#14847: fix(slack): preserve auth across Slack-hosted file redirects
Labels: channel: slack, stale, size: S
Cluster: Slack Media Handling Fixes
## Summary
- keep `Authorization: Bearer ...` on every request to Slack-owned hosts (`*.slack.com`, `*.slack-edge.com`, `*.slack-files.com`) during media fetches
- explicitly strip `Authorization` for non-Slack hosts to avoid token leakage
- skip saving payloads that look like Slack login HTML pages (`text/html` content-type or HTML body prefix)
## Why
Slack file URLs can redirect through multiple Slack-hosted endpoints before reaching media bytes. Previously, auth was sent only on the first request, so later Slack hops could return sign-in HTML that got saved as media (for example as `.png`).
## Tests
- `corepack pnpm vitest run src/slack/monitor/media.test.ts`
- added test: keeps Authorization header for Slack-hosted redirect hops
- added test: skips HTML login payloads instead of saving as media
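The following is an added illustration of the two behaviours this PR describes, not the PR's own code or the project's `resolveSlackMedia`: redirects are followed by hand and the `Authorization` header is re-decided on every hop (attached only to HTTPS Slack-owned hosts, dropped for everyone else), and a payload is refused when its content-type or body prefix says it is HTML. The host suffix list comes from the PR summary; the function names, the URLs and the in-memory fake server are constructed for the example. A flag reproduces the pre-fix behaviour (token on the first request only) so the difference is visible.

```typescript
// Added example, not the project's code. Host suffixes are from the PR; all names,
// URLs and the fake server below are constructed for illustration.

const SLACK_HOST_SUFFIXES = [".slack.com", ".slack-edge.com", ".slack-files.com"];

// True for the apex domain and any subdomain of the Slack-owned hosts; a lookalike
// such as "evil-slack.com" or "slack.com.attacker.test" does not match.
function isSlackHost(hostname: string): boolean {
  const h = hostname.toLowerCase();
  return SLACK_HOST_SUFFIXES.some((s) => h === s.slice(1) || h.endsWith(s));
}

// Per-hop header policy: the bearer token is attached only to https Slack hosts,
// so a redirect to any other origin never carries it.
function headersForHop(url: string, token: string): Record<string, string> {
  const u = new URL(url);
  const headers: Record<string, string> = { accept: "*/*" };
  if (u.protocol === "https:" && isSlackHost(u.hostname)) {
    headers.authorization = `Bearer ${token}`;
  }
  return headers;
}

// HTML guard: a text/html content-type or a sniffed "<!doctype html" / "<html" prefix
// marks the payload as a page (typically a sign-in page), not media.
function looksLikeHtml(contentType: string | undefined, body: Uint8Array): boolean {
  if (contentType && contentType.toLowerCase().startsWith("text/html")) return true;
  const prefix = new TextDecoder().decode(body.subarray(0, 64)).trimStart().toLowerCase();
  return prefix.startsWith("<!doctype html") || prefix.startsWith("<html");
}

type HopResponse = { status: number; headers: Record<string, string>; body: Uint8Array };
// Synchronous stand-in for fetch(url, { redirect: "manual" }) so the example runs offline.
type Fetcher = (url: string, headers: Record<string, string>) => HopResponse;
type FetchResult = { bytes: Uint8Array | null; hops: { url: string; sentAuth: boolean }[]; reason?: string };

// Follows redirects manually, re-applying the header policy on every hop.
// authEveryHop=false reproduces the pre-fix behaviour (auth on the first request only).
function fetchSlackMedia(startUrl: string, token: string, fetcher: Fetcher, authEveryHop = true, maxHops = 5): FetchResult {
  let url = startUrl;
  const hops: FetchResult["hops"] = [];
  for (let i = 0; i <= maxHops; i++) {
    const headers = authEveryHop || i === 0 ? headersForHop(url, token) : { accept: "*/*" };
    hops.push({ url, sentAuth: "authorization" in headers });
    const res = fetcher(url, headers);
    if (res.status >= 300 && res.status < 400 && res.headers.location) {
      url = new URL(res.headers.location, url).toString(); // resolve relative Location values
      continue;
    }
    if (res.status !== 200) return { bytes: null, hops, reason: `status ${res.status}` };
    if (looksLikeHtml(res.headers["content-type"], res.body)) return { bytes: null, hops, reason: "html payload skipped" };
    return { bytes: res.body, hops };
  }
  return { bytes: null, hops, reason: "too many redirects" };
}

// Constructed fake server: two Slack-owned hops that require the token (and serve a
// sign-in page without it), then a third-party CDN that must never see the token.
const PNG_MAGIC = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const LOGIN_HTML = new TextEncoder().encode("<!DOCTYPE html><html><body>Sign in to Slack</body></html>");
const redirect = (to: string): HopResponse => ({ status: 302, headers: { location: to }, body: new Uint8Array() });
const loginPage = (): HopResponse => ({ status: 200, headers: { "content-type": "text/html" }, body: LOGIN_HTML });

const fakeServer: Record<string, (authSent: boolean) => HopResponse> = {
  "https://files.slack.com/files-pri/T000/F000/photo.png": (auth) =>
    auth ? redirect("https://slack-files.com/T000-F000/photo.png") : loginPage(),
  "https://slack-files.com/T000-F000/photo.png": (auth) =>
    auth ? redirect("https://cdn.example-storage.test/blob/photo.png") : loginPage(),
  "https://cdn.example-storage.test/blob/photo.png": () =>
    ({ status: 200, headers: { "content-type": "image/png" }, body: PNG_MAGIC }),
};
const fakeFetcher: Fetcher = (url, headers) => {
  const route = fakeServer[url];
  if (!route) return { status: 404, headers: {}, body: new Uint8Array() };
  return route("authorization" in headers);
};

const START = "https://files.slack.com/files-pri/T000/F000/photo.png";
// Fixed behaviour: token on both Slack hops, stripped for the CDN, PNG bytes returned.
function demoFixed(): FetchResult { return fetchSlackMedia(START, "xoxb-constructed-token", fakeFetcher, true); }
// Pre-fix behaviour: second Slack hop gets no token, answers with a sign-in page, which the HTML guard rejects.
function demoPreFix(): FetchResult { return fetchSlackMedia(START, "xoxb-constructed-token", fakeFetcher, false); }

console.log("fixed:", demoFixed().hops.map((h) => `${new URL(h.url).hostname} auth=${h.sentAuth}`));
console.log("pre-fix:", demoPreFix().reason);
```

The policy is applied per hop from the hop's own URL rather than inherited from the previous request, which is what keeps a Slack-to-CDN redirect from carrying the token along; the HTML guard is the second line of defence for the case where an unauthenticated Slack hop still answers 200 with a sign-in page.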
<h2>Greptile Overview</h2>
<h3>Greptile Summary</h3>
This PR updates Slack media fetching to preserve `Authorization: Bearer <token>` across redirect hops that stay on Slack-owned HTTPS hostnames, while explicitly stripping `Authorization` on non-Slack hosts to avoid token leakage. It also adds a guard in `resolveSlackMedia` to skip saving responses that look like Slack login HTML (via `text/html` content-type or a `<!doctype html` / `<html` body prefix), preventing accidental persistence of login pages as media.
The accompanying tests extend `src/slack/monitor/media.test.ts` to cover Slack-hosted redirect hops retaining auth headers and to verify HTML/login payloads are ignored rather than saved.
<h3>Confidence Score: 5/5</h3>
- This PR is safe to merge with minimal risk.
- Changes are narrowly scoped to Slack media fetching, preserve SSRF-guarded redirect handling, and add tests covering the new auth/HTML-skip behavior. No regressions or unsafe token propagation were found in the updated fetch wrapper logic.
- No files require special attention