
Use only alphanumeric characters in headers that forward end-user information #150

Open
turnerrainer opened this issue May 9, 2024 · 0 comments

Comments

@turnerrainer
Contributor

Data-Anonymizer and Resql use x-forwarded-for as header name to forward end-user IP-address to backend servers:

Data-Anonymizer/Docker_Project/Resql/target/classes/application.yml:userIPHeaderName: x-forwarded-for
Data-Anonymizer/Docker_Project/Resql/target/test-classes/application.yml:userIPHeaderName: x-forwarded-for
Data-Anonymizer/Docker_Project/Resql/Java.commons/uid-log/src/test/java/rig/commons/handlers/GenericHeaderLogHandlerTest.java:    private static final String HEADERNAME = "x-forwarded-for";
Data-Anonymizer/Docker_Project/Resql/src/main/java/rig/sqlms/config/RestConfiguration.java:    private String headerName = "x-forwarded-for";
Data-Anonymizer/Docker_Project/Resql/src/main/resources/application.yml:userIPHeaderName: x-forwarded-for
Data-Anonymizer/Docker_Project/Resql/src/test/resources/application.yml:userIPHeaderName: x-forwarded-for
Resql/src/main/java/rig/sqlms/config/RestConfiguration.java:    private String headerName = "x-forwarded-for";
Resql/src/main/resources/application.yml:userIPHeaderName: x-forwarded-for
Resql/src/test/resources/application.yml:userIPHeaderName: x-forwarded-for

Using non-alphanumeric symbols in header names that are used for forwarding end-user information might cause security issues in the future if the system starts to use a service that tries to keep backwards compatibility with CGI scripts and end-user request headers are forwarded to such service. In this case, all non-alphanumeric characters in header names are replaced with underscores (_). A malicious end user request might already contain a header name that also converts to X_FORWARDED_FOR and the system might use the value from the user's request.

Recommendation: instead of x-forwarded-for use xforwardedfor as the header name. This might also require a change in Tomcat configuration.
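The collision described in this issue, as an added example (my code, not Resql's or Data-Anonymizer's): it models the CGI-style header-to-variable mapping, checks whether a client-supplied header name would land in the same variable as the header the proxy sets, shows why an all-alphanumeric name has no such twin, and sketches a proxy-side filter that drops colliding inbound headers before the trusted value is set. The helper names and the sample request headers are constructed for illustration.

```python
import re


def cgi_env_name(header_name: str) -> str:
    """CGI/WSGI convention: upper-case the header name, replace every
    non-alphanumeric character with "_" and prefix "HTTP_"."""
    return "HTTP_" + re.sub(r"[^A-Za-z0-9]", "_", header_name).upper()


def collides(trusted_header: str, candidate_header: str) -> bool:
    """True if a client-supplied header would be mapped onto the same CGI
    variable as the header the proxy uses for end-user information."""
    return cgi_env_name(trusted_header) == cgi_env_name(candidate_header)


def is_collision_proof(header_name: str) -> bool:
    """An all-alphanumeric name has no differently spelled header that
    normalises to the same variable: "_" can only come from a non-alphanumeric
    character, and only case variants remain, which HTTP already treats as
    the same header."""
    return header_name.isalnum()


def sanitise_inbound_headers(headers: dict, trusted_header: str,
                             real_client_ip: str) -> dict:
    """Hypothetical proxy-side mitigation: drop every inbound header whose
    CGI name collides with the trusted one, then set the trusted header from
    the connection's own peer address rather than from anything the client
    sent."""
    clean = {name: value for name, value in headers.items()
             if not collides(trusted_header, name)}
    clean[trusted_header] = real_client_ip
    return clean


def as_seen_by_cgi_backend(headers: dict) -> dict:
    """Simulate a CGI-compatible backend: headers are flattened into
    variables, and a later header silently overwrites an earlier one that
    maps to the same name."""
    env = {}
    for name, value in headers.items():
        env[cgi_env_name(name)] = value
    return env
```

Run as a check when choosing a header name: `is_collision_proof("x-forwarded-for")` is False, while the recommended `xforwardedfor` passes.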
