From cc4258bf9d935fdcebb98c8d9ae9223db242e81f Mon Sep 17 00:00:00 2001
From: stffabi
Date: Mon, 8 Jul 2019 17:56:04 +0200
Subject: [PATCH] Remove X-Forwarded-(Uri, Method, Tls-Client-Cert and Tls-Client-Cert-Info) from untrusted IP
---
 .../forwardedheaders/forwarded_header.go | 24 +++--
 .../forwardedheaders/forwarded_header_test.go | 90 +++++++++++++++----
 2 files changed, 87 insertions(+), 27 deletions(-)
diff --git a/pkg/middlewares/forwardedheaders/forwarded_header.go b/pkg/middlewares/forwardedheaders/forwarded_header.go
index 74bdc3941..09f350353 100644
--- a/pkg/middlewares/forwardedheaders/forwarded_header.go
+++ b/pkg/middlewares/forwardedheaders/forwarded_header.go
@@ -10,14 +10,18 @@ import (
 )
 const (
- xForwardedProto = "X-Forwarded-Proto"
- xForwardedFor = "X-Forwarded-For"
- xForwardedHost = "X-Forwarded-Host"
- xForwardedPort = "X-Forwarded-Port"
- xForwardedServer = "X-Forwarded-Server"
- xRealIP = "X-Real-Ip"
- connection = "Connection"
- upgrade = "Upgrade"
+ xForwardedProto = "X-Forwarded-Proto"
+ xForwardedFor = "X-Forwarded-For"
+ xForwardedHost = "X-Forwarded-Host"
+ xForwardedPort = "X-Forwarded-Port"
+ xForwardedServer = "X-Forwarded-Server"
+ xForwardedURI = "X-Forwarded-Uri"
+ xForwardedMethod = "X-Forwarded-Method"
+ xForwardedTLSClientCert = "X-Forwarded-Tls-Client-Cert"
+ xForwardedTLSClientCertInfo = "X-Forwarded-Tls-Client-Cert-Info"
+ xRealIP = "X-Real-Ip"
+ connection = "Connection"
+ upgrade = "Upgrade"
 )
 var xHeaders = []string{
@@ -26,6 +30,10 @@ var xHeaders = []string{
 xForwardedHost,
 xForwardedPort,
 xForwardedServer,
+ xForwardedURI,
+ xForwardedMethod,
+ xForwardedTLSClientCert,
+ xForwardedTLSClientCertInfo,
 xRealIP,
 }
diff --git a/pkg/middlewares/forwardedheaders/forwarded_header_test.go b/pkg/middlewares/forwardedheaders/forwarded_header_test.go
index dbcf04b41..0db1f638a 100644
--- a/pkg/middlewares/forwardedheaders/forwarded_header_test.go
+++ b/pkg/middlewares/forwardedheaders/forwarded_header_test.go
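Review bot: The enlarged `xHeaders` list in the second hunk carries no documentation of what membership means: nothing at the declaration says these headers are removed from requests whose remote address is not in the trusted list unless insecure mode is on, which is the contract the new test expectations encode. Add a doc comment on the slice, e.g. `// xHeaders are the forwarding headers removed from requests that do not originate from a trusted IP (unless insecure is set); any new X-Forwarded-* header consumed by a downstream middleware must be added here.` The four string constants added in the first hunk are private to this file, so if the middlewares that consume the TLS client certificate headers keep their own copies of these names the two lists can drift apart silently; either reference one shared constant or at least name that dependency in the comment. The loop that actually strips xHeaders sits outside both hunks, so whether it goes through Header.Del (whose canonicalisation the test's "X-Forwarded-for" spelling relies on) cannot be confirmed from this patch.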
@@ -28,79 +28,131 @@ func TestServeHTTP(t *testing.T) {
 remoteAddr: "",
 incomingHeaders: map[string]string{},
 expectedHeaders: map[string]string{
- "X-Forwarded-for": "",
+ "X-Forwarded-for": "",
+ "X-Forwarded-Uri": "",
+ "X-Forwarded-Method": "",
+ "X-Forwarded-Tls-Client-Cert": "",
+ "X-Forwarded-Tls-Client-Cert-Info": "",
 },
 },
 {
- desc: "insecure true with incoming X-Forwarded-For",
+ desc: "insecure true with incoming X-Forwarded headers",
 insecure: true,
 trustedIps: nil,
 remoteAddr: "",
 incomingHeaders: map[string]string{
- "X-Forwarded-for": "10.0.1.0, 10.0.1.12",
+ "X-Forwarded-for": "10.0.1.0, 10.0.1.12",
+ "X-Forwarded-Uri": "/bar",
+ "X-Forwarded-Method": "GET",
+ "X-Forwarded-Tls-Client-Cert": "Cert",
+ "X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
 },
 expectedHeaders: map[string]string{
- "X-Forwarded-for": "10.0.1.0, 10.0.1.12",
+ "X-Forwarded-for": "10.0.1.0, 10.0.1.12",
+ "X-Forwarded-Uri": "/bar",
+ "X-Forwarded-Method": "GET",
+ "X-Forwarded-Tls-Client-Cert": "Cert",
+ "X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
 },
 },
 {
- desc: "insecure false with incoming X-Forwarded-For",
+ desc: "insecure false with incoming X-Forwarded headers",
 insecure: false,
 trustedIps: nil,
 remoteAddr: "",
 incomingHeaders: map[string]string{
- "X-Forwarded-for": "10.0.1.0, 10.0.1.12",
+ "X-Forwarded-for": "10.0.1.0, 10.0.1.12",
+ "X-Forwarded-Uri": "/bar",
+ "X-Forwarded-Method": "GET",
+ "X-Forwarded-Tls-Client-Cert": "Cert",
+ "X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
 },
 expectedHeaders: map[string]string{
- "X-Forwarded-for": "",
+ "X-Forwarded-for": "",
+ "X-Forwarded-Uri": "",
+ "X-Forwarded-Method": "",
+ "X-Forwarded-Tls-Client-Cert": "",
+ "X-Forwarded-Tls-Client-Cert-Info": "",
 },
 },
 {
- desc: "insecure false with incoming X-Forwarded-For and valid Trusted Ips",
+ desc: "insecure false with incoming X-Forwarded headers and valid Trusted Ips",
 insecure: false,
 trustedIps: []string{"10.0.1.100"},
 remoteAddr: "10.0.1.100:80",
 incomingHeaders: map[string]string{
- "X-Forwarded-for": "10.0.1.0, 10.0.1.12",
+ "X-Forwarded-for": "10.0.1.0, 10.0.1.12",
+ "X-Forwarded-Uri": "/bar",
+ "X-Forwarded-Method": "GET",
+ "X-Forwarded-Tls-Client-Cert": "Cert",
+ "X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
 },
 expectedHeaders: map[string]string{
- "X-Forwarded-for": "10.0.1.0, 10.0.1.12",
+ "X-Forwarded-for": "10.0.1.0, 10.0.1.12",
+ "X-Forwarded-Uri": "/bar",
+ "X-Forwarded-Method": "GET",
+ "X-Forwarded-Tls-Client-Cert": "Cert",
+ "X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
 },
 },
 {
- desc: "insecure false with incoming X-Forwarded-For and invalid Trusted Ips",
+ desc: "insecure false with incoming X-Forwarded headers and invalid Trusted Ips",
 insecure: false,
 trustedIps: []string{"10.0.1.100"},
 remoteAddr: "10.0.1.101:80",
 incomingHeaders: map[string]string{
- "X-Forwarded-for": "10.0.1.0, 10.0.1.12",
+ "X-Forwarded-for": "10.0.1.0, 10.0.1.12",
+ "X-Forwarded-Uri": "/bar",
+ "X-Forwarded-Method": "GET",
+ "X-Forwarded-Tls-Client-Cert": "Cert",
+ "X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
 },
 expectedHeaders: map[string]string{
- "X-Forwarded-for": "",
+ "X-Forwarded-for": "",
+ "X-Forwarded-Uri": "",
+ "X-Forwarded-Method": "",
+ "X-Forwarded-Tls-Client-Cert": "",
+ "X-Forwarded-Tls-Client-Cert-Info": "",
 },
 },
 {
- desc: "insecure false with incoming X-Forwarded-For and valid Trusted Ips CIDR",
+ desc: "insecure false with incoming X-Forwarded headers and valid Trusted Ips CIDR",
 insecure: false,
 trustedIps: []string{"1.2.3.4/24"},
 remoteAddr: "1.2.3.156:80",
 incomingHeaders: map[string]string{
- "X-Forwarded-for": "10.0.1.0, 10.0.1.12",
+ "X-Forwarded-for": "10.0.1.0, 10.0.1.12",
+ "X-Forwarded-Uri": "/bar",
+ "X-Forwarded-Method": "GET",
+ "X-Forwarded-Tls-Client-Cert": "Cert",
+ "X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
 },
 expectedHeaders: map[string]string{
- "X-Forwarded-for": "10.0.1.0, 10.0.1.12",
+ "X-Forwarded-for": "10.0.1.0, 10.0.1.12",
+ "X-Forwarded-Uri": "/bar",
+ "X-Forwarded-Method": "GET",
+ "X-Forwarded-Tls-Client-Cert": "Cert",
+ "X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
 },
 },
 {
- desc: "insecure false with incoming X-Forwarded-For and invalid Trusted Ips CIDR",
+ desc: "insecure false with incoming X-Forwarded headers and invalid Trusted Ips CIDR",
 insecure: false,
 trustedIps: []string{"1.2.3.4/24"},
 remoteAddr: "10.0.1.101:80",
 incomingHeaders: map[string]string{
- "X-Forwarded-for": "10.0.1.0, 10.0.1.12",
+ "X-Forwarded-for": "10.0.1.0, 10.0.1.12",
+ "X-Forwarded-Uri": "/bar",
+ "X-Forwarded-Method": "GET",
+ "X-Forwarded-Tls-Client-Cert": "Cert",
+ "X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
 },
 expectedHeaders: map[string]string{
- "X-Forwarded-for": "",
+ "X-Forwarded-for": "",
+ "X-Forwarded-Uri": "",
+ "X-Forwarded-Method": "",
+ "X-Forwarded-Tls-Client-Cert": "",
+ "X-Forwarded-Tls-Client-Cert-Info": "",
 },
 },
 {