Summary
In pkg/virtual/builder/edges_proxy_builder.go:107, for the upgrade path (exec/port-forward), the user's original Authorization header is not stripped before the raw request is written to the device connection:
// upgrade path — Authorization NOT stripped before forwarding
if err := r.Write(deviceConn); err != nil { ... }
The agent side overwrites it with its own bearer token, so the final credential used is the agent's. However, the user's OIDC token unnecessarily transits the revdial tunnel to the agent's HTTP listener.
Risk
Minor information leakage: user OIDC tokens are forwarded to the agent process unnecessarily. If the agent is compromised or logs request headers, user tokens are exposed.
Recommendation
Strip Authorization header before writing the raw request to the device connection in the upgrade path, matching the behavior of the non-upgrade proxy Director.
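The recommended change, sketched as an added example rather than the project's own code: forwardUpgradeRequest clones the request, drops the user's Authorization header and only then serializes it to the device connection, and rawRequestLeaksAuthorization checks the bytes that would actually cross the revdial tunnel. The function names, the URL and the placeholder token are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// forwardUpgradeRequest writes the raw upgrade request to the device connection
// with the user's Authorization header removed, matching what the non-upgrade
// proxy Director does. The caller's request is left untouched (cloned first) so
// audit logging or later handling still sees the original headers.
func forwardUpgradeRequest(r *http.Request, deviceConn io.Writer) error {
	fwd := r.Clone(r.Context())
	fwd.Header.Del("Authorization")
	// Write emits request line, headers and body in HTTP/1.1 wire format.
	return fwd.Write(deviceConn)
}

// rawRequestLeaksAuthorization reports whether a serialized request still carries
// an Authorization header line, i.e. whether a token would reach the agent.
func rawRequestLeaksAuthorization(raw []byte) bool {
	for _, line := range strings.Split(string(raw), "\r\n") {
		if strings.HasPrefix(strings.ToLower(line), "authorization:") {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: an exec-style upgrade request carrying a user bearer token.
	req, _ := http.NewRequest(http.MethodGet, "http://device.local/exec?command=sh", nil)
	req.Header.Set("Authorization", "Bearer user-oidc-token-placeholder")
	req.Header.Set("Connection", "Upgrade")
	req.Header.Set("Upgrade", "websocket")

	var before, after bytes.Buffer
	_ = req.Write(&before)                 // current behaviour: token forwarded as-is
	_ = forwardUpgradeRequest(req, &after) // recommended behaviour: token stripped
	fmt.Println("token on the wire (current):    ", rawRequestLeaksAuthorization(before.Bytes()))
	fmt.Println("token on the wire (recommended):", rawRequestLeaksAuthorization(after.Bytes()))
}
```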