Fix properly treating different UNIX socket paths as different origins

sindresorhus · sindresorhus · commit e5659d401a4a · 2025-10-13T00:01:56.000+09:00
Fixes #2069
diff --git a/source/core/index.ts b/source/core/index.ts
@@ -32,7 +32,7 @@ import Options, {
 } from './options.js';
 import {isResponseOk, type PlainResponse, type Response} from './response.js';
 import isClientRequest from './utils/is-client-request.js';
-import isUnixSocketURL from './utils/is-unix-socket-url.js';
+import isUnixSocketURL, {getUnixSocketPath} from './utils/is-unix-socket-url.js';
 import {
 	RequestError,
 	ReadError,
@@ -831,7 +831,12 @@ export default class Request extends Duplex implements RequestEvents<Request> {
 					}
 
 					// Redirecting to a different site, clear sensitive data.
-					if (redirectUrl.hostname !== (url as URL).hostname || redirectUrl.port !== (url as URL).port) {
+					// For UNIX sockets, different socket paths are also different origins.
+					const isDifferentOrigin = redirectUrl.hostname !== (url as URL).hostname
+						|| redirectUrl.port !== (url as URL).port
+						|| getUnixSocketPath(url as URL) !== getUnixSocketPath(redirectUrl);
+
+					if (isDifferentOrigin) {
 						if ('host' in updatedOptions.headers) {
 							delete updatedOptions.headers.host;
 						}
diff --git a/source/core/utils/is-unix-socket-url.ts b/source/core/utils/is-unix-socket-url.ts
@@ -2,3 +2,26 @@
 export default function isUnixSocketURL(url: URL) {
 	return url.protocol === 'unix:' || url.hostname === 'unix';
 }
+
+/**
+Extract the socket path from a UNIX socket URL.
+
+@example
+```
+getUnixSocketPath(new URL('http://unix/foo:/path'));
+//=> '/foo'
+
+getUnixSocketPath(new URL('unix:/foo:/path'));
+//=> '/foo'
+
+getUnixSocketPath(new URL('http://example.com'));
+//=> undefined
+```
+*/
+export function getUnixSocketPath(url: URL): string | undefined {
+	if (!isUnixSocketURL(url)) {
+		return undefined;
+	}
+
+	return /(?<socketPath>.+?):(?<path>.+)/.exec(`${url.pathname}${url.search}`)?.groups?.socketPath;
+}
diff --git a/test/get-unix-socket-path.ts b/test/get-unix-socket-path.ts
@@ -0,0 +1,36 @@
+import test from 'ava';
+import {getUnixSocketPath} from '../source/core/utils/is-unix-socket-url.js';
+
+test('returns socket path for unix: protocol URLs', t => {
+	const url = new URL('unix:/foo/bar.sock:/path');
+	t.is(getUnixSocketPath(url), '/foo/bar.sock');
+});
+
+test('returns socket path for http://unix URLs', t => {
+	const url = new URL('http://unix/foo/bar.sock:/path');
+	t.is(getUnixSocketPath(url), '/foo/bar.sock');
+});
+
+test('returns different socket paths for different sockets', t => {
+	const url1 = new URL('http://unix/tmp/socket1:/path');
+	const url2 = new URL('http://unix/tmp/socket2:/path');
+
+	t.is(getUnixSocketPath(url1), '/tmp/socket1');
+	t.is(getUnixSocketPath(url2), '/tmp/socket2');
+	t.not(getUnixSocketPath(url1), getUnixSocketPath(url2));
+});
+
+test('returns undefined for regular HTTP URLs', t => {
+	const url = new URL('http://example.com/path');
+	t.is(getUnixSocketPath(url), undefined);
+});
+
+test('returns undefined for HTTPS URLs', t => {
+	const url = new URL('https://example.com/path');
+	t.is(getUnixSocketPath(url), undefined);
+});
+
+test('handles socket paths with special characters', t => {
+	const url = new URL('http://unix/tmp/my-app.sock:/api/endpoint');
+	t.is(getUnixSocketPath(url), '/tmp/my-app.sock');
+});
