Release 2.14.5: Security fixes and dependency upgrades

Security:
- Backport GHSA-cmxv-58fp-fm3g: strip Authorization and Proxy-Authorization
  headers on cross-origin, scheme-downgrade, or port-mismatch redirects.
- Add stripAuthorizationOnRedirect config flag (default false) for users
  who need to always strip credentials even on same-origin redirects.
- Clear realm and proxyRealm on future when stripping to prevent
  NettyRequestFactory from regenerating auth headers on redirect.

Tests:
- New RedirectCredentialSecurityTest for cross-origin redirect scenarios.
- New HttpsDowngradeRedirectTest for HTTPS-to-HTTP scheme downgrade.
- New StripAuthorizationOnRedirectHttpTest for the new config flag.
- New DefaultAsyncHttpClientConfigTest for config default coverage.

Dependencies:
- netty 4.1.65.Final -> 4.1.121.Final (CVE fixes)
- slf4j 1.7.30 -> 1.7.36
- netty-reactive-streams 2.0.4 -> 2.0.17
- rxjava2 2.2.10 -> 2.2.21
- logback 1.2.3 -> 1.2.13
- testng 7.1.0 -> 7.5.1 (last Java 8 compatible)
- commons-io 2.6 -> 2.21.0
- commons-fileupload 1.4 -> 1.6.0
- hamcrest-core -> hamcrest 2.2
- jetty pinned at 9.4.18.v20190429 (9.4.58 changes 401 socket behavior)
- tomcat pinned at 9.0.31 (9.0.117 changes WebDAV response format)

CI:
- Add release.yml workflow for Maven Central publishing.
- Update maven.yml to trigger on 2.14.5 branch with Corretto JDK 8.

Test fixes:
- InputStreamTest.available() now honors InputStream contract by
  returning 0 after EOF (Netty 4.1.65+ correctly rejects always-1).
- CookieStoreTest replaces Guava Sets.newHashSet with HashSet
  (TestNG 7.5+ no longer pulls transitive Guava).
- TestUtils uses SslContextFactory.Server (base class deprecated).

Author: hyperxpro

.github/workflows/maven.yml

@@ -5,16 +5,19 @@ name: Test PR
 
 on:
   pull_request:
-    branches: [ master ]
+    branches: [ master, 2.14.5 ]
+  push:
+    branches: [ 2.14.5 ]
 
 jobs:
   build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-    - name: Set up JDK 1.8
-      uses: actions/setup-java@v1
+    - uses: actions/checkout@v6
+    - name: Set up JDK 8
+      uses: actions/setup-java@v5
       with:
-        java-version: 1.8
+        java-version: 8
+        distribution: 'corretto'
     - name: Build and test with Maven
-      run: mvn test -Ptest-output
+      run: mvn test -ntp -B -Ptest-output

.github/workflows/release.yml

@@ -0,0 +1,68 @@
+name: Release 2.x
+
+on:
+  push:
+    branches:
+      - 2.14.5
+
+  workflow_dispatch:
+    inputs:
+      snapshot:
+        description: 'Deploy SNAPSHOT'
+        type: boolean
+        default: false
+
+permissions:
+  contents: read
+
+jobs:
+
+  deploy:
+    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: actions/setup-java@v5
+        with:
+          distribution: 'corretto'
+          java-version: '8'
+
+      - name: Validate SNAPSHOT version
+        if: inputs.snapshot == true
+        run: |
+          VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)
+          if [[ "$VERSION" != *-SNAPSHOT ]]; then
+            echo "::error::Version $VERSION is not a SNAPSHOT version"
+            exit 1
+          fi
+
+      - name: Remove old Maven Settings
+        run: rm -f /home/runner/.m2/settings.xml
+
+      - name: Maven Settings
+        uses: s4u/maven-settings-action@v4.0.0
+        with:
+          servers: |
+            [{
+              "id": "sonatype-nexus-staging",
+              "username": "${{ secrets.OSSRH_USERNAME }}",
+              "password": "${{ secrets.OSSRH_PASSWORD }}"
+            },
+            {
+              "id": "ossrh",
+              "username": "${{ secrets.OSSRH_USERNAME }}",
+              "password": "${{ secrets.OSSRH_PASSWORD }}"
+            }]
+
+      - name: Import GPG
+        uses: crazy-max/ghaction-import-gpg@v7.0.0
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+
+      - name: Deploy
+        env:
+            GPG_KEY_NAME: ${{ secrets.GPG_KEY_NAME }}
+            GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+        run: mvn -B -ntp deploy -DskipTests -Dgpg.keyname=${GPG_KEY_NAME} -Dgpg.passphrase=${GPG_PASSPHRASE}

bom/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <groupId>org.asynchttpclient</groupId>
         <artifactId>async-http-client-project</artifactId>
-        <version>2.12.4</version>
+        <version>2.14.5</version>
     </parent>
 
