Skip to content

feat(elbv2): add dropInvalidHeaderFields for elbv2 #22466

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 19, 2022
Merged

feat(elbv2): add dropInvalidHeaderFields for elbv2 #22466

merged 2 commits into from
Oct 19, 2022

Conversation

@clueleaf
Copy link
Contributor

@clueleaf clueleaf commented Oct 12, 2022

Dropping invalid HTTP headers is recommended and also appears in Security Hub controls as ELB.4

Attribute document:
https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_LoadBalancerAttribute.html

All Submissions:

Adding new Unconventional Dependencies:

  • This PR adds new unconventional dependencies following the process described here

New Features

  • Have you added the new feature to an integration test?
    • Did you use yarn integ to deploy the infrastructure and generate the snapshot (i.e. yarn integ without --dry-run)?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@gitpod-io
Copy link

gitpod-io bot commented Oct 12, 2022

@aws-cdk-automation aws-cdk-automation requested a review from a team October 12, 2022 09:08
@github-actions github-actions bot added p2 beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK labels Oct 12, 2022
aws-cdk-automation
aws-cdk-automation previously requested changes Oct 12, 2022
View reviewed changes
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

@clueleaf
Copy link
Contributor Author

clueleaf commented Oct 12, 2022

I did not make changes to README and integ test because other attributes (such as http2Enabled and idleTimeout) are not documented and tested as well. If it is required, I am willing to do so.

@corymhall corymhall added pr-linter/exempt-readme The PR linter will not require README changes pr-linter/exempt-integ-test The PR linter will not require integ test changes labels Oct 18, 2022
@corymhall corymhall added the pr/do-not-merge This PR should not be merged at this time. label Oct 18, 2022
@aws-cdk-automation aws-cdk-automation dismissed their stale review October 18, 2022 18:09

✅ Updated pull request passes all PRLinter validations. Dissmissing previous PRLinter review.

corymhall
corymhall suggested changes Oct 18, 2022
View reviewed changes
packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts

if (props.http2Enabled === false) { this.setAttribute('routing.http2.enabled', 'false'); }
if (props.idleTimeout !== undefined) { this.setAttribute('idle_timeout.timeout_seconds', props.idleTimeout.toSeconds().toString()); }
if (props.dropInvalidHeaderFields) {this.setAttribute('routing.http.drop_invalid_header_fields.enabled', 'true'); }
Copy link
Contributor

@corymhall corymhall Oct 18, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, before merging this I wonder if we could set true as the default. Do you know of any downsides to setting this to true by default?

Copy link
Contributor Author

@clueleaf clueleaf Oct 18, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think there are any downsides if you are deploying a new application and still flexible about your custom header fields. However, since existing applications will also get affected, I think it is safe to leave the default to false.

For example, header names with underscores are dropped if this attribute is set to true.
https://stackoverflow.com/questions/58848623/what-does-alb-consider-a-valid-header-field

@clueleaf clueleaf requested a review from corymhall October 18, 2022 23:28
@corymhall corymhall removed the pr/do-not-merge This PR should not be merged at this time. label Oct 19, 2022
@mergify
Copy link
Contributor

mergify bot commented Oct 19, 2022

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

aws-cdk-automation commented Oct 19, 2022

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 993a8fc
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 91767f0 into aws:main Oct 19, 2022
@mergify
Copy link
Contributor

mergify bot commented Oct 19, 2022

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@clueleaf clueleaf deleted the feat/alb_drop_invalid_header branch October 20, 2022 03:25
@clueleaf clueleaf mentioned this pull request Oct 20, 2022
Closed
2 tasks
madeline-k pushed a commit that referenced this pull request Oct 21, 2022
@clueleaf @madeline-k
feat(elbv2): add dropInvalidHeaderFields for elbv2 (#22466)
7fcca40 
Dropping invalid HTTP headers is recommended and also appears in Security Hub controls as [ELB.4](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-elb-4)

Attribute document: 
https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_LoadBalancerAttribute.html

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
mrgrain pushed a commit to mrgrain/aws-cdk that referenced this pull request Oct 24, 2022
@clueleaf @mrgrain
feat(elbv2): add dropInvalidHeaderFields for elbv2 (aws#22466)
0a128f1 
Dropping invalid HTTP headers is recommended and also appears in Security Hub controls as [ELB.4](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-elb-4)

Attribute document: 
https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_LoadBalancerAttribute.html

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

+1 more reviewer

@corymhall corymhall corymhall approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK p2 pr-linter/exempt-integ-test The PR linter will not require integ test changes pr-linter/exempt-readme The PR linter will not require README changes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@clueleaf @aws-cdk-automation @corymhall