From c08ddd7dbf7bdc15bb225f4a822162ed0f8fe016 Mon Sep 17 00:00:00 2001
From: Chi Wang
Date: Mon, 10 Oct 2022 06:28:26 -0700
Subject: [PATCH] Update GrpcRemoteDownloader to only include relevant headers.
Fixes https://github.com/bazelbuild/bazel/security/advisories/GHSA-mxr8-q875-rhwq.
RELNOTES[INC]: GrpcRemoteDownloader only includes relevant headers instead of sending all credentials.
Closes #16439.
PiperOrigin-RevId: 480069164
Change-Id: I49950311c04d1997d26832431d531a9036efdb18
---
 .../remote/downloader/GrpcRemoteDownloader.java | 16 +++++++++++++---
 .../downloader/GrpcRemoteDownloaderTest.java | 3 ---
 2 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/src/main/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloader.java b/src/main/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloader.java
index c3456eb687968c..da81887c632906 100644
--- a/src/main/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloader.java
+++ b/src/main/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloader.java
@@ -23,6 +23,7 @@
 import build.bazel.remote.execution.v2.RequestMetadata;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Strings;
+import com.google.common.collect.ImmutableSet;
 import com.google.devtools.build.lib.bazel.repository.downloader.Checksum;
 import com.google.devtools.build.lib.bazel.repository.downloader.Downloader;
 import com.google.devtools.build.lib.bazel.repository.downloader.HashOutputStream;
@@ -171,7 +172,7 @@ static FetchBlobRequest newFetchBlobRequest(
 requestBuilder.addQualifiers(
 Qualifier.newBuilder()
 .setName(QUALIFIER_AUTH_HEADERS)
- .setValue(authHeadersJson(authHeaders))
+ .setValue(authHeadersJson(urls, authHeaders))
 .build());
 }
@@ -197,15 +198,24 @@ private OutputStream newOutputStream(
 return out;
 }
- private static String authHeadersJson(Map> authHeaders) {
+ private static String authHeadersJson(
+ List urls, Map> authHeaders) {
+ ImmutableSet hostSet =
+ urls.stream().map(URL::getHost).collect(ImmutableSet.toImmutableSet());
 Map subObjects = new TreeMap<>();
 for (Map.Entry> entry : authHeaders.entrySet()) {
+ URI uri = entry.getKey();
+ // Only add headers that are relevant to the hosts.
+ if (!hostSet.contains(uri.getHost())) {
+ continue;
+ }
+
 JsonObject subObject = new JsonObject();
 Map orderedHeaders = new TreeMap<>(entry.getValue());
 for (Map.Entry subEntry : orderedHeaders.entrySet()) {
 subObject.addProperty(subEntry.getKey(), subEntry.getValue());
 }
- subObjects.put(entry.getKey().toString(), subObject);
+ subObjects.put(uri.toString(), subObject);
 }
 JsonObject authHeadersJson = new JsonObject();
diff --git a/src/test/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloaderTest.java b/src/test/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloaderTest.java
index 699076407647c2..6995ca911cb1fd 100644
--- a/src/test/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloaderTest.java
+++ b/src/test/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloaderTest.java
@@ -320,9 +320,6 @@ public void testFetchBlobRequest() throws Exception {
 + "\"http://example.com\":{"
 + "\"Another-Header\":\"another header content\","
 + "\"Some-Header\":\"some header content\""
- + "},"
- + "\"http://example.org\":{"
- + "\"Org-Header\":\"org header content\""
 + "}"
 + "}";
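Review bot: The new filter `if (!hostSet.contains(uri.getHost()))` compares host names only, so an entry keyed by an `https://` URI is still serialized into the qualifier whenever `urls` contains a plain `http://` URL (or a different port) for the same host, which forwards credentials scoped to one origin to the remote asset service on behalf of another. If callers can pass mixed-scheme or mixed-port URL lists, matching on origin is tighter: build the set from `u.getProtocol() + "://" + u.getHost() + ":" + u.getPort()` and test `uri.getScheme() + "://" + uri.getHost() + ":" + uri.getPort()` instead of the bare host. The comparison is also case-sensitive because neither `URL.getHost()` nor `URI.getHost()` normalizes case, so a differently cased key is silently dropped rather than leaked; lower-casing both sides with `Locale.ROOT` would make that behaviour deliberate. The method has no Javadoc; a header such as `/** Serializes {@code authHeaders} as JSON, keeping only entries whose host appears in {@code urls}. */` would record the filtering contract the advisory relies on. The body of authHeadersJson continues past the end of the hunk.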