Drop untrusted X-Forwarded-Prefix header

Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
2024-11-08 12:12:35 +01:00 · 2024-11-08 12:12:35 +01:00 · 2096fd7081
commit 2096fd7081
parent 6f18344c56
4 changed files with 31 additions and 65 deletions
--- a/pkg/api/dashboard/dashboard_test.go
+++ b/pkg/api/dashboard/dashboard_test.go
@ -10,53 +10,8 @@ import (
 	"time"

 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 )

-func Test_safePrefix(t *testing.T) {
-	testCases := []struct {
-		desc     string
-		value    string
-		expected string
-	}{
-		{
-			desc:     "host",
-			value:    "https://example.com",
-			expected: "",
-		},
-		{
-			desc:     "host with path",
-			value:    "https://example.com/foo/bar?test",
-			expected: "",
-		},
-		{
-			desc:     "path",
-			value:    "/foo/bar",
-			expected: "/foo/bar",
-		},
-		{
-			desc:     "path without leading slash",
-			value:    "foo/bar",
-			expected: "foo/bar",
-		},
-	}
-
-	for _, test := range testCases {
-		t.Run(test.desc, func(t *testing.T) {
-			t.Parallel()
-
-			req, err := http.NewRequest(http.MethodGet, "http://localhost", nil)
-			require.NoError(t, err)
-
-			req.Header.Set("X-Forwarded-Prefix", test.value)
-
-			prefix := safePrefix(req)
-
-			assert.Equal(t, test.expected, prefix)
-		})
-	}
-}
-
 func Test_ContentSecurityPolicy(t *testing.T) {
 	testCases := []struct {
 		desc     string