21137: Tighten TestEndSessionEndpointBadScheme check
[arvados.git] / lib / controller / proxy.go
index 13dfcac16abb0bb27c7b1f3d50d024436453f97c..26d1859ec874341af736dc9cd0b9ef3ca4a936cf 100644 (file)
@@ -45,6 +45,11 @@ var dropHeaders = map[string]bool{
 
        // Content-Length depends on encoding.
        "Content-Length": true,
+
+       // Defend against Rails vulnerability CVE-2023-22795 -
+       // we don't use this functionality anyway, so it costs us nothing.
+       // <https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118>
+       "If-None-Match": true,
 }
 
 type ResponseFilter func(*http.Response, error) (*http.Response, error)
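Review bot: The new `"If-None-Match": true` entry is a mitigation that should carry a removal condition, otherwise it will outlive the Rails upgrade that actually fixes the ReDoS and silently keep conditional requests disabled forever. I would extend the comment to something like `// TODO: revisit once the Rails API server runs a release the advisory lists as patched; until then every client ETag is discarded here and the backend can never answer 304.` Note also that this only protects requests that pass through this proxy; if any other path reaches the Rails server directly (something this hunk cannot show), the header is still parsed there. The `dropHeaders` map is declared before the hunk, so I cannot confirm from here whether lookups are done on canonical keys; `"If-None-Match"` is the canonical form, so it should match if they are.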
@@ -63,10 +68,13 @@ func (p *proxy) Do(
                        hdrOut[k] = v
                }
        }
-       xff := reqIn.RemoteAddr
-       if xffIn := reqIn.Header.Get("X-Forwarded-For"); xffIn != "" {
-               xff = xffIn + "," + xff
+       xff := ""
+       for _, xffIn := range reqIn.Header["X-Forwarded-For"] {
+               if xffIn != "" {
+                       xff += xffIn + ","
+               }
        }
+       xff += reqIn.RemoteAddr
        hdrOut.Set("X-Forwarded-For", xff)
        if hdrOut.Get("X-Forwarded-Proto") == "" {
                hdrOut.Set("X-Forwarded-Proto", reqIn.URL.Scheme)
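Review bot: The loop on lines 24–29 now forwards every client-supplied `X-Forwarded-For` value verbatim (previously only the first was taken), so the backend must treat only the trailing element — the `reqIn.RemoteAddr` appended on line 29 — as trustworthy; that contract is not written down anywhere in the hunk. I would add above the loop `// Client-supplied X-Forwarded-For entries are untrusted and passed through as-is; only the last element, our own reqIn.RemoteAddr, is authoritative for the upstream.` Two smaller points: `reqIn.RemoteAddr` from net/http is normally `host:port`, so the trusted element carries a port unlike the conventional bare IP (pre-existing behaviour, but worth a comment if the backend parses it), and the `X-Forwarded-Proto` handling on lines 31–32 keeps whatever the client sent, so that header is likewise spoofable unless a front proxy strips it — outside this change, but the same trust caveat applies. The enclosing `Do` method starts before this hunk and continues after it.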