Do not allow users to send internal extra credentials

core/trino-main/src/main/java/io/trino/server/HttpRequestSessionContextFactory.java

@@ -323,7 +323,11 @@ private static SelectedRole toSelectedRole(ProtocolHeaders protocolHeaders, Stri
 
     private static Map<String, String> parseExtraCredentials(ProtocolHeaders protocolHeaders, MultivaluedMap<String, String> headers)
     {
-        return parseProperty(headers, protocolHeaders.requestExtraCredential());
+        Map<String, String> credentials = parseProperty(headers, protocolHeaders.requestExtraCredential());
+        for (String name : credentials.keySet()) {
+            assertRequest(!name.startsWith("internal$"), "Invalid extra credential name: %s", name);
+        }
+        return credentials;
     }
 
     private static Map<String, String> parseProperty(MultivaluedMap<String, String> headers, String headerName)

core/trino-main/src/test/java/io/trino/server/TestHttpRequestSessionContextFactory.java

@@ -25,6 +25,7 @@
 import jakarta.ws.rs.WebApplicationException;
 import jakarta.ws.rs.core.MultivaluedHashMap;
 import jakarta.ws.rs.core.MultivaluedMap;
+import org.assertj.core.api.AbstractThrowableAssert;
 import org.junit.jupiter.api.Test;
 
 import java.util.Optional;
@@ -134,12 +135,7 @@ private static void assertMappedUser(ProtocolHeaders protocolHeaders)
                 Optional.of(Identity.ofUser("mappedUser")));
         assertThat(context.getIdentity()).isEqualTo(Identity.forUser("testUser").withGroups(ImmutableSet.of("testUser")).build());
 
-        assertThatThrownBy(
-                () -> sessionContextFactory(protocolHeaders).createSessionContext(
-                        emptyHeaders,
-                        Optional.of("testRemote"),
-                        Optional.empty()))
-                .isInstanceOf(WebApplicationException.class)
+        assertInvalidSession(protocolHeaders, emptyHeaders)
                 .matches(e -> ((WebApplicationException) e).getResponse().getStatus() == 400);
     }
 
@@ -164,15 +160,30 @@ private static void assertPreparedStatementsHeaderDoesNotParse(ProtocolHeaders p
                 .put(protocolHeaders.requestPreparedStatement(), "query1=abcdefg")
                 .build());
 
-        assertThatThrownBy(
-                () -> sessionContextFactory(protocolHeaders).createSessionContext(
-                        headers,
-                        Optional.of("testRemote"),
-                        Optional.empty()))
-                .isInstanceOf(WebApplicationException.class)
+        assertInvalidSession(protocolHeaders, headers)
                 .hasMessageMatching("Invalid " + protocolHeaders.requestPreparedStatement() + " header: line 1:1: mismatched input 'abcdefg'. Expecting: .*");
     }
 
+    @Test
+    public void testInternalExtraCredentialName()
+    {
+        MultivaluedMap<String, String> headers = new GuavaMultivaluedMap<>(ImmutableListMultimap.<String, String>builder()
+                .put(TRINO_HEADERS.requestUser(), "testUser")
+                .put(TRINO_HEADERS.requestExtraCredential(), "internal$abc=xyz")
+                .build());
+
+        assertInvalidSession(TRINO_HEADERS, headers)
+                .hasMessage("Invalid extra credential name: internal$abc");
+    }
+
+    private static AbstractThrowableAssert<?, ? extends Throwable> assertInvalidSession(ProtocolHeaders protocolHeaders, MultivaluedMap<String, String> headers)
+    {
+        return assertThatThrownBy(
+                () -> sessionContextFactory(protocolHeaders)
+                        .createSessionContext(headers, Optional.of("testRemote"), Optional.empty()))
+                .isInstanceOf(WebApplicationException.class);
+    }
+
     private static HttpRequestSessionContextFactory sessionContextFactory(ProtocolHeaders headers)
     {
         return new HttpRequestSessionContextFactory(