21137: Tighten TestEndSessionEndpointBadScheme check
[arvados.git] / lib / controller / proxy.go
index 939868a17b94f132644e3459292290294514e84f..26d1859ec874341af736dc9cd0b9ef3ca4a936cf 100644 (file)
@@ -42,6 +42,14 @@ var dropHeaders = map[string]bool{
        "Accept-Encoding":   true,
        "Content-Encoding":  true,
        "Transfer-Encoding": true,
+
+       // Content-Length depends on encoding.
+       "Content-Length": true,
+
+       // Defend against Rails vulnerability CVE-2023-22795 -
+       // we don't use this functionality anyway, so it costs us nothing.
+       // <https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118>
+       "If-None-Match": true,
 }
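Review bot: Dropping `If-None-Match` is a reasonable defense-in-depth measure, but the comment should make clear it is not a fix for CVE-2023-22795 itself — the vulnerable regexp lives in Rails' ActionDispatch, so the Rails side still needs the patched version, and any request path that reaches Rails without going through this proxy is not covered. Worth stating that in the comment, e.g. `// Defense in depth only: the upstream Rails must still run a patched ActionDispatch.`, and also that this silently disables ETag-based conditional requests for proxied clients (the comment says the feature is unused, which is the justification a maintainer will want to re-check before relying on caching later). Whether the drop applies regardless of client header casing depends on the lookup against `dropHeaders`, which is outside this hunk; Go canonicalizes parsed header names, so a lookup by the incoming key should match these canonical entries.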
 
 type ResponseFilter func(*http.Response, error) (*http.Response, error)
@@ -60,10 +68,13 @@ func (p *proxy) Do(
                        hdrOut[k] = v
                }
        }
-       xff := reqIn.RemoteAddr
-       if xffIn := reqIn.Header.Get("X-Forwarded-For"); xffIn != "" {
-               xff = xffIn + "," + xff
+       xff := ""
+       for _, xffIn := range reqIn.Header["X-Forwarded-For"] {
+               if xffIn != "" {
+                       xff += xffIn + ","
+               }
        }
+       xff += reqIn.RemoteAddr
        hdrOut.Set("X-Forwarded-For", xff)
        if hdrOut.Get("X-Forwarded-Proto") == "" {
                hdrOut.Set("X-Forwarded-Proto", reqIn.URL.Scheme)
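Review bot: The new loop forwards every client-supplied `X-Forwarded-For` value unchanged, so the only element of the outgoing header that this proxy actually vouches for is the trailing `reqIn.RemoteAddr`; the new code should say so, since anything upstream that reads the first entry as "the client IP" is trusting attacker-controlled input. Suggested comment above the loop: `// Client-supplied X-Forwarded-For entries are untrusted and passed through as-is; only the final element (RemoteAddr) is set by us.` The `xffIn != ""` test skips whole empty header values but does not trim or validate individual entries, which is presumably intentional. Separately, the adjacent `X-Forwarded-Proto` check only fills the header when absent, so a client value copied into `hdrOut` earlier in this function (copy loop starts outside the hunk) is forwarded as-is — if the upstream uses it for scheme decisions, consider overwriting it from `reqIn.URL.Scheme` / TLS state rather than trusting the inbound value.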
@@ -77,9 +88,7 @@ func (p *proxy) Do(
                Header: hdrOut,
                Body:   reqIn.Body,
        }).WithContext(reqIn.Context())
-
-       resp, err := client.Do(reqOut)
-       return resp, err
+       return client.Do(reqOut)
 }
 
 // Copy a response (or error) to the downstream client