fix: use last header value for pass-through headers to prevent spoofing#92
/cc @yizhaodev @lioraron
Pull request overview
This PR hardens pass-through header handling in the batch API by ensuring that when a header has multiple values (e.g., a spoofed client value plus an Envoy ext_authz-injected value), the handler stores the last value so the trusted auth-injected value takes precedence.
Changes:
- Update batch creation to read configured pass-through headers via `r.Header.Values()` and select the last value.
- Add unit tests covering single-value, multi-value last-wins, missing header, and multiple configured headers.
- Refactor test setup helper to allow injecting a custom `ServerConfig` per test.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| internal/apiserver/batch/batch_handler.go | Switch pass-through header extraction from first-value semantics to last-value semantics to prevent spoofing. |
| internal/apiserver/batch/batch_handler_test.go | Add targeted tests validating correct tag persistence for pass-through headers, including multi-value last-wins behavior. |
Switch from Header.Get (first value) to Header.Values with last-entry selection so that Envoy ext_authz-injected headers take precedence over client-supplied ones. Add tests covering single value, multi-value last-wins, absent header, and multiple configured headers. Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
5e992b7 to f23b590
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.
Signed-off-by: Pierangelo Di Pilato <pierangelodipilato@gmail.com>
@yizhaodev can we merge?
@pierDipi thanks, merged
Switch from Header.Get (first value) to Header.Values with last-entry selection so that Envoy ext_authz-injected headers take precedence over client-supplied ones. Add tests covering single value, multi-value last-wins, absent header, and multiple configured headers.
Similar to #87
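The first-value versus last-value extraction this PR describes, as an added stand-alone example (not the project's own handler code): `extractFirstValue` reproduces the pre-fix `Header.Get` behaviour and `extractLastValue` the fixed `Header.Values` last-wins behaviour, on a constructed header set where a client-supplied value precedes the proxy-appended one. The header names and the `passThroughHeaders` list are hypothetical stand-ins for the configured pass-through headers.

```go
package main

import (
	"fmt"
	"net/http"
)

// Hypothetical stand-in for the configured pass-through header list;
// the real ServerConfig field is not part of this example.
var passThroughHeaders = []string{"X-Auth-Request-User", "X-Tenant-Id"}

// extractFirstValue mirrors the pre-fix behaviour: Header.Get returns only
// the first value, so a client-supplied value that arrives ahead of the
// ext_authz-injected one is the value that gets stored as a tag.
func extractFirstValue(h http.Header, keys []string) map[string]string {
	tags := map[string]string{}
	for _, k := range keys {
		if v := h.Get(k); v != "" {
			tags[k] = v
		}
	}
	return tags
}

// extractLastValue mirrors the fix: read every value for the header with
// Header.Values and keep the last one, i.e. the value appended by the
// trusted proxy. Absent headers produce no tag at all.
func extractLastValue(h http.Header, keys []string) map[string]string {
	tags := map[string]string{}
	for _, k := range keys {
		if vals := h.Values(k); len(vals) > 0 {
			tags[k] = vals[len(vals)-1]
		}
	}
	return tags
}

func main() {
	// Constructed input: the client sent a spoofed value, then the proxy
	// appended the authenticated identity after ext_authz.
	h := http.Header{}
	h.Add("X-Auth-Request-User", "spoofed-user")
	h.Add("X-Auth-Request-User", "alice")
	fmt.Println(extractFirstValue(h, passThroughHeaders)) // spoofed-user wins
	fmt.Println(extractLastValue(h, passThroughHeaders))  // alice wins
}
```

Last-wins only helps when the proxy appends its value rather than prepending it and when the handler is not reachable except through that proxy; both should be covered by a test in the same spirit as the ones added in this PR.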