
#14847: fix(slack): preserve auth across Slack-hosted file redirects

by natashache · open · 2026-02-12 18:15
labels: channel: slack · stale · size: S
## Summary

- keep `Authorization: Bearer ...` on every request to Slack-owned hosts (`*.slack.com`, `*.slack-edge.com`, `*.slack-files.com`) during media fetches
- explicitly strip `Authorization` for non-Slack hosts to avoid token leakage
- skip saving payloads that look like Slack login HTML pages (`text/html` content-type or HTML body prefix)

## Why

Slack file URLs can redirect through multiple Slack-hosted endpoints before reaching media bytes. Previously auth was only sent on the first request, so later Slack hops could return sign-in HTML that got saved as media (for example as `.png`).

## Tests

- `corepack pnpm vitest run src/slack/monitor/media.test.ts`
- added test: keeps Authorization header for Slack-hosted redirect hops
- added test: skips HTML login payloads instead of saving as media

## Greptile Overview

### Greptile Summary

This PR updates Slack media fetching to preserve `Authorization: Bearer <token>` across redirect hops that stay on Slack-owned HTTPS hostnames, while explicitly stripping `Authorization` on non-Slack hosts to avoid token leakage. It also adds a guard in `resolveSlackMedia` to skip saving responses that look like Slack login HTML (via `text/html` content-type or a `<!doctype html` / `<html` body prefix), preventing accidental persistence of login pages as media. The accompanying tests extend `src/slack/monitor/media.test.ts` to cover Slack-hosted redirect hops retaining auth headers and to verify HTML/login payloads are ignored rather than saved.

### Confidence Score: 5/5

- This PR is safe to merge with minimal risk.
- Changes are narrowly scoped to Slack media fetching, preserve SSRF-guarded redirect handling, and add tests covering the new auth/HTML-skip behavior. No regressions or unsafe token propagation were found in the updated fetch wrapper logic.
- No files require special attention
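The behaviour the PR description and the review summary both describe, as an added example that is not code from this PR or from the project: redirects are followed by hand so that every hop decides afresh whether to attach the bearer token (only HTTPS requests to subdomains of the three Slack-owned zones get it, so an off-Slack `Location` never inherits it), and any `text/html` or HTML-prefixed body is rejected instead of being saved as media. The `fakeSlack` fixture, its hostnames and paths, the token value and the `resolveSlackMedia` signature are all assumptions made for the example; the SSRF guard on redirect targets that the review mentions is not modelled here.

```typescript
// Added example (not the PR's code): a model of the fetch wrapper the PR
// describes. Redirects are followed by hand so that each hop decides afresh
// whether to attach the bearer token, and HTML bodies are never saved as media.
// The SSRF guard on redirect targets mentioned in the review is left out here.

const SLACK_HOST_SUFFIXES = [".slack.com", ".slack-edge.com", ".slack-files.com"];

export interface MockResponse {
  status: number;
  headers: Record<string, string>; // header names lower-cased
  body: string;
}
export type FetchLike = (url: string, headers: Record<string, string>) => MockResponse;
export interface Hop { url: string; hadAuth: boolean }
export interface MediaResult { ok: boolean; reason?: string; body?: string; hops: Hop[] }

// True for subdomains of the Slack-owned zones only: "evil-slack.com" and
// "files.slack.com.attacker.test" must not match.
export function isSlackHost(hostname: string): boolean {
  const h = hostname.toLowerCase();
  return SLACK_HOST_SUFFIXES.some((suffix) => h.endsWith(suffix));
}

// Scheme and hostname of an absolute URL (userinfo and port dropped), or null.
export function hostOf(url: string): { scheme: string; host: string } | null {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]+)/i.exec(url);
  if (!m) return null;
  const authority = m[2].slice(m[2].lastIndexOf("@") + 1);
  return { scheme: m[1].toLowerCase(), host: authority.replace(/:\d+$/, "").toLowerCase() };
}

// Resolve a Location header against the current URL (absolute or path-only).
function resolveLocation(base: string, location: string): string {
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(location)) return location;
  const origin = /^[a-z][a-z0-9+.-]*:\/\/[^/?#]+/i.exec(base)?.[0] ?? "";
  return location.startsWith("/") ? origin + location : `${origin}/${location}`;
}

// Same heuristic as the PR: text/html content-type or an HTML document prefix.
export function looksLikeHtml(res: MockResponse): boolean {
  if ((res.headers["content-type"] ?? "").toLowerCase().startsWith("text/html")) return true;
  const prefix = res.body.trimStart().slice(0, 14).toLowerCase();
  return prefix.startsWith("<!doctype html") || prefix.startsWith("<html");
}

export function resolveSlackMedia(
  startUrl: string, token: string, fetchImpl: FetchLike, maxRedirects = 5,
): MediaResult {
  const hops: Hop[] = [];
  let url = startUrl;
  for (let i = 0; i <= maxRedirects; i++) {
    const target = hostOf(url);
    const headers: Record<string, string> = { accept: "*/*" };
    // Attach the token only for HTTPS requests to Slack-owned hosts. Because the
    // header map is rebuilt per hop, an off-Slack Location never inherits it.
    const sendAuth = target !== null && target.scheme === "https" && isSlackHost(target.host);
    if (sendAuth) headers.authorization = `Bearer ${token}`;
    hops.push({ url, hadAuth: sendAuth });
    const res = fetchImpl(url, headers);
    if (res.status >= 300 && res.status < 400) {
      const location = res.headers["location"];
      if (!location) return { ok: false, reason: "redirect without Location", hops };
      url = resolveLocation(url, location);
      continue;
    }
    if (res.status !== 200) return { ok: false, reason: `http ${res.status}`, hops };
    if (looksLikeHtml(res)) return { ok: false, reason: "html payload, not media", hops };
    return { ok: true, body: res.body, hops };
  }
  return { ok: false, reason: "too many redirects", hops };
}

// Constructed fixture, not real Slack traffic: a Slack-hosted redirect chain
// that answers with a sign-in page whenever a hop arrives without the token,
// plus one redirect that leaves Slack and must not receive it.
export const TOKEN = "xoxb-test-token";
export const PNG = "\u0089PNG\r\n\u001a\n<fake png bytes>";
const LOGIN_HTML = "<!DOCTYPE html><html><body>Sign in to Slack</body></html>";
const SIGN_IN = { status: 200, headers: { "content-type": "text/html" }, body: LOGIN_HTML };

export function fakeSlack(seen: Record<string, string | undefined>): FetchLike {
  return (url, headers) => {
    seen[url] = headers.authorization; // record what each host was sent
    const authed = headers.authorization === `Bearer ${TOKEN}`;
    const redirect = (to: string): MockResponse => ({ status: 302, headers: { location: to }, body: "" });
    switch (url) {
      case "https://files.slack.com/files-pri/T1-F1/cat.png":
        return authed ? redirect("/files-pri/T1-F1/download/cat.png") : SIGN_IN;
      case "https://files.slack.com/files-pri/T1-F1/download/cat.png":
        return authed ? redirect("https://media.slack-edge.com/T1-F1/cat.png") : SIGN_IN;
      case "https://media.slack-edge.com/T1-F1/cat.png":
        return authed ? { status: 200, headers: { "content-type": "image/png" }, body: PNG } : SIGN_IN;
      case "https://files.slack.com/files-pri/T1-F2/external":
        return redirect("https://cdn.example.com/shared.png");
      case "https://cdn.example.com/shared.png":
        return { status: 200, headers: { "content-type": "image/png" }, body: PNG };
      default:
        return { status: 404, headers: {}, body: "" };
    }
  };
}
```

Running `resolveSlackMedia` against `fakeSlack` with the right token walks all three Slack hops with the header attached and returns the image; with a wrong token the first hop's sign-in page is rejected rather than written to disk, and the `T1-F2/external` chain shows the `cdn.example.com` request arriving with no `authorization` key at all, which is the token-leak case the PR's second bullet guards against.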
