From b889b0191c72845679d24c9faafd8bd167d39c52 Mon Sep 17 00:00:00 2001
From: stffabi
Date: Mon, 12 Nov 2018 17:06:04 +0100
Subject: [PATCH] Remove X-Forwarded-Uri and X-Forwarded-Method from untrusted IP

---
 server/header_rewriter.go | 8 +++++++
 server/header_rewriter_test.go | 38 +++++++++++++++++++++++-----------
 2 files changed, 34 insertions(+), 12 deletions(-)

diff --git a/server/header_rewriter.go b/server/header_rewriter.go
index b4b46b2d7..b9ee1dc17 100644
--- a/server/header_rewriter.go
+++ b/server/header_rewriter.go
@@ -7,6 +7,12 @@ import (
 "github.com/containous/traefik/log"
 "github.com/containous/traefik/whitelist"
 "github.com/vulcand/oxy/forward"
+ "github.com/vulcand/oxy/utils"
+)
+
+const (
+ xForwardedURI = "X-Forwarded-Uri"
+ xForwardedMethod = "X-Forwarded-Method"
 )
 
 // NewHeaderRewriter Create a header rewriter
@@ -45,6 +51,8 @@ func (h *headerRewriter) Rewrite(req *http.Request) {
 err := h.ips.IsAuthorized(req)
 if err != nil {
 log.Debug(err)
+ // Remove additional X-Forwarded Headers which are used by the forward authentication
+ utils.RemoveHeaders(req.Header, xForwardedURI, xForwardedMethod)
 h.secureRewriter.Rewrite(req)
 return
 }
diff --git a/server/header_rewriter_test.go b/server/header_rewriter_test.go
index 7e5df3bbf..4e5244e9b 100644
--- a/server/header_rewriter_test.go
+++ b/server/header_rewriter_test.go
@@ -23,8 +23,10 @@ func TestHeaderRewriter_Rewrite(t *testing.T) {
 trustedIPs: []string{"10.10.10.10"},
 insecure: false,
 expected: map[string]string{
- "X-Foo": "bar",
- "X-Forwarded-For": "30.30.30.30",
+ "X-Foo": "bar",
+ "X-Forwarded-For": "30.30.30.30",
+ "X-Forwarded-Uri": "/bar",
+ "X-Forwarded-Method": "GET",
 },
 },
 {
@@ -33,8 +35,10 @@ func TestHeaderRewriter_Rewrite(t *testing.T) {
 trustedIPs: []string{"10.10.10.10"},
 insecure: false,
 expected: map[string]string{
- "X-Foo": "bar",
- "X-Forwarded-For": "",
+ "X-Foo": "bar",
+ "X-Forwarded-For": "",
+ "X-Forwarded-Uri": "",
+ "X-Forwarded-Method": "",
 },
 },
 {
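Review bot: The new `const` block has no doc comment, so the reason these two header names exist next to the import block is only discoverable from the call site in Rewrite. Suggest `// Headers that forward authentication reads from the request; they are only trusted when the client IP is whitelisted.` above `const (`. The identifiers follow Go initialism style while the values keep the wire form ("X-Forwarded-Uri"); if `utils.RemoveHeaders` deletes through `http.Header.Del`, as it appears to, the casing of the value is irrelevant because of canonicalisation, and a short comment saying so would save the next reader the check.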
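Review bot: The stripping is correctly placed before `h.secureRewriter.Rewrite(req)` in the untrusted branch, but the added comment only says the headers are "used by" forward authentication and does not state why they must go: a client outside the trusted IP list could otherwise supply the URI and method that forward authentication sees. Suggest `// Clients outside the trusted IP list must not be able to supply the URI/method that forward authentication acts on.` in place of the current comment. If the forward-auth middleware also reads these headers from the incoming request itself (that code is outside this patch), it should apply the same trust check rather than rely on this rewriter being present in the chain. Rewrite's body begins and ends outside the hunk.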
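Review bot: An expected value of `""` for X-Forwarded-Uri and X-Forwarded-Method in this untrusted-IP case cannot distinguish a header that was removed from one that is present with an empty value, if the assertion loop (outside the hunk) compares through `req.Header.Get`. Since the fix is specifically a removal, consider asserting absence for these two, e.g. `if _, ok := req.Header["X-Forwarded-Uri"]; ok { t.Errorf("X-Forwarded-Uri should have been removed") }`, or adding a `removed []string` field to the table. The same applies to the hunk at @@ -43,8 +47,10. The enclosing test function starts and ends outside the hunk.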
@@ -43,8 +47,10 @@ func TestHeaderRewriter_Rewrite(t *testing.T) {
 trustedIPs: []string{"10.10.10.10"},
 insecure: false,
 expected: map[string]string{
- "X-Foo": "bar",
- "X-Forwarded-For": "",
+ "X-Foo": "bar",
+ "X-Forwarded-For": "",
+ "X-Forwarded-Uri": "",
+ "X-Forwarded-Method": "",
 },
 },
 {
@@ -53,8 +59,10 @@ func TestHeaderRewriter_Rewrite(t *testing.T) {
 trustedIPs: []string{"10.10.10.10"},
 insecure: true,
 expected: map[string]string{
- "X-Foo": "bar",
- "X-Forwarded-For": "30.30.30.30",
+ "X-Foo": "bar",
+ "X-Forwarded-For": "30.30.30.30",
+ "X-Forwarded-Uri": "/bar",
+ "X-Forwarded-Method": "GET",
 },
 },
 {
@@ -63,8 +71,10 @@ func TestHeaderRewriter_Rewrite(t *testing.T) {
 trustedIPs: []string{"10.10.10.10"},
 insecure: true,
 expected: map[string]string{
- "X-Foo": "bar",
- "X-Forwarded-For": "30.30.30.30",
+ "X-Foo": "bar",
+ "X-Forwarded-For": "30.30.30.30",
+ "X-Forwarded-Uri": "/bar",
+ "X-Forwarded-Method": "GET",
 },
 },
 {
@@ -73,8 +83,10 @@ func TestHeaderRewriter_Rewrite(t *testing.T) {
 trustedIPs: []string{"10.10.10.10"},
 insecure: true,
 expected: map[string]string{
- "X-Foo": "bar",
- "X-Forwarded-For": "30.30.30.30",
+ "X-Foo": "bar",
+ "X-Forwarded-For": "30.30.30.30",
+ "X-Forwarded-Uri": "/bar",
+ "X-Forwarded-Method": "GET",
 },
 },
 }
@@ -93,6 +105,8 @@ func TestHeaderRewriter_Rewrite(t *testing.T) {
 req.Header.Set("X-Foo", "bar")
 req.Header.Set("X-Forwarded-For", "30.30.30.30")
+ req.Header.Set("X-Forwarded-Uri", "/bar")
+ req.Header.Set("X-Forwarded-Method", "GET")
 rewriter.Rewrite(req)