YunoHost-Apps / redirect_ynh

Redirection app for YunoHost
GNU Affero General Public License v3.0

Redirect App in private proxy mode reveals the user's password in plain to the target application #42

Open kuba-orlik opened 1 year ago

kuba-orlik commented 1 year ago

Describe the bug

When you use the Redirect app to proxy to some remote application, that remote application gets to know the password of the currently logged-in user.

Context

Steps to reproduce

  1. Install the application, redirecting it to, for example, a local port such as http://127.0.0.1:8080, and set it as a private proxy
  2. Open netcat to see the traffic incoming to the application by running nc -l -p 8080 on the server
  3. Visit the URL for the app created in step 1 and log in with your YunoHost credentials
  4. Look at the nc output

Expected behavior

The output should not contain the user's SSO password

Actual behavior

The output includes various pieces of information about the user, including their SSO password, unencrypted:

# nc -l -p 8081
GET / HTTP/1.1
Host: <redacted>
X-Real-IP: <redacted>
X-Forwarded-Proto: https
X-Forwarded-For: 
X-Forwarded-Host: <redacted>
X-Forwarded-Port: 443
Connection: upgrade
user-agent: <redacted>
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
accept-language: en
referer: <redacted>
dnt: 1
upgrade-insecure-requests: 1
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: same-site
sec-fetch-user: ?1
cookie: SSOwAuthUser=kuba; SSOwAuthHash=<redacted>; SSOwAuthExpire=<redacted>
Authorization: Basic <redacted !!! here's the password in base64>
Remote-User: <redacted>
Email: <redacted !! user email>
Name: <redacted !! full user name>
Auth-User: <redacted !! username>
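An added example (not part of the report or of redirect_ynh) for checking what a private-proxy upstream actually receives: it parses a raw request like the netcat capture above and reports which headers carry credentials or identity, redacting the secret itself. The Authorization value is only base64-encoded, not encrypted, so decoding it gives the username and password; the sample request and its values are constructed placeholders.

```python
import base64
from typing import Dict, List

# Constructed sample of a request as seen by the upstream; all values are placeholders.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: app.example.org\r\n"
    "X-Forwarded-Proto: https\r\n"
    "cookie: SSOwAuthUser=alice; SSOwAuthHash=deadbeef; SSOwAuthExpire=1700000000\r\n"
    "Authorization: Basic " + base64.b64encode(b"alice:hunter2").decode() + "\r\n"
    "Remote-User: alice\r\n"
    "Email: alice@example.org\r\n"
    "Name: Alice Example\r\n"
    "Auth-User: alice\r\n"
    "\r\n"
)

# Headers from the report that identify the logged-in user (lower-cased names).
IDENTITY_HEADERS = {"remote-user", "email", "name", "auth-user"}


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP/1.1 request into a lower-cased header name -> value map."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_upstream_request(raw: str) -> Dict[str, List[str]]:
    """Report credential-bearing and identity headers, never echoing the secret itself."""
    findings: Dict[str, List[str]] = {"credentials": [], "identity": []}
    for name, value in parse_headers(raw).items():
        if name == "authorization" and value.lower().startswith("basic "):
            try:  # decode only to learn whose password was forwarded
                user = base64.b64decode(value[6:]).decode().split(":", 1)[0]
            except Exception:
                user = "?"
            findings["credentials"].append(f"Authorization: Basic <password for {user} redacted>")
        elif name == "cookie" and "SSOwAuthHash=" in value:
            findings["credentials"].append("cookie: SSOwAuthHash=<redacted>")
        elif name in IDENTITY_HEADERS:
            findings["identity"].append(f"{name}: {value}")
    return findings


if __name__ == "__main__":
    for kind, items in audit_upstream_request(SAMPLE_REQUEST).items():
        print(kind, items)
```

Any entry under "credentials" means the upstream application can read the SSO password or session hash and should be treated as having received them.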