode = 403;
        response.end();
        return;
    }

    response.statusCode = 302;
    response.setHeader('location', 'https://httpbin.org/anything');
    response.end();
});

server.listen(8080, async () => {
    const {statusCode, headers, body} = await undici.request('http://localhost:8080', {
        maxRedirections: 3,
        headers: {
            authorization: 'test'
        }
    });

    const chunks = [];
    for await (const chunk of body) {
        chunks.push(chunk);
    }

    const parsed = JSON.parse(Buffer.concat(chunks));
    console.log(parsed.headers.Authorization);

    undici.getGlobalDispatcher().destroy();
    server.close();
});

Expected Behavior

The authorization header should be deleted when redirecting to third party origin.

Environment

Linux solus 5.13.1-187.current #1 SMP PREEMPT Wed Jul 7 19:52:26 UTC 2021 x86_64 GNU/Linux
Node v16.4.2
[email protected]