Improve HTTP redirect following (#1637)

This implements HTTP redirect following in our own code.

The goals are:

1. All I/O is checked against `--allowed-resources` and
`--allowed-modules`, including HTTP redirects
2. HTTP rewrite rules can affect redirect following
3. HTTP headers can affect redirect following

---------

Co-authored-by: Islon Scherer <islonscherer@gmail.com>
Daniel Chao
2026-06-08 11:13:48 -07:00
committed by GitHub
parent b993cc3bb1
commit d012285f7d
36 changed files with 465 additions and 129 deletions
@@ -1295,7 +1295,7 @@ result = someLib.x
CliBaseOptions(
sourceModules = listOf(moduleUri),
workingDir = tempDir,
caCertificates = listOf(FileTestUtils.selfSignedCertificate),
caCertificates = listOf(FileTestUtils.selfSignedCertificatePem),
)
)
val buffer = ByteArrayOutputStream()
@@ -1337,7 +1337,7 @@ result = someLib.x
CliBaseOptions(
sourceModules = listOf(moduleUri),
workingDir = tempDir,
caCertificates = listOf(FileTestUtils.selfSignedCertificate),
caCertificates = listOf(FileTestUtils.selfSignedCertificatePem),
settings = settingsFile,
)
)
@@ -1367,7 +1367,7 @@ result = someLib.x
workingDir = tempDir,
moduleCacheDir = tempDir,
noCache = true,
caCertificates = listOf(FileTestUtils.selfSignedCertificate),
caCertificates = listOf(FileTestUtils.selfSignedCertificatePem),
testPort = packageServer.port,
)
)
@@ -1473,7 +1473,7 @@ result = someLib.x
sourceModules = listOf(URI("package://localhost:1/birds@0.5.0#/catalog/Ostrich.pkl")),
noCache = true,
httpProxy = URI(wwRuntimeInfo.httpBaseUrl),
caCertificates = listOf(FileTestUtils.selfSignedCertificate),
caCertificates = listOf(FileTestUtils.selfSignedCertificatePem),
allowedModules = SecurityManagers.defaultAllowedModules + Pattern.compile("http:"),
)
)
@@ -44,7 +44,7 @@ class CliPackageDownloaderTest {
baseOptions =
CliBaseOptions(
moduleCacheDir = tempDir,
caCertificates = listOf(FileTestUtils.selfSignedCertificate),
caCertificates = listOf(FileTestUtils.selfSignedCertificatePem),
testPort = server.port,
),
packageUris =
@@ -83,7 +83,7 @@ class CliPackageDownloaderTest {
baseOptions =
CliBaseOptions(
workingDir = tempDir,
caCertificates = listOf(FileTestUtils.selfSignedCertificate),
caCertificates = listOf(FileTestUtils.selfSignedCertificatePem),
testPort = server.port,
),
packageUris = listOf(PackageUri("package://localhost:0/birds@0.5.0")),
@@ -103,7 +103,7 @@ class CliPackageDownloaderTest {
baseOptions =
CliBaseOptions(
moduleCacheDir = tempDir,
caCertificates = listOf(FileTestUtils.selfSignedCertificate),
caCertificates = listOf(FileTestUtils.selfSignedCertificatePem),
testPort = server.port,
),
packageUris =
@@ -124,7 +124,7 @@ class CliPackageDownloaderTest {
baseOptions =
CliBaseOptions(
moduleCacheDir = tempDir,
caCertificates = listOf(FileTestUtils.selfSignedCertificate),
caCertificates = listOf(FileTestUtils.selfSignedCertificatePem),
testPort = server.port,
),
packageUris =
@@ -165,7 +165,7 @@ class CliPackageDownloaderTest {
baseOptions =
CliBaseOptions(
moduleCacheDir = tempDir,
caCertificates = listOf(FileTestUtils.selfSignedCertificate),
caCertificates = listOf(FileTestUtils.selfSignedCertificatePem),
testPort = server.port,
),
packageUris = listOf(PackageUri("package://localhost:0/badChecksum@1.0.0")),
@@ -184,7 +184,7 @@ class CliPackageDownloaderTest {
baseOptions =
CliBaseOptions(
moduleCacheDir = tempDir,
caCertificates = listOf(FileTestUtils.selfSignedCertificate),
caCertificates = listOf(FileTestUtils.selfSignedCertificatePem),
testPort = server.port,
),
packageUris =
@@ -221,7 +221,7 @@ class CliPackageDownloaderTest {
baseOptions =
CliBaseOptions(
moduleCacheDir = tempDir,
caCertificates = listOf(FileTestUtils.selfSignedCertificate),
caCertificates = listOf(FileTestUtils.selfSignedCertificatePem),
testPort = server.port,
),
packageUris = listOf(PackageUri("package://localhost:0/birds@0.5.0")),
@@ -967,7 +967,7 @@ class CliProjectPackagerTest {
CliProjectPackager(
CliBaseOptions(
workingDir = tempDir,
caCertificates = listOf(FileTestUtils.selfSignedCertificate),
caCertificates = listOf(FileTestUtils.selfSignedCertificatePem),
testPort = packageServer.port,
),
listOf(tempDir.resolve("project")),
@@ -1011,7 +1011,7 @@ class CliProjectPackagerTest {
CliProjectPackager(
CliBaseOptions(
workingDir = tempDir,
caCertificates = listOf(FileTestUtils.selfSignedCertificate),
caCertificates = listOf(FileTestUtils.selfSignedCertificatePem),
testPort = packageServer.port,
),
listOf(tempDir.resolve("project")),
@@ -87,7 +87,7 @@ class CliProjectResolverTest {
CliProjectResolver(
CliBaseOptions(
workingDir = tempDir,
caCertificates = listOf(FileTestUtils.selfSignedCertificate),
caCertificates = listOf(FileTestUtils.selfSignedCertificatePem),
testPort = packageServer.port,
noCache = true,
),
@@ -142,7 +142,7 @@ class CliProjectResolverTest {
CliProjectResolver(
CliBaseOptions(
workingDir = tempDir,
caCertificates = listOf(FileTestUtils.selfSignedCertificate),
caCertificates = listOf(FileTestUtils.selfSignedCertificatePem),
testPort = packageServer.port,
noCache = true,
),
@@ -240,7 +240,7 @@ class CliProjectResolverTest {
)
CliProjectResolver(
CliBaseOptions(
caCertificates = listOf(FileTestUtils.selfSignedCertificate),
caCertificates = listOf(FileTestUtils.selfSignedCertificatePem),
testPort = packageServer.port,
noCache = true,
),
@@ -322,7 +322,7 @@ class CliProjectResolverTest {
val errOut = StringWriter()
CliProjectResolver(
CliBaseOptions(
caCertificates = listOf(FileTestUtils.selfSignedCertificate),
caCertificates = listOf(FileTestUtils.selfSignedCertificatePem),
testPort = packageServer.port,
noCache = true,
),
@@ -397,7 +397,7 @@ class CliProjectResolverTest {
val errOut = StringWriter()
CliProjectResolver(
CliBaseOptions(
caCertificates = listOf(FileTestUtils.selfSignedCertificate),
caCertificates = listOf(FileTestUtils.selfSignedCertificatePem),
testPort = packageServer.port,
noCache = true,
),
@@ -484,7 +484,7 @@ class CliProjectResolverTest {
assertThatCode {
CliProjectResolver(
CliBaseOptions(
caCertificates = listOf(FileTestUtils.selfSignedCertificate),
caCertificates = listOf(FileTestUtils.selfSignedCertificatePem),
testPort = packageServer.port,
noCache = true,
),