didericis/bot-bottle
1
0
Fork 0
Code Issues 5 Pull Requests 3 Actions Packages Projects Releases Wiki Activity

egress: require opt-in for HTTPS git fetch
test / unit (pull_request) Successful in 42s
Details
test / integration (pull_request) Successful in 27s
Details
lint / lint (push) Successful in 1m53s
Details
test / unit (push) Successful in 41s
Details
test / integration (push) Successful in 23s
Details
Update Quality Badges / update-badges (push) Successful in 1m35s
Details

Browse Source
This commit was merged in pull request #227.
This commit is contained in:
didericis (codex)
2026-06-10 07:00:01 +00:00
parent acb9cd67c6
commit 3f04567290
8 changed files with 240 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
bot_bottle/egress_addon.py
+14
View File
@@ -21,6 +21,8 @@ from egress_addon_core import ( # type: ignore[import-not-found] # pylint: dis
build_inbound_scan_text,
build_outbound_scan_text,
decide,
decide_git_fetch,
is_git_fetch_request,
is_git_push_request,
load_config,
match_route,
@@ -181,6 +183,18 @@ class EgressAddon:
)
return
if is_git_fetch_request(request_path, query):
git_decision = decide_git_fetch(
self.config.routes, flow.request.pretty_host,
)
if git_decision.action == "block":
self._block(
flow,
git_decision.reason,
ctx=self._req_ctx(flow),
)
return
# Strip agent-set Authorization after DLP scan so smuggled tokens
# are caught above; the route may inject sidecar-owned auth below.
flow.request.headers.pop("authorization", None)