Remove X-Forwarded-(Uri, Method, Tls-Client-Cert and Tls-Client-Cert-Info) from untrusted IP
parent
0ee5d3d83f
commit
cc4258bf9d
2 changed files with 87 additions and 27 deletions
|
@ -15,6 +15,10 @@ const (
|
||||||
xForwardedHost = "X-Forwarded-Host"
|
xForwardedHost = "X-Forwarded-Host"
|
||||||
xForwardedPort = "X-Forwarded-Port"
|
xForwardedPort = "X-Forwarded-Port"
|
||||||
xForwardedServer = "X-Forwarded-Server"
|
xForwardedServer = "X-Forwarded-Server"
|
||||||
|
xForwardedURI = "X-Forwarded-Uri"
|
||||||
|
xForwardedMethod = "X-Forwarded-Method"
|
||||||
|
xForwardedTLSClientCert = "X-Forwarded-Tls-Client-Cert"
|
||||||
|
xForwardedTLSClientCertInfo = "X-Forwarded-Tls-Client-Cert-Info"
|
||||||
xRealIP = "X-Real-Ip"
|
xRealIP = "X-Real-Ip"
|
||||||
connection = "Connection"
|
connection = "Connection"
|
||||||
upgrade = "Upgrade"
|
upgrade = "Upgrade"
|
||||||
|
@ -26,6 +30,10 @@ var xHeaders = []string{
|
||||||
xForwardedHost,
|
xForwardedHost,
|
||||||
xForwardedPort,
|
xForwardedPort,
|
||||||
xForwardedServer,
|
xForwardedServer,
|
||||||
|
xForwardedURI,
|
||||||
|
xForwardedMethod,
|
||||||
|
xForwardedTLSClientCert,
|
||||||
|
xForwardedTLSClientCertInfo,
|
||||||
xRealIP,
|
xRealIP,
|
||||||
}
|
}
|
||||||
|
|
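Review bot: `xHeaders` has no comment stating that it is the list of headers stripped from requests whose peer is not trusted, which is the role the commit title gives it. Any forwarding header absent from the list presumably still reaches the backend unchanged, although the code that consumes the slice is not in these hunks. `X-Forwarded-Uri`, `X-Forwarded-Method` and the two `X-Forwarded-Tls-Client-Cert*` headers are the kind of values that downstream authentication or routing tends to trust, so I would document the contract above `var xHeaders`: `// xHeaders lists the forwarding headers removed from requests from untrusted peers; every X-Forwarded-* header a backend may rely on must be listed here.` Both the slice and the `const` block start outside the hunks, so I cannot tell whether the RFC 7239 `Forwarded` header is covered; that is worth confirming.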
||||||
|
|
|
@ -29,78 +29,130 @@ func TestServeHTTP(t *testing.T) {
|
||||||
incomingHeaders: map[string]string{},
|
incomingHeaders: map[string]string{},
|
||||||
expectedHeaders: map[string]string{
|
expectedHeaders: map[string]string{
|
||||||
"X-Forwarded-for": "",
|
"X-Forwarded-for": "",
|
||||||
|
"X-Forwarded-Uri": "",
|
||||||
|
"X-Forwarded-Method": "",
|
||||||
|
"X-Forwarded-Tls-Client-Cert": "",
|
||||||
|
"X-Forwarded-Tls-Client-Cert-Info": "",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
desc: "insecure true with incoming X-Forwarded-For",
|
desc: "insecure true with incoming X-Forwarded headers",
|
||||||
insecure: true,
|
insecure: true,
|
||||||
trustedIps: nil,
|
trustedIps: nil,
|
||||||
remoteAddr: "",
|
remoteAddr: "",
|
||||||
incomingHeaders: map[string]string{
|
incomingHeaders: map[string]string{
|
||||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||||
|
"X-Forwarded-Uri": "/bar",
|
||||||
|
"X-Forwarded-Method": "GET",
|
||||||
|
"X-Forwarded-Tls-Client-Cert": "Cert",
|
||||||
|
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
|
||||||
},
|
},
|
||||||
expectedHeaders: map[string]string{
|
expectedHeaders: map[string]string{
|
||||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||||
|
"X-Forwarded-Uri": "/bar",
|
||||||
|
"X-Forwarded-Method": "GET",
|
||||||
|
"X-Forwarded-Tls-Client-Cert": "Cert",
|
||||||
|
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
desc: "insecure false with incoming X-Forwarded-For",
|
desc: "insecure false with incoming X-Forwarded headers",
|
||||||
insecure: false,
|
insecure: false,
|
||||||
trustedIps: nil,
|
trustedIps: nil,
|
||||||
remoteAddr: "",
|
remoteAddr: "",
|
||||||
incomingHeaders: map[string]string{
|
incomingHeaders: map[string]string{
|
||||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||||
|
"X-Forwarded-Uri": "/bar",
|
||||||
|
"X-Forwarded-Method": "GET",
|
||||||
|
"X-Forwarded-Tls-Client-Cert": "Cert",
|
||||||
|
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
|
||||||
},
|
},
|
||||||
expectedHeaders: map[string]string{
|
expectedHeaders: map[string]string{
|
||||||
"X-Forwarded-for": "",
|
"X-Forwarded-for": "",
|
||||||
|
"X-Forwarded-Uri": "",
|
||||||
|
"X-Forwarded-Method": "",
|
||||||
|
"X-Forwarded-Tls-Client-Cert": "",
|
||||||
|
"X-Forwarded-Tls-Client-Cert-Info": "",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
desc: "insecure false with incoming X-Forwarded-For and valid Trusted Ips",
|
desc: "insecure false with incoming X-Forwarded headers and valid Trusted Ips",
|
||||||
insecure: false,
|
insecure: false,
|
||||||
trustedIps: []string{"10.0.1.100"},
|
trustedIps: []string{"10.0.1.100"},
|
||||||
remoteAddr: "10.0.1.100:80",
|
remoteAddr: "10.0.1.100:80",
|
||||||
incomingHeaders: map[string]string{
|
incomingHeaders: map[string]string{
|
||||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||||
|
"X-Forwarded-Uri": "/bar",
|
||||||
|
"X-Forwarded-Method": "GET",
|
||||||
|
"X-Forwarded-Tls-Client-Cert": "Cert",
|
||||||
|
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
|
||||||
},
|
},
|
||||||
expectedHeaders: map[string]string{
|
expectedHeaders: map[string]string{
|
||||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||||
|
"X-Forwarded-Uri": "/bar",
|
||||||
|
"X-Forwarded-Method": "GET",
|
||||||
|
"X-Forwarded-Tls-Client-Cert": "Cert",
|
||||||
|
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
desc: "insecure false with incoming X-Forwarded-For and invalid Trusted Ips",
|
desc: "insecure false with incoming X-Forwarded headers and invalid Trusted Ips",
|
||||||
insecure: false,
|
insecure: false,
|
||||||
trustedIps: []string{"10.0.1.100"},
|
trustedIps: []string{"10.0.1.100"},
|
||||||
remoteAddr: "10.0.1.101:80",
|
remoteAddr: "10.0.1.101:80",
|
||||||
incomingHeaders: map[string]string{
|
incomingHeaders: map[string]string{
|
||||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||||
|
"X-Forwarded-Uri": "/bar",
|
||||||
|
"X-Forwarded-Method": "GET",
|
||||||
|
"X-Forwarded-Tls-Client-Cert": "Cert",
|
||||||
|
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
|
||||||
},
|
},
|
||||||
expectedHeaders: map[string]string{
|
expectedHeaders: map[string]string{
|
||||||
"X-Forwarded-for": "",
|
"X-Forwarded-for": "",
|
||||||
|
"X-Forwarded-Uri": "",
|
||||||
|
"X-Forwarded-Method": "",
|
||||||
|
"X-Forwarded-Tls-Client-Cert": "",
|
||||||
|
"X-Forwarded-Tls-Client-Cert-Info": "",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
desc: "insecure false with incoming X-Forwarded-For and valid Trusted Ips CIDR",
|
desc: "insecure false with incoming X-Forwarded headers and valid Trusted Ips CIDR",
|
||||||
insecure: false,
|
insecure: false,
|
||||||
trustedIps: []string{"1.2.3.4/24"},
|
trustedIps: []string{"1.2.3.4/24"},
|
||||||
remoteAddr: "1.2.3.156:80",
|
remoteAddr: "1.2.3.156:80",
|
||||||
incomingHeaders: map[string]string{
|
incomingHeaders: map[string]string{
|
||||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||||
|
"X-Forwarded-Uri": "/bar",
|
||||||
|
"X-Forwarded-Method": "GET",
|
||||||
|
"X-Forwarded-Tls-Client-Cert": "Cert",
|
||||||
|
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
|
||||||
},
|
},
|
||||||
expectedHeaders: map[string]string{
|
expectedHeaders: map[string]string{
|
||||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||||
|
"X-Forwarded-Uri": "/bar",
|
||||||
|
"X-Forwarded-Method": "GET",
|
||||||
|
"X-Forwarded-Tls-Client-Cert": "Cert",
|
||||||
|
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
desc: "insecure false with incoming X-Forwarded-For and invalid Trusted Ips CIDR",
|
desc: "insecure false with incoming X-Forwarded headers and invalid Trusted Ips CIDR",
|
||||||
insecure: false,
|
insecure: false,
|
||||||
trustedIps: []string{"1.2.3.4/24"},
|
trustedIps: []string{"1.2.3.4/24"},
|
||||||
remoteAddr: "10.0.1.101:80",
|
remoteAddr: "10.0.1.101:80",
|
||||||
incomingHeaders: map[string]string{
|
incomingHeaders: map[string]string{
|
||||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||||
|
"X-Forwarded-Uri": "/bar",
|
||||||
|
"X-Forwarded-Method": "GET",
|
||||||
|
"X-Forwarded-Tls-Client-Cert": "Cert",
|
||||||
|
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
|
||||||
},
|
},
|
||||||
expectedHeaders: map[string]string{
|
expectedHeaders: map[string]string{
|
||||||
"X-Forwarded-for": "",
|
"X-Forwarded-for": "",
|
||||||
|
"X-Forwarded-Uri": "",
|
||||||
|
"X-Forwarded-Method": "",
|
||||||
|
"X-Forwarded-Tls-Client-Cert": "",
|
||||||
|
"X-Forwarded-Tls-Client-Cert-Info": "",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
|