     <artifactId>async-http-client-bom</artifactId>

client/pom.xml

@@ -2,7 +2,7 @@
   <parent>
     <groupId>org.asynchttpclient</groupId>
     <artifactId>async-http-client-project</artifactId>
-    <version>2.12.4</version>
+    <version>2.14.5</version>
   </parent>
   <modelVersion>4.0.0</modelVersion>
   <artifactId>async-http-client</artifactId>

client/src/main/java/org/asynchttpclient/AsyncHttpClientConfig.java

@@ -347,6 +347,15 @@ public interface AsyncHttpClientConfig {
 
   int getIoThreadsCount();
 
+  /**
+   * Indicates whether the Authorization header should be stripped during redirects to a different domain.
+   *
+   * @return true if the Authorization header should be stripped, false otherwise.
+   */
+  default boolean isStripAuthorizationOnRedirect() {
+    return false;
+  }
+
   enum ResponseBodyPartFactory {
 
     EAGER {

client/src/main/java/org/asynchttpclient/DefaultAsyncHttpClientConfig.java

@@ -63,6 +63,7 @@ public class DefaultAsyncHttpClientConfig implements AsyncHttpClientConfig {
   private final boolean keepEncodingHeader;
   private final ProxyServerSelector proxyServerSelector;
   private final boolean validateResponseHeaders;
+  private final boolean stripAuthorizationOnRedirect;
 
   // websockets
   private final boolean aggregateWebSocketFrameFragments;
@@ -153,6 +154,7 @@ private DefaultAsyncHttpClientConfig(// http
                                        boolean validateResponseHeaders,
                                        boolean aggregateWebSocketFrameFragments,
                                        boolean enablewebSocketCompression,
+                                       boolean stripAuthorizationOnRedirect,
 
                                        // timeouts
                                        int connectTimeout,
@@ -239,6 +241,7 @@ private DefaultAsyncHttpClientConfig(// http
     this.keepEncodingHeader = keepEncodingHeader;
     this.proxyServerSelector = proxyServerSelector;
     this.validateResponseHeaders = validateResponseHeaders;
+    this.stripAuthorizationOnRedirect = stripAuthorizationOnRedirect;
 
     // websocket
     this.aggregateWebSocketFrameFragments = aggregateWebSocketFrameFragments;
@@ -483,6 +486,11 @@ public boolean isValidateResponseHeaders() {
     return validateResponseHeaders;
   }
 
+  @Override
+  public boolean isStripAuthorizationOnRedirect() {
+    return stripAuthorizationOnRedirect;
+  }
+
   // ssl
   @Override
   public boolean isUseOpenSsl() {
@@ -713,6 +721,7 @@ public static class Builder {
     private boolean useProxySelector = defaultUseProxySelector();
     private boolean useProxyProperties = defaultUseProxyProperties();
     private boolean validateResponseHeaders = defaultValidateResponseHeaders();
+    private boolean stripAuthorizationOnRedirect = false; // default value
 
     // websocket
     private boolean aggregateWebSocketFrameFragments = defaultAggregateWebSocketFrameFragments();
@@ -801,6 +810,7 @@ public Builder(AsyncHttpClientConfig config) {
       disableZeroCopy = config.isDisableZeroCopy();
       keepEncodingHeader = config.isKeepEncodingHeader();
       proxyServerSelector = config.getProxyServerSelector();
+      stripAuthorizationOnRedirect = config.isStripAuthorizationOnRedirect();
 
       // websocket
       aggregateWebSocketFrameFragments = config.isAggregateWebSocketFrameFragments();
@@ -935,6 +945,11 @@ public Builder setProxyServerSelector(ProxyServerSelector proxyServerSelector) {
       return this;
     }
 
