X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/e6617f0bff3521135bc63b229260fdfb7b9dc331..972b62e2bb581832cb7cfafce71e3cc6794e4361:/lib/controller/proxy.go
diff --git a/lib/controller/proxy.go b/lib/controller/proxy.go
index 9eac9362c9..26d1859ec8 100644
--- a/lib/controller/proxy.go
+++ b/lib/controller/proxy.go
@@ -9,7 +9,7 @@ import (
 "net/http"
 "net/url"
- "git.curoverse.com/arvados.git/sdk/go/httpserver"
+ "git.arvados.org/arvados.git/sdk/go/httpserver"
 )
 type proxy struct {
@@ -42,6 +42,14 @@ var dropHeaders = map[string]bool{
 "Accept-Encoding": true,
 "Content-Encoding": true,
 "Transfer-Encoding": true,
+
+ // Content-Length depends on encoding.
+ "Content-Length": true,
+
+ // Defend against Rails vulnerability CVE-2023-22795 -
+ // we don't use this functionality anyway, so it costs us nothing.
+ //
+ "If-None-Match": true,
 }
 type ResponseFilter func(*http.Response, error) (*http.Response, error)
@@ -60,10 +68,13 @@ func (p *proxy) Do(
 hdrOut[k] = v
 }
 }
- xff := reqIn.RemoteAddr
- if xffIn := reqIn.Header.Get("X-Forwarded-For"); xffIn != "" {
- xff = xffIn + "," + xff
+ xff := ""
+ for _, xffIn := range reqIn.Header["X-Forwarded-For"] {
+ if xffIn != "" {
+ xff += xffIn + ","
+ }
 }
+ xff += reqIn.RemoteAddr
 hdrOut.Set("X-Forwarded-For", xff)
 if hdrOut.Get("X-Forwarded-Proto") == "" {
 hdrOut.Set("X-Forwarded-Proto", reqIn.URL.Scheme)
@@ -77,9 +88,7 @@ func (p *proxy) Do(
 Header: hdrOut,
 Body: reqIn.Body,
 }).WithContext(reqIn.Context())
-
- resp, err := client.Do(reqOut)
- return resp, err
+ return client.Do(reqOut)
 }
 // Copy a response (or error) to the downstream client
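Review bot: The comment above `"If-None-Match": true` in the dropHeaders hunk names CVE-2023-22795 but says nothing about what dropping the header costs downstream, and it ends in a dangling empty `//` line. If dropHeaders is the filter for the header-copy loop at the top of the Do hunk (its condition is outside the hunk, so this is inferred), upstream never sees a conditional request and every client gets a full 200 where it previously could have received 304 Not Modified; any caller relying on ETag revalidation through the controller is affected, which is worth stating next to the CVE reference. Suggest replacing the trailing `//` with `// Side effect: conditional GETs through this proxy are never answered with 304; clients always receive the full response.` The same documentation gap does not apply to `"Content-Length"`, whose one-line reason is already given.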
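Review bot: In the X-Forwarded-For hunk, `xff += reqIn.RemoteAddr` appends the peer address verbatim, and when reqIn comes from the net/http server that value is normally `ip:port` (or `[ipv6]:port`), so the one entry this proxy vouches for is not a bare address like the client-supplied entries before it; the old code had the same shape, but since the value is rebuilt here, splitting the port off with `net.SplitHostPort` before appending would make the header consistent (net would need importing if the file does not already). The entries produced by the new loop are copied from the client's own headers and are untrusted, while only the trailing entry is added by this proxy, and the loop carries no comment saying so; suggest `// Forward every X-Forwarded-For value the client sent (untrusted, kept verbatim), then append our own view of the peer; upstream should only rely on the last entry.` The loop also joins entries with a bare `,` while clients commonly send `, `-separated lists, so the result can mix separators; `strings.Join` over the collected values with one separator would avoid that. Do's body starts and ends outside the hunk.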