Limit GitHub tokens to github.com download URLs

2026-05-12 10:36:57 +00:00 · 2026-05-11 17:52:04 +01:00
parent 88aa608651
commit 2f9f369997
3 changed files with 47 additions and 6 deletions
--- a/tests/download/download-version.test.ts
+++ b/tests/download/download-version.test.ts
@@ -223,7 +223,7 @@ describe("download-version", () => {
      );
    });

-    it("does not rewrite non-GitHub URLs", async () => {
+    it("does not send the token to non-GitHub URLs from the default manifest", async () => {
      mockGetArtifact.mockResolvedValue({
        archiveFormat: "tar.gz",
        checksum: "abc123",
@@ -241,8 +241,30 @@ describe("download-version", () => {
      expect(mockDownloadTool).toHaveBeenCalledWith(
        "https://example.com/uv.tar.gz",
        undefined,
+        undefined,
+      );
+    });
+
+    it("does not send the token to GitHub lookalike hosts", async () => {
+      mockGetArtifact.mockResolvedValue({
+        archiveFormat: "tar.gz",
+        checksum: "abc123",
+        downloadUrl: "https://github.com.evil.test/uv.tar.gz",
+      });
+
+      await downloadVersion(
+        "unknown-linux-gnu",
+        "x86_64",
+        "0.9.26",
+        undefined,
        "token",
      );
+
+      expect(mockDownloadTool).toHaveBeenCalledWith(
+        "https://github.com.evil.test/uv.tar.gz",
+        undefined,
+        undefined,
+      );
    });

    it("falls back to GitHub Releases when the mirror fails", async () => {