Merge branch 'master' into deletePending

Author: beyondkmp

.changeset/brown-boxes-know.md

@@ -0,0 +1,5 @@
+---
+"app-builder-lib": patch
+---
+
+fix: add quotation marks around variable in AppArmor profile

.changeset/lovely-moose-worry.md

@@ -0,0 +1,17 @@
+---
+"builder-util-runtime": minor
+---
+
+fix: implement industry-standard cross-origin redirect auth handling
+
+Replace hardcoded service-specific hostname checks with sophisticated cross-origin redirect detection that matches industry standards from Python requests library and Apache HttpClient.
+
+**Key improvements:**
+- **Case-insensitive hostname comparison** for robust origin detection
+- **HTTP→HTTPS upgrade allowance** on standard ports (80→443) for backward compatibility
+- **Proper default port handling** that treats implicit and explicit default ports as equivalent
+- **Standards-compliant cross-origin detection** following RFC specifications
+
+**Fixes GitHub issue #9207:** GitHub release asset downloads failing with 403 Forbidden when redirected from `api.github.com` to `release-assets.githubusercontent.com` (Azure backend) or other cloud storage services that don't accept GitHub tokens.
+
+The implementation now handles all cross-origin redirect scenarios while maintaining compatibility with legitimate same-origin redirects and industry-standard HTTP→HTTPS upgrades.

.changeset/rotten-bags-carry.md

@@ -0,0 +1,5 @@
+---
+"electron-builder": patch
+---
+
+fix: fix argument names mismatch in publish command to make it work

.changeset/selfish-trees-begin.md

@@ -0,0 +1,5 @@
+---
+"app-builder-lib": patch
+---
+
+fix(nsis): Fix file associations according to the Windows documentation

.changeset/shaggy-garlics-joke.md

@@ -0,0 +1,5 @@
+---
+"builder-util": patch
+---
+
+fix: scrubbing more aggressively anything in the logs that MIGHT be password affiliated (handling spaces in secrets)

.changeset/sixty-mice-accept.md

@@ -0,0 +1,5 @@
+---
+
+---
+
+fix(deps): update dependency form-data to v4.0.4 [security]

.github/workflows/test.yaml

@@ -67,7 +67,7 @@ jobs:
       fail-fast: false
       matrix:
         testFiles:
-          - ArtifactPublisherTest,BuildTest,ExtraBuildTest,RepoSlugTest,binDownloadTest,configurationValidationTest,filenameUtilTest,filesTest,globTest,ignoreTest,macroExpanderTest,mainEntryTest,urlUtilTest,extraMetadataTest,linuxArchiveTest,linuxPackagerTest,HoistedNodeModuleTest,MemoLazyTest,HoistTest,ExtraBuildResourcesTest
+          - ArtifactPublisherTest,BuildTest,ExtraBuildTest,RepoSlugTest,binDownloadTest,configurationValidationTest,filenameUtilTest,filesTest,globTest,httpExecutorTest,ignoreTest,macroExpanderTest,mainEntryTest,urlUtilTest,extraMetadataTest,linuxArchiveTest,linuxPackagerTest,HoistedNodeModuleTest,MemoLazyTest,HoistTest,ExtraBuildResourcesTest,utilTest
           - snapTest,debTest,fpmTest,protonTest
           - winPackagerTest,winCodeSignTest,webInstallerTest
           - oneClickInstallerTest,assistedInstallerTest

packages/app-builder-lib/templates/linux/apparmor-profile.tpl

@@ -1,7 +1,7 @@
 abi <abi/4.0>,
 include <tunables/global>
 
-profile ${executable} "/opt/${sanitizedProductName}/${executable}" flags=(unconfined) {
+profile "${executable}" "/opt/${sanitizedProductName}/${executable}" flags=(unconfined) {
   userns,
 
   # Site-specific additions and overrides. See local/README for details.

packages/app-builder-lib/templates/nsis/include/FileAssociation.nsh

@@ -63,11 +63,8 @@
 ;
 
 !macro APP_ASSOCIATE EXT FILECLASS DESCRIPTION ICON COMMANDTEXT COMMAND
-  ; Backup the previously associated file class
-  ReadRegStr $R0 SHELL_CONTEXT "Software\Classes\.${EXT}" ""
-  WriteRegStr SHELL_CONTEXT "Software\Classes\.${EXT}" "${FILECLASS}_backup" "$R0"
-
   WriteRegStr SHELL_CONTEXT "Software\Classes\.${EXT}" "" "${FILECLASS}"
+  WriteRegNone SHELL_CONTEXT "Software\Classes\.${EXT}\OpenWithProgids" "${FILECLASS}"
 
   WriteRegStr SHELL_CONTEXT "Software\Classes\${FILECLASS}" "" `${DESCRIPTION}`
   WriteRegStr SHELL_CONTEXT "Software\Classes\${FILECLASS}\DefaultIcon" "" `${ICON}`
@@ -77,11 +74,8 @@
 !macroend
 
