28 changes: 28 additions & 0 deletions src/core/server/http/http_config.test.ts
Expand Up @@ -252,6 +252,34 @@ test('accepts any type of objects for custom headers', () => {
expect(() => httpSchema.validate(obj)).not.toThrow();
});

test('forbids the "location" custom response header', () => {
const httpSchema = config.schema;
const obj = {
customResponseHeaders: {
location: 'string',
Location: 'string',
lOcAtIoN: 'string',
},
};
expect(() => httpSchema.validate(obj)).toThrowErrorMatchingInlineSnapshot(
`"[customResponseHeaders]: The following custom response headers are not allowed to be set: location, Location, lOcAtIoN"`
);
});

test('forbids the "refresh" custom response header', () => {
const httpSchema = config.schema;
const obj = {
customResponseHeaders: {
refresh: 'string',
Refresh: 'string',
rEfReSh: 'string',
},
};
expect(() => httpSchema.validate(obj)).toThrowErrorMatchingInlineSnapshot(
`"[customResponseHeaders]: The following custom response headers are not allowed to be set: refresh, Refresh, rEfReSh"`
);
});

describe('with TLS', () => {
test('throws if TLS is enabled but `redirectHttpFromPort` is equal to `port`', () => {
const httpSchema = config.schema;
13 changes: 13 additions & 0 deletions src/core/server/http/http_config.ts
Expand Up @@ -20,6 +20,9 @@ const hostURISchema = schema.uri({ scheme: ['http', 'https'] });
const match = (regex: RegExp, errorMsg: string) => (str: string) =>
regex.test(str) ? undefined : errorMsg;

// The lower-case set of response headers which are forbidden within `customResponseHeaders`.
const RESPONSE_HEADER_DENY_LIST = ['location', 'refresh'];

// before update to make sure it's in sync with validation rules in Legacy
// https://github.com/elastic/kibana/blob/master/src/legacy/server/config/schema.js
export const config = {
Expand Down Expand Up @@ -58,6 +61,16 @@ export const config = {
),
customResponseHeaders: schema.recordOf(schema.string(), schema.any(), {
defaultValue: {},
validate(value) {
const forbiddenKeys = Object.keys(value).filter((headerName) =>
RESPONSE_HEADER_DENY_LIST.includes(headerName.toLowerCase())
);
if (forbiddenKeys.length > 0) {
return `The following custom response headers are not allowed to be set: ${forbiddenKeys.join(
', '
)}`;
}
},
}),
host: schema.string({
defaultValue: 'localhost',
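Review bot: `validate(value)` in the second hunk returns a string only on the failure path and falls off the end otherwise, so the "valid" outcome is implicit; an explicit `return undefined;` after the `if` block states the contract and keeps the function compiling if the project's tsconfig enables `noImplicitReturns` (I cannot see the tsconfig from this page). The deny-list comment in the first hunk says which headers are forbidden but not why, which is what a maintainer deciding whether to extend the list needs; since both `Location` and `Refresh` instruct the user agent to navigate, a comment such as `// Headers that make the user agent navigate (Location, Refresh) must not be settable from config, otherwise every response becomes a redirect.` would carry that rationale. The `config` object that holds the validator starts before the second hunk and ends after it.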