+    public Builder setStripAuthorizationOnRedirect(boolean value) {
+      this.stripAuthorizationOnRedirect = value;
+      return this;
+    }
+
     public Builder setValidateResponseHeaders(boolean validateResponseHeaders) {
       this.validateResponseHeaders = validateResponseHeaders;
       return this;
@@ -1314,6 +1329,7 @@ public DefaultAsyncHttpClientConfig build() {
               validateResponseHeaders,
               aggregateWebSocketFrameFragments,
               enablewebSocketCompression,
+              stripAuthorizationOnRedirect,
               connectTimeout,
               requestTimeout,
               readTimeout,

client/src/main/java/org/asynchttpclient/netty/handler/intercept/Redirect30xInterceptor.java

@@ -62,11 +62,13 @@ public class Redirect30xInterceptor {
   private final AsyncHttpClientConfig config;
   private final NettyRequestSender requestSender;
   private final MaxRedirectException maxRedirectException;
+  private final boolean stripAuthorizationOnRedirect;
 
   Redirect30xInterceptor(ChannelManager channelManager, AsyncHttpClientConfig config, NettyRequestSender requestSender) {
     this.channelManager = channelManager;
     this.config = config;
     this.requestSender = requestSender;
+    this.stripAuthorizationOnRedirect = config.isStripAuthorizationOnRedirect();
     maxRedirectException = unknownStackTrace(new MaxRedirectException("Maximum redirect reached: " + config.getMaxRedirects()), Redirect30xInterceptor.class,
             "exitAfterHandlingRedirect");
   }
@@ -92,15 +94,35 @@ public boolean exitAfterHandlingRedirect(Channel channel,
                 && !originalMethod.equals(OPTIONS) && !originalMethod.equals(HEAD) && (statusCode == MOVED_PERMANENTLY_301 || statusCode == SEE_OTHER_303 || (statusCode == FOUND_302 && !config.isStrict302Handling()));
         boolean keepBody = statusCode == TEMPORARY_REDIRECT_307 || statusCode == PERMANENT_REDIRECT_308 || (statusCode == FOUND_302 && config.isStrict302Handling());
 
+        HttpHeaders responseHeaders = response.headers();
+        String location = responseHeaders.get(LOCATION);
+        Uri newUri = Uri.create(future.getUri(), location);
+        LOGGER.debug("Redirecting to {}", newUri);
+
+        boolean sameBase = request.getUri().isSameBase(newUri);
+        boolean schemeDowngrade = request.getUri().isSecured() && !newUri.isSecured();
+        boolean stripAuth = !sameBase || schemeDowngrade || stripAuthorizationOnRedirect;
+
+        if (stripAuth && (request.getRealm() != null || request.getHeaders().contains(AUTHORIZATION))) {
+          LOGGER.debug("Stripping credentials on redirect to {}", newUri);
+        }
+
         final RequestBuilder requestBuilder = new RequestBuilder(switchToGet ? GET : originalMethod)
                 .setChannelPoolPartitioning(request.getChannelPoolPartitioning())
                 .setFollowRedirect(true)
                 .setLocalAddress(request.getLocalAddress())
                 .setNameResolver(request.getNameResolver())
                 .setProxyServer(request.getProxyServer())
-                .setRealm(request.getRealm())
+                .setRealm(stripAuth ? null : request.getRealm())
                 .setRequestTimeout(request.getRequestTimeout());
 
+        if (stripAuth) {
+          // Clear both realms on the future so NettyRequestFactory cannot regenerate
+          // Authorization or Proxy-Authorization headers on the redirected request.
+          future.setRealm(null);
+          future.setProxyRealm(null);
+        }
+
         if (keepBody) {
           requestBuilder.setCharset(request.getCharset());
           if (isNonEmpty(request.getFormParams()))
@@ -118,18 +140,13 @@ else if (isNonEmpty(request.getBodyParts())) {
           }
         }
 
-        requestBuilder.setHeaders(propagatedHeaders(request, realm, keepBody));
+        requestBuilder.setHeaders(propagatedHeaders(request, realm, keepBody, stripAuth));
 
         // in case of a redirect from HTTP to HTTPS, future
         // attributes might change
         final boolean initialConnectionKeepAlive = future.isKeepAlive();
         final Object initialPartitionKey = future.getPartitionKey();
 
