fix(cloud-function): strip X-Forwarded-Host + Forwarded headers (#8894)

caugner · LeoMcA · web-flow · commit 74bab354a076 · 2023-05-19T19:28:19.000+02:00
`http-proxy` with `xfwd: true` only sets x-forwarded-{for,port,proto},
so the `X-Forwarded-Host` header stays in place, causing side-effects.

To be on the safe side, we also remove the `Forwarded` header, because
it may contain `host` directive, even though we don't currently use it.

Co-authored-by: Leo McArdle &lt;lmcardle@mozilla.com&gt;
diff --git a/cloud-function/src/app.ts b/cloud-function/src/app.ts
@@ -17,8 +17,10 @@ import { redirectLocale } from "./middlewares/redirect-locale.js";
 import { redirectTrailingSlash } from "./middlewares/redirect-trailing-slash.js";
 import { requireOrigin } from "./middlewares/require-origin.js";
 import { notFound } from "./middlewares/not-found.js";
+import { stripForwardedHostHeaders } from "./middlewares/stripForwardedHostHeaders.js";
 
 const router = Router();
+router.use(stripForwardedHostHeaders);
 router.use(redirectLeadingSlash);
 router.all(
   "/api/v1/stripe/plans",
diff --git a/cloud-function/src/middlewares/stripForwardedHostHeaders.ts b/cloud-function/src/middlewares/stripForwardedHostHeaders.ts
@@ -0,0 +1,15 @@
+import { NextFunction, Request, Response } from "express";
+
+// Don't strip other `X-Forwarded-*` headers.
+const HEADER_REGEXP = /^(x-forwarded-host|forwarded)$/i;
+
+export async function stripForwardedHostHeaders(
+  req: Request,
+  _res: Response,
+  next: NextFunction
+) {
+  Object.keys(req.headers)
+    .filter((name) => HEADER_REGEXP.test(name))
+    .forEach((name) => delete req.headers[name]);
+  next();
+}
