fix(cloud-function): strip X-Forwarded-Host + Forwarded headers #8894

Merged
merged 3 commits into from
May 19, 2023

caugner
Contributor

@caugner caugner commented May 19, 2023

Summary

(MP-427)

Problem

http-proxy with xfwd: true only sets x-forwarded-{for,port,proto} and doesn't override x-forwarded-host (see here), which may cause unwanted side-effects.

Solution

Remove x-forwarded-host header (plus forwarded, which may contain a host= directive) in our Cloud Function.


How did you test this change?

Ran `npm start` in `cloud-function/` and verified that `curl -H 'x-forwarded-host: bar' 'http://localhost:5100/fr/?example'` does not forward the header.
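
The behaviour described in this pull request, as an added example that is not part of the PR or the project's code: `stripForwardedHost` removes the two headers, and `modelXfwd` is a simplified stand-in for the proxy's `xfwd: true` handling (an assumption, not http-proxy itself). The function names, the sample request and its addresses are constructed for illustration.

```javascript
// Added illustration; not code from the pull request.
const STRIPPED_HEADERS = ["x-forwarded-host", "forwarded"];

// Middleware-style function: drop client-supplied host hints before proxying.
// Node lower-cases incoming header names, so a plain key lookup is enough.
function stripForwardedHost(req, _res, next) {
  for (const name of STRIPPED_HEADERS) {
    delete req.headers[name];
  }
  if (next) next();
}

// Simplified model (assumption) of a proxy running with `xfwd: true`:
// for/port/proto are appended, while an existing x-forwarded-host is kept
// and only filled in from Host when it is absent.
function modelXfwd(req) {
  const values = {
    for: req.socket.remoteAddress,
    port: String(req.socket.localPort),
    proto: req.socket.encrypted ? "https" : "http",
  };
  const out = { ...req.headers };
  for (const [key, value] of Object.entries(values)) {
    const name = `x-forwarded-${key}`;
    out[name] = out[name] ? `${out[name]},${value}` : value;
  }
  out["x-forwarded-host"] = out["x-forwarded-host"] || out.host || "";
  return out;
}

// Constructed request mirroring the curl test in the PR description.
function sampleRequest() {
  return {
    headers: {
      host: "localhost:5100",
      "x-forwarded-host": "bar",
      forwarded: "for=192.0.2.1;host=bar",
      "x-forwarded-for": "192.0.2.1",
    },
    socket: { remoteAddress: "127.0.0.1", localPort: 5100, encrypted: false },
  };
}

// Headers the upstream would receive, with or without the stripping step.
function upstreamHeaders({ strip }) {
  const req = sampleRequest();
  if (strip) stripForwardedHost(req);
  return modelXfwd(req);
}

console.log(upstreamHeaders({ strip: false }), upstreamHeaders({ strip: true }));
```
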

`http-proxy` with `xfwd: true` only sets x-forwarded-{for,port,proto},
so other X-Forwarded headers would stay in place, causing side-effects.
@caugner caugner requested a review from LeoMcA May 19, 2023 10:30
@caugner caugner changed the title fix(cloud-function): strip x-forwarded-* headers fix(cloud-function): strip Forwarded headers May 19, 2023
Member

@LeoMcA LeoMcA left a comment

lgtm

@fiji-flo
Contributor

Stripping x-forwarded-for can have side effects. Do we need to strip it for this?

@LeoMcA
Member

LeoMcA commented May 19, 2023

@fiji-flo as I understand it, http-proxy won't overwrite an existing x-forwarded-for header, which is why we strip it, then it adds the correct value back in

@caugner caugner changed the title fix(cloud-function): strip Forwarded headers fix(cloud-function): strip X-Forwarded-Host + Forwarded headers May 19, 2023
@mdn mdn deleted a comment from fiji-flo May 19, 2023
@caugner caugner force-pushed the strip-xfwd-headers branch from 0530ac9 to c169410 Compare May 19, 2023 13:57
@caugner caugner temporarily deployed to xyz May 19, 2023 14:02 — with GitHub Actions Inactive
Member

@LeoMcA LeoMcA left a comment

Looks good, let's put on staging to test it fixes the problem (without causing any others).

Edit: I see you've already kicked off an xyz build

> as I understand it, http-proxy won't overwrite an existing x-forwarded-for header, which is why we strip it, then it adds the correct value back in

I misread, it does do the proper thing with x-forwarded-for.

@caugner caugner temporarily deployed to stage May 19, 2023 14:46 — with GitHub Actions Inactive
@caugner caugner merged commit 74bab35 into main May 19, 2023
@caugner caugner deleted the strip-xfwd-headers branch May 19, 2023 17:28