kubectx/internal
Ahmet Alp Balkan 19d813d567 Use case-insensitive comparison for Connection upgrade header
The isUpgrade() check used exact string match (== "Upgrade") for the
Connection header value. A client sending "Connection: upgrade"
(lowercase) would bypass this check. While not exploitable in practice
(the Upgrade header check catches real upgrades), this hardens the
proxy with defense-in-depth.

Also adds a comprehensive security test suite covering jailbreak
attempts: method override smuggling, path traversal, dryRun parameter
injection, upgrade header smuggling, review endpoint spoofing, unusual
HTTP methods, concurrent request filtering, and credential leakage.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 23:06:39 -04:00
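As an added illustration of the fix the message describes (example code, not kubectx's own), the pre-fix exact-match check sits beside a hardened one that treats Connection as the comma-separated, case-insensitive token list it is; the function shapes and the sample headers are assumptions:

```go
// Added example, not kubectx's own code. Connection is a comma-separated list of
// tokens and tokens are case-insensitive (RFC 9110), so the hardened check splits
// the header and compares each token with strings.EqualFold instead of ==.
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// isUpgradeExact mirrors the pre-fix behaviour: a case-sensitive whole-value match.
func isUpgradeExact(h http.Header) bool {
	return h.Get("Connection") == "Upgrade" && h.Get("Upgrade") != ""
}

// hasToken reports whether any comma-separated header value contains token,
// compared case-insensitively and ignoring surrounding whitespace.
func hasToken(values []string, token string) bool {
	for _, v := range values {
		for _, t := range strings.Split(v, ",") {
			if strings.EqualFold(strings.TrimSpace(t), token) {
				return true
			}
		}
	}
	return false
}

// isUpgrade is the hardened check: an "upgrade" token in any case, in any
// position of the Connection list, plus a non-empty Upgrade header.
func isUpgrade(h http.Header) bool {
	return hasToken(h.Values("Connection"), "upgrade") && h.Get("Upgrade") != ""
}

func main() {
	// Constructed sample values, including the lowercase variant from the commit message.
	for _, conn := range []string{"Upgrade", "upgrade", "keep-alive, Upgrade", "keep-alive"} {
		h := http.Header{}
		h.Set("Connection", conn)
		h.Set("Upgrade", "websocket")
		fmt.Printf("%-22q exact=%-5v hardened=%v\n", conn, isUpgradeExact(h), isUpgrade(h))
	}
}
```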