-        HttpHeaders responseHeaders = response.headers();
-        String location = responseHeaders.get(LOCATION);
-        Uri newUri = Uri.create(future.getUri(), location);
-        LOGGER.debug("Redirecting to {}", newUri);
-
         CookieStore cookieStore = config.getCookieStore();
         if (cookieStore != null) {
           // Update request's cookies assuming that cookie store is already updated by Interceptors
@@ -140,8 +157,6 @@ else if (isNonEmpty(request.getBodyParts())) {
             }
         }
 
-        boolean sameBase = request.getUri().isSameBase(newUri);
-
         if (sameBase) {
           // we can only assume the virtual host is still valid if the baseUrl is the same
           requestBuilder.setVirtualHost(request.getVirtualHost());
@@ -174,7 +189,7 @@ else if (isNonEmpty(request.getBodyParts())) {
     return false;
   }
 
-  private HttpHeaders propagatedHeaders(Request request, Realm realm, boolean keepBody) {
+  private HttpHeaders propagatedHeaders(Request request, Realm realm, boolean keepBody, boolean stripAuthorization) {
 
     HttpHeaders headers = request.getHeaders()
             .remove(HOST)
@@ -184,7 +199,7 @@ private HttpHeaders propagatedHeaders(Request request, Realm realm, boolean keep
       headers.remove(CONTENT_TYPE);
     }
 
-    if (realm != null && realm.getScheme() == AuthScheme.NTLM) {
+    if (stripAuthorization || (realm != null && realm.getScheme() == AuthScheme.NTLM)) {
       headers.remove(AUTHORIZATION)
               .remove(PROXY_AUTHORIZATION);
     }

client/src/test/java/org/asynchttpclient/CookieStoreTest.java

@@ -28,14 +28,14 @@
 import org.testng.annotations.BeforeClass;
 import org.testng.annotations.Test;
 
+import java.util.Arrays;
 import java.util.Collection;
+import java.util.HashSet;
 import java.util.List;
 import java.util.stream.Collectors;
 
 import static org.testng.Assert.assertTrue;
 
-import com.google.common.collect.Sets;
-
 public class CookieStoreTest {
 
   private final Logger logger = LoggerFactory.getLogger(getClass());
@@ -359,7 +359,7 @@ private void shouldCleanExpiredCookieFromUnderlyingDataStructure() throws Except
     store.evictExpired();
     assertTrue(store.getUnderlying().size() == 2);
     Collection<String> unexpiredCookieNames = store.getAll().stream().map(Cookie::name).collect(Collectors.toList());
-    assertTrue(unexpiredCookieNames.containsAll(Sets.newHashSet("UNEXPIRED_BAR", "UNEXPIRED_FOOBAR")));
+    assertTrue(unexpiredCookieNames.containsAll(new HashSet<>(Arrays.asList("UNEXPIRED_BAR", "UNEXPIRED_FOOBAR"))));
   }
 
   private static Cookie getCookie(String key, String value, int maxAge) {

client/src/test/java/org/asynchttpclient/DefaultAsyncHttpClientConfigTest.java

@@ -0,0 +1,46 @@
+/*
+ *    Copyright (c) 2015-2026 AsyncHttpClient Project. All rights reserved.
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+package org.asynchttpclient;
+
+import org.testng.annotations.Test;
+
+import static org.testng.Assert.assertFalse;
+import static org.testng.Assert.assertTrue;
+
+public class DefaultAsyncHttpClientConfigTest {
+
+  @Test
+  public void testStripAuthorizationOnRedirect_DefaultIsFalse() {
+    DefaultAsyncHttpClientConfig config = new DefaultAsyncHttpClientConfig.Builder().build();
+    assertFalse(config.isStripAuthorizationOnRedirect(), "Default should be false");
+  }
+
+  @Test
+  public void testStripAuthorizationOnRedirect_SetTrue() {
+    DefaultAsyncHttpClientConfig config = new DefaultAsyncHttpClientConfig.Builder()
+            .setStripAuthorizationOnRedirect(true)
+            .build();
+    assertTrue(config.isStripAuthorizationOnRedirect(), "Should be true when set");
+  }
+
+  @Test
+  public void testStripAuthorizationOnRedirect_SetFalse() {
+    DefaultAsyncHttpClientConfig config = new DefaultAsyncHttpClientConfig.Builder()
+            .setStripAuthorizationOnRedirect(false)
+            .build();
+    assertFalse(config.isStripAuthorizationOnRedirect(), "Should be false when set to false");
+  }
+}