projects / arvados.git / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
21137: Tighten TestEndSessionEndpointBadScheme check
[arvados.git] / lib / controller / proxy.go
diff --git a/lib/controller/proxy.go b/lib/controller/proxy.go
index c0b94c2b5f76d604e738c2d9bc43d3a01f8bf5dc..26d1859ec874341af736dc9cd0b9ef3ca4a936cf 100644 (file)
--- a/lib/controller/proxy.go
+++ b/lib/controller/proxy.go
@@ -9,7 +9,7 @@ import (
        "net/http"
        "net/url"
 
-       "git.curoverse.com/arvados.git/sdk/go/httpserver"
+       "git.arvados.org/arvados.git/sdk/go/httpserver"
 )
 
 type proxy struct {
@@ -25,20 +25,31 @@ func (h HTTPError) Error() string {
        return h.Message
 }
 
-// headers that shouldn't be forwarded when proxying. See
-// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
 var dropHeaders = map[string]bool{
+       // Headers that shouldn't be forwarded when proxying. See
+       // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
        "Connection":          true,
        "Keep-Alive":          true,
        "Proxy-Authenticate":  true,
        "Proxy-Authorization": true,
-       // this line makes gofmt 1.10 and 1.11 agree
-       "TE":                true,
-       "Trailer":           true,
-       "Transfer-Encoding": true, // *-Encoding headers interfer with Go's automatic compression/decompression
-       "Content-Encoding":  true,
+       // (comment/space here makes gofmt1.10 agree with gofmt1.11)
+       "TE":      true,
+       "Trailer": true,
+       "Upgrade": true,
+
+       // Headers that would interfere with Go's automatic
+       // compression/decompression if we forwarded them.
        "Accept-Encoding":   true,
-       "Upgrade":           true,
+       "Content-Encoding":  true,
+       "Transfer-Encoding": true,
+
+       // Content-Length depends on encoding.
+       "Content-Length": true,
+
+       // Defend against Rails vulnerability CVE-2023-22795 -
+       // we don't use this functionality anyway, so it costs us nothing.
+       // <https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118>
+       "If-None-Match": true,
 }
 
 type ResponseFilter func(*http.Response, error) (*http.Response, error)
@@ -57,10 +68,13 @@ func (p *proxy) Do(
                        hdrOut[k] = v
                }
        }
-       xff := reqIn.RemoteAddr
-       if xffIn := reqIn.Header.Get("X-Forwarded-For"); xffIn != "" {
-               xff = xffIn + "," + xff
+       xff := ""
+       for _, xffIn := range reqIn.Header["X-Forwarded-For"] {
+               if xffIn != "" {
+                       xff += xffIn + ","
+               }
        }
+       xff += reqIn.RemoteAddr
        hdrOut.Set("X-Forwarded-For", xff)
        if hdrOut.Get("X-Forwarded-Proto") == "" {
                hdrOut.Set("X-Forwarded-Proto", reqIn.URL.Scheme)
@@ -74,9 +88,7 @@ func (p *proxy) Do(
                Header: hdrOut,
                Body:   reqIn.Body,
        }).WithContext(reqIn.Context())
-
-       resp, err := client.Do(reqOut)
-       return resp, err
+       return client.Do(reqOut)
 }
 
 // Copy a response (or error) to the downstream client