Remove X-Forwarded-(Uri, Method, Tls-Client-Cert and Tls-Client-Cert-Info) from untrusted IP
This commit is contained in:
parent
0ee5d3d83f
commit
cc4258bf9d
2 changed files with 87 additions and 27 deletions
|
@ -10,14 +10,18 @@ import (
|
|||
)
|
||||
|
||||
const (
|
||||
xForwardedProto = "X-Forwarded-Proto"
|
||||
xForwardedFor = "X-Forwarded-For"
|
||||
xForwardedHost = "X-Forwarded-Host"
|
||||
xForwardedPort = "X-Forwarded-Port"
|
||||
xForwardedServer = "X-Forwarded-Server"
|
||||
xRealIP = "X-Real-Ip"
|
||||
connection = "Connection"
|
||||
upgrade = "Upgrade"
|
||||
xForwardedProto = "X-Forwarded-Proto"
|
||||
xForwardedFor = "X-Forwarded-For"
|
||||
xForwardedHost = "X-Forwarded-Host"
|
||||
xForwardedPort = "X-Forwarded-Port"
|
||||
xForwardedServer = "X-Forwarded-Server"
|
||||
xForwardedURI = "X-Forwarded-Uri"
|
||||
xForwardedMethod = "X-Forwarded-Method"
|
||||
xForwardedTLSClientCert = "X-Forwarded-Tls-Client-Cert"
|
||||
xForwardedTLSClientCertInfo = "X-Forwarded-Tls-Client-Cert-Info"
|
||||
xRealIP = "X-Real-Ip"
|
||||
connection = "Connection"
|
||||
upgrade = "Upgrade"
|
||||
)
|
||||
|
||||
var xHeaders = []string{
|
||||
|
@ -26,6 +30,10 @@ var xHeaders = []string{
|
|||
xForwardedHost,
|
||||
xForwardedPort,
|
||||
xForwardedServer,
|
||||
xForwardedURI,
|
||||
xForwardedMethod,
|
||||
xForwardedTLSClientCert,
|
||||
xForwardedTLSClientCertInfo,
|
||||
xRealIP,
|
||||
}
|
||||
|
||||
|
|
|
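Review bot: The `xHeaders` slice in the second hunk is now the only place that decides which client-supplied forwarding headers an untrusted peer cannot inject, yet its declaration carries no comment stating that role, so the next header a backend starts trusting is easy to forget here. I would add above it `// xHeaders lists every forwarding header that is stripped from requests whose peer address is not trusted; any header a backend relies on for client identity, routing or TLS identity must be added here.` — the same maintenance point applies to the new constants in the first hunk, which otherwise read as plain name declarations. The code that consumes the list is outside both hunks; if it removes entries with `http.Header.Del`, the lookup is canonicalized and the mixed-case `X-Forwarded-for` used in the tests is covered, but a raw map access would not be, which is worth confirming. If the backends also honor the standard `Forwarded` header (RFC 7239), it belongs in this list as well; that depends on the rest of the file and is only a suggestion.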
@ -28,79 +28,131 @@ func TestServeHTTP(t *testing.T) {
|
|||
remoteAddr: "",
|
||||
incomingHeaders: map[string]string{},
|
||||
expectedHeaders: map[string]string{
|
||||
"X-Forwarded-for": "",
|
||||
"X-Forwarded-for": "",
|
||||
"X-Forwarded-Uri": "",
|
||||
"X-Forwarded-Method": "",
|
||||
"X-Forwarded-Tls-Client-Cert": "",
|
||||
"X-Forwarded-Tls-Client-Cert-Info": "",
|
||||
},
|
||||
},
|
||||
{
|
||||
desc: "insecure true with incoming X-Forwarded-For",
|
||||
desc: "insecure true with incoming X-Forwarded headers",
|
||||
insecure: true,
|
||||
trustedIps: nil,
|
||||
remoteAddr: "",
|
||||
incomingHeaders: map[string]string{
|
||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||
"X-Forwarded-Uri": "/bar",
|
||||
"X-Forwarded-Method": "GET",
|
||||
"X-Forwarded-Tls-Client-Cert": "Cert",
|
||||
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
|
||||
},
|
||||
expectedHeaders: map[string]string{
|
||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||
"X-Forwarded-Uri": "/bar",
|
||||
"X-Forwarded-Method": "GET",
|
||||
"X-Forwarded-Tls-Client-Cert": "Cert",
|
||||
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
|
||||
},
|
||||
},
|
||||
{
|
||||
desc: "insecure false with incoming X-Forwarded-For",
|
||||
desc: "insecure false with incoming X-Forwarded headers",
|
||||
insecure: false,
|
||||
trustedIps: nil,
|
||||
remoteAddr: "",
|
||||
incomingHeaders: map[string]string{
|
||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||
"X-Forwarded-Uri": "/bar",
|
||||
"X-Forwarded-Method": "GET",
|
||||
"X-Forwarded-Tls-Client-Cert": "Cert",
|
||||
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
|
||||
},
|
||||
expectedHeaders: map[string]string{
|
||||
"X-Forwarded-for": "",
|
||||
"X-Forwarded-for": "",
|
||||
"X-Forwarded-Uri": "",
|
||||
"X-Forwarded-Method": "",
|
||||
"X-Forwarded-Tls-Client-Cert": "",
|
||||
"X-Forwarded-Tls-Client-Cert-Info": "",
|
||||
},
|
||||
},
|
||||
{
|
||||
desc: "insecure false with incoming X-Forwarded-For and valid Trusted Ips",
|
||||
desc: "insecure false with incoming X-Forwarded headers and valid Trusted Ips",
|
||||
insecure: false,
|
||||
trustedIps: []string{"10.0.1.100"},
|
||||
remoteAddr: "10.0.1.100:80",
|
||||
incomingHeaders: map[string]string{
|
||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||
"X-Forwarded-Uri": "/bar",
|
||||
"X-Forwarded-Method": "GET",
|
||||
"X-Forwarded-Tls-Client-Cert": "Cert",
|
||||
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
|
||||
},
|
||||
expectedHeaders: map[string]string{
|
||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||
"X-Forwarded-Uri": "/bar",
|
||||
"X-Forwarded-Method": "GET",
|
||||
"X-Forwarded-Tls-Client-Cert": "Cert",
|
||||
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
|
||||
},
|
||||
},
|
||||
{
|
||||
desc: "insecure false with incoming X-Forwarded-For and invalid Trusted Ips",
|
||||
desc: "insecure false with incoming X-Forwarded headers and invalid Trusted Ips",
|
||||
insecure: false,
|
||||
trustedIps: []string{"10.0.1.100"},
|
||||
remoteAddr: "10.0.1.101:80",
|
||||
incomingHeaders: map[string]string{
|
||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||
"X-Forwarded-Uri": "/bar",
|
||||
"X-Forwarded-Method": "GET",
|
||||
"X-Forwarded-Tls-Client-Cert": "Cert",
|
||||
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
|
||||
},
|
||||
expectedHeaders: map[string]string{
|
||||
"X-Forwarded-for": "",
|
||||
"X-Forwarded-for": "",
|
||||
"X-Forwarded-Uri": "",
|
||||
"X-Forwarded-Method": "",
|
||||
"X-Forwarded-Tls-Client-Cert": "",
|
||||
"X-Forwarded-Tls-Client-Cert-Info": "",
|
||||
},
|
||||
},
|
||||
{
|
||||
desc: "insecure false with incoming X-Forwarded-For and valid Trusted Ips CIDR",
|
||||
desc: "insecure false with incoming X-Forwarded headers and valid Trusted Ips CIDR",
|
||||
insecure: false,
|
||||
trustedIps: []string{"1.2.3.4/24"},
|
||||
remoteAddr: "1.2.3.156:80",
|
||||
incomingHeaders: map[string]string{
|
||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||
"X-Forwarded-Uri": "/bar",
|
||||
"X-Forwarded-Method": "GET",
|
||||
"X-Forwarded-Tls-Client-Cert": "Cert",
|
||||
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
|
||||
},
|
||||
expectedHeaders: map[string]string{
|
||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||
"X-Forwarded-Uri": "/bar",
|
||||
"X-Forwarded-Method": "GET",
|
||||
"X-Forwarded-Tls-Client-Cert": "Cert",
|
||||
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
|
||||
},
|
||||
},
|
||||
{
|
||||
desc: "insecure false with incoming X-Forwarded-For and invalid Trusted Ips CIDR",
|
||||
desc: "insecure false with incoming X-Forwarded headers and invalid Trusted Ips CIDR",
|
||||
insecure: false,
|
||||
trustedIps: []string{"1.2.3.4/24"},
|
||||
remoteAddr: "10.0.1.101:80",
|
||||
incomingHeaders: map[string]string{
|
||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||
"X-Forwarded-Uri": "/bar",
|
||||
"X-Forwarded-Method": "GET",
|
||||
"X-Forwarded-Tls-Client-Cert": "Cert",
|
||||
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
|
||||
},
|
||||
expectedHeaders: map[string]string{
|
||||
"X-Forwarded-for": "",
|
||||
"X-Forwarded-for": "",
|
||||
"X-Forwarded-Uri": "",
|
||||
"X-Forwarded-Method": "",
|
||||
"X-Forwarded-Tls-Client-Cert": "",
|
||||
"X-Forwarded-Tls-Client-Cert-Info": "",
|
||||
},
|
||||
},
|
||||
{
|
||||
|
|