fix: use last tenant header value to prevent ext_authz header injection #87
Pull request overview
This PR hardens the API server request middleware against tenant header injection when Envoy ext_authz appends (rather than overwrites) tenant headers, and adds focused unit tests around tenant extraction, request ID behavior, and skip-path handling.
Changes:
- Update tenant ID extraction to prefer the last value when multiple tenant header values are present.
- Add unit tests covering tenant header extraction scenarios (including multi-value), request ID propagation/generation, and skipping middleware for metrics/health endpoints.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| internal/apiserver/middleware/request_middleware.go | Adjusts tenant header extraction logic to use the last header value to mitigate spoofing via header appends. |
| internal/apiserver/middleware/request_middleware_test.go | Adds unit tests for tenant extraction, request ID behavior, and metrics/health skip-path behavior. |
41d9df9 to 01f4d2f
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
The external auth service may append response headers instead of overwriting them. A client can send a spoofed tenant header which gets concatenated with the auth-injected value. This takes the last value from multi-value tenant headers, which is always the trusted auth-injected one per Envoy ext_authz ordering guarantees.
Adds tests for tenant header extraction including the multi-value workaround, request ID handling, and metrics/health path skipping.
Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
01f4d2f to bd3fa76
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.
@yizhaodev can we merge?
@pierDipi merged, thanks
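The last-value rule this pull request describes, sketched as an added Go example; it is not the project's code from `request_middleware.go`. The header name `X-Tenant-Id`, the function names, and the assumption that tenant IDs never contain commas are hypothetical, and the example goes beyond the description by also handling a single comma-joined header line.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// tenantHeader is an assumed name; the PR page does not show the real header.
const tenantHeader = "X-Tenant-Id"

// firstTenant shows the behaviour being replaced: Header.Get returns the first
// header line, which is the client-sent one when the auth value is appended.
func firstTenant(h http.Header) string {
	return strings.TrimSpace(h.Get(tenantHeader))
}

// lastTenant returns only the final value, whether the values arrive as
// repeated header lines or as one comma-joined line. It never falls back to
// an earlier value (assumes tenant IDs contain no commas).
func lastTenant(h http.Header) (string, bool) {
	lines := h.Values(tenantHeader)
	if len(lines) == 0 {
		return "", false
	}
	last := lines[len(lines)-1]
	if i := strings.LastIndex(last, ","); i >= 0 {
		last = last[i+1:]
	}
	last = strings.TrimSpace(last)
	return last, last != ""
}

func main() {
	// Constructed input: "attacker" is client-sent, "tenant-a" is auth-injected.
	appended := http.Header{}
	appended.Add(tenantHeader, "attacker")
	appended.Add(tenantHeader, "tenant-a")
	joined := http.Header{}
	joined.Set(tenantHeader, "attacker, tenant-a")
	for _, h := range []http.Header{appended, joined} {
		got, ok := lastTenant(h)
		fmt.Printf("first=%q last=%q ok=%v\n", firstTenant(h), got, ok)
	}
}
```

An empty final value is rejected rather than resolved from an earlier one, because earlier values may be client-supplied. The last value is only trustworthy while the ordering described in the PR holds and the API server cannot be reached without passing through the proxy.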