Skip to content

Guard against infinite redirections in downloadFileFromUrl with redirect counter #6670

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Copilot wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Guard against infinite redirections in downloadFileFromUrl with redirect counter #6670

Copilot wants to merge 7 commits into from

Conversation

Copy link
Contributor

Copilot AI commented Jun 16, 2025
edited
Loading

The downloadFileFromUrl function in vscode/npm-package/install.ts was vulnerable to infinite redirect loops, which could cause memory exhaustion, CPU exhaustion, and potential denial-of-service attacks. The function recursively followed HTTP redirects without any limit, making it susceptible to redirect loops.

Changes Made

Core Fix

  • Added maxRedirects parameter with a default value of 10 to limit the number of redirects
  • Added redirectCount parameter to track the current number of redirects in the chain
  • Added validation to reject requests when the redirect limit is exceeded
  • Enhanced error handling for both network errors and file system errors

Before

function downloadFileFromUrl(url: string, destinationPath: string): Promise<void> {
  return new Promise((resolve) => {
    https.get(url, (response: any) => {
      if (response.statusCode && response.statusCode >= 300 && response.statusCode < 400 && response.headers.location) {
        resolve(downloadFileFromUrl(response.headers.location, destinationPath));
      } else {
        // ... file writing logic
      }
    });
  });
}

After

function downloadFileFromUrl(url: string, destinationPath: string, maxRedirects: number = 10, redirectCount: number = 0): Promise<void> {
  return new Promise((resolve, reject) => {
    https.get(url, (response: any) => {
      if (response.statusCode && response.statusCode >= 300 && response.statusCode < 400 && response.headers.location) {
        if (redirectCount >= maxRedirects) {
          reject(new Error(`Too many redirects. Maximum of ${maxRedirects} redirects allowed.`));
          return;
        }
        resolve(downloadFileFromUrl(response.headers.location, destinationPath, maxRedirects, redirectCount + 1));
      } else {
        // ... file writing logic with error handling
      }
    }).on('error', (error: Error) => {
      reject(error);
    });
  });
}

Protection Against

  • Infinite redirect loops: Prevents stack overflow and memory exhaustion
  • CPU exhaustion: Limits computational resources consumed by redirect chains
  • Denial-of-service attacks: Protects against malicious servers that return redirect loops

Backward Compatibility

  • Existing code continues to work unchanged due to default parameter values
  • The change is completely transparent to existing callers

Testing

  • Added comprehensive unit tests to verify redirect limit enforcement
  • Tests cover successful downloads, limited redirects, and infinite redirect scenarios
  • Build passes with no TypeScript compilation errors
  • Linting passes with no new style issues

Fixes #6293.

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

Copilot AI changed the title [WIP] Guard for situations with infinite redirections by using a counter. Guard against infinite redirections in downloadFileFromUrl with redirect counter Jun 16, 2025
Copilot AI requested a review from baywet June 16, 2025 19:01
baywet
baywet requested changes Jun 17, 2025
View reviewed changes
@baywet baywet marked this pull request as ready for review June 17, 2025 14:33
@baywet baywet requested a review from a team as a code owner June 17, 2025 14:33
@baywet baywet enabled auto-merge June 17, 2025 14:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@baywet baywet baywet approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

@baywet baywet

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Guard for situations with infinite redirections by using a counter.

2 participants

@baywet