actions/upload-artifact
3
0
Fork 0
mirror of https://github.com/actions/upload-artifact.git synced 2026-04-12 22:10:04 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Do not pass proxy headers to the proxy agent

Browse source
This commit is contained in:
joelwizard 2026-04-03 14:46:00 -07:00
parent bbbca2ddaa
commit 1203fabacc
No known key found for this signature in database
GPG key ID: 7DBA6660BE571D64
3 changed files with 31 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

12
dist/merge/index.js vendored
View file

@ -89375,16 +89375,22 @@ function setProxyAgentOnRequest(request, cachedAgents, proxyUrl) {
if (request.tlsSettings) {
log_logger.warning("TLS settings are not supported in combination with custom Proxy, certificates provided to the client will be ignored.");
}
const headers = request.headers.toJSON();
// Do NOT pass application-level request headers to the proxy agent.
// The `headers` option in HttpsProxyAgent/HttpProxyAgent specifies headers
// to include in the HTTP CONNECT request to the proxy server. Leaking
// application headers (Content-Type, x-ms-version, etc.) into the CONNECT
// handshake violates RFC 7231 §4.3.6 and causes strict proxies (e.g.
// Fortinet, Zscaler) to reject the tunnel, resulting in ECONNRESET.
// See: https://github.com/actions/upload-artifact/issues/XXX
if (isInsecure) {
if (!cachedAgents.httpProxyAgent) {
cachedAgents.httpProxyAgent = new http_proxy_agent_dist.HttpProxyAgent(proxyUrl, { headers });
cachedAgents.httpProxyAgent = new http_proxy_agent_dist.HttpProxyAgent(proxyUrl);
}
request.agent = cachedAgents.httpProxyAgent;
}
else {
if (!cachedAgents.httpsProxyAgent) {
cachedAgents.httpsProxyAgent = new dist.HttpsProxyAgent(proxyUrl, { headers });
cachedAgents.httpsProxyAgent = new dist.HttpsProxyAgent(proxyUrl);
}
request.agent = cachedAgents.httpsProxyAgent;
}

12
dist/upload/index.js vendored
View file

@ -86950,16 +86950,22 @@ function setProxyAgentOnRequest(request, cachedAgents, proxyUrl) {
if (request.tlsSettings) {
log_logger.warning("TLS settings are not supported in combination with custom Proxy, certificates provided to the client will be ignored.");
}
const headers = request.headers.toJSON();
// Do NOT pass application-level request headers to the proxy agent.
// The `headers` option in HttpsProxyAgent/HttpProxyAgent specifies headers
// to include in the HTTP CONNECT request to the proxy server. Leaking
// application headers (Content-Type, x-ms-version, etc.) into the CONNECT
// handshake violates RFC 7231 §4.3.6 and causes strict proxies (e.g.
// Fortinet, Zscaler) to reject the tunnel, resulting in ECONNRESET.
// See: https://github.com/actions/upload-artifact/issues/XXX
if (isInsecure) {
if (!cachedAgents.httpProxyAgent) {
cachedAgents.httpProxyAgent = new http_proxy_agent_dist.HttpProxyAgent(proxyUrl, { headers });
cachedAgents.httpProxyAgent = new http_proxy_agent_dist.HttpProxyAgent(proxyUrl);
}
request.agent = cachedAgents.httpProxyAgent;
}
else {
if (!cachedAgents.httpsProxyAgent) {
cachedAgents.httpsProxyAgent = new dist.HttpsProxyAgent(proxyUrl, { headers });
cachedAgents.httpsProxyAgent = new dist.HttpsProxyAgent(proxyUrl);
}
request.agent = cachedAgents.httpsProxyAgent;
}