Atlassian-connect-express 8.0.0 breaks all redirects?

Hi all (and @JamesD),

The most recent version of atlassian-connect-express (v8.0.0) seems to introduce a bug in its handling of server responses. The 8.0.0 release included a security change that was supposed to deny cross-protocol redirects. Instead, it denies all redirects. This can be a particular problem for code that tries to fetch data from Atlassian media services, among others.

The problem stems from the last line in the crossProtocolRedirectGuard() function in host-request.js:

return locationUri.protocol() === response.request.uri.protocol;

The locationUri object is of type URI (provided by a NPM module), while the response.request.uri uses the native URL interface.

The URL interface requires that the protocol field contain a trailing colon ('https:'), while the URI object’s protocol() function seemingly does not ('https').

This means that the comparison is always false, so all redirect responses are treated as errors.

A workaround is possible, which is to clone a corrected crossProtocolRedirectGuard function in your code and pass it into the followRedirect option in the ClientOptions object.

Could the ACE team please look at this and let everyone know if this is something that can be addressed?

5 Likes

Hi Scott

I really appreciate you reporting this and adding the extra analysis. :+1:

We will definitely look into this. I have added a bug to the backlog ACEJS-177

Although, I suspect this is something we will be able to address soon.

Thank you,
James

2 Likes

Hi Scott,

This should now be fixed in ACE 8.0.1.

Thank you,
James

3 Likes