 !macro APP_ASSOCIATE_EX EXT FILECLASS DESCRIPTION ICON VERB DEFAULTVERB SHELLNEW COMMANDTEXT COMMAND
-  ; Backup the previously associated file class
-  ReadRegStr $R0 SHELL_CONTEXT "Software\Classes\.${EXT}" ""
-  WriteRegStr SHELL_CONTEXT "Software\Classes\.${EXT}" "${FILECLASS}_backup" "$R0"
-
   WriteRegStr SHELL_CONTEXT "Software\Classes\.${EXT}" "" "${FILECLASS}"
+  WriteRegNone SHELL_CONTEXT "Software\Classes\.${EXT}\OpenWithProgids" "${FILECLASS}"
   StrCmp "${SHELLNEW}" "0" +2
   WriteRegStr SHELL_CONTEXT "Software\Classes\.${EXT}\ShellNew" "NullFile" ""
 
@@ -103,10 +97,7 @@
 
 
 !macro APP_UNASSOCIATE EXT FILECLASS
-  ; Backup the previously associated file class
-  ReadRegStr $R0 SHELL_CONTEXT "Software\Classes\.${EXT}" `${FILECLASS}_backup`
-  WriteRegStr SHELL_CONTEXT "Software\Classes\.${EXT}" "" "$R0"
-
+  DeleteRegValue SHELL_CONTEXT "Software\Classes\.${EXT}\OpenWithProgids" "${FILECLASS}"
   DeleteRegKey SHELL_CONTEXT `Software\Classes\${FILECLASS}`
 !macroend
 
@@ -129,4 +120,4 @@
 ; Using the system.dll plugin to call the SHChangeNotify Win32 API function so we
 ; can update the shell.
   System::Call "shell32::SHChangeNotify(i,i,i,i) (${SHCNE_ASSOCCHANGED}, ${SHCNF_FLUSH}, 0, 0)"
-!macroend
+!macroend

packages/builder-util-runtime/src/httpExecutor.ts

@@ -319,14 +319,69 @@ Please double check that your authentication token is correct. Due to security r
     const newOptions = configureRequestOptionsFromUrl(redirectUrl, { ...options })
     const headers = newOptions.headers
     if (headers?.authorization) {
-      const parsedNewUrl = parseUrl(redirectUrl, options)
-      if (parsedNewUrl.hostname.endsWith(".amazonaws.com") || parsedNewUrl.searchParams.has("X-Amz-Credential")) {
+      // Parse original and redirect URLs to compare origins
+      const originalUrl = HttpExecutor.reconstructOriginalUrl(options)
+      const parsedRedirectUrl = parseUrl(redirectUrl, options)
+
+      // Strip authorization header on cross-origin redirects (different protocol, hostname, or port)
+      if (HttpExecutor.isCrossOriginRedirect(originalUrl, parsedRedirectUrl)) {
+        if (debug.enabled) {
+          debug(`Given the cross-origin redirect (from ${originalUrl.host} to ${parsedRedirectUrl.host}), the Authorization header will be stripped out.`)
+        }
         delete headers.authorization
       }
     }
     return newOptions
   }
 
+  private static reconstructOriginalUrl(options: RequestOptions): URL {
+    const protocol = options.protocol || "https:"
+    if (!options.hostname) {
+      throw new Error("Missing hostname in request options")
+    }
+    const hostname = options.hostname
+    const port = options.port ? `:${options.port}` : ""
+    const path = options.path || "/"
+    return new URL(`${protocol}//${hostname}${port}${path}`)
+  }
+
+  private static isCrossOriginRedirect(originalUrl: URL, redirectUrl: URL): boolean {
+    // Case-insensitive hostname comparison
+    if (originalUrl.hostname.toLowerCase() !== redirectUrl.hostname.toLowerCase()) {
+      return true
+    }
+
+    // Special case: allow http -> https redirect on same host with standard ports
+    // This matches the behavior of Python requests library for backward compatibility
+    // url.port returns an empty string if the port is omitted
+    // or explicitly set to the default port for a given protocol. 
+    if (
+      originalUrl.protocol === "http:" &&
+      // This can be replaced with `!originalUrl.port`, but for the sake of clarity.
+      ["80", ""].includes(originalUrl.port) &&
+      redirectUrl.protocol === "https:" &&
+      // This can be replaced with `!redirectUrl.port`, but for the sake of clarity.
+      ["443", ""].includes(redirectUrl.port)
+    ) {
+      return false
+    }
+
+    // According to RFC 7235, a change in protocol or port constitutes a cross-origin request.
+    // Forwarding authentication headers to a different origin can be a security risk.
+    // For example, https://example.com:443 and http://example.com:80 are different origins.
+    // We only make an exception for HTTP -> HTTPS upgrades on standard ports for backward compatibility.
+
+    // Strip auth on any other protocol change
+    if (originalUrl.protocol !== redirectUrl.protocol) {
+      return true
+    }
+
+    // Strip auth on port change (accounting for default ports)
+    const originalPort = originalUrl.port
+    const redirectPort = redirectUrl.port
+    return originalPort !== redirectPort
+  }
+
   static retryOnServerError(task: () => Promise<any>, maxRetries = 3) {
     for (let attemptNumber = 0; ; attemptNumber++) {
       try {