fix: filter web hook headers (#4048)

ory · Aug 23, 2024 · ddb838e · ddb838e
1 parent 9894d0a
commit ddb838e
Show file tree

Hide file tree

Showing 2 changed files with 71 additions and 14 deletions.
diff --git a/selfservice/hook/web_hook.go b/selfservice/hook/web_hook.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/textproto"
 	"time"
 
 	"github.com/dgraph-io/ristretto"
@@ -354,6 +355,8 @@ func (e *WebHook) execute(ctx context.Context, data *templateContext) error {
 			attribute.Bool("webhook.response.parse", parseResponse),
 		)
 
+		removeDisallowedHeaders(data)
+
 		req, err := builder.BuildRequest(ctx, data)
 		if errors.Is(err, request.ErrCancel) {
 			span.SetAttributes(attribute.Bool("webhook.jsonnet.canceled", true))
@@ -422,6 +425,36 @@ func (e *WebHook) execute(ctx context.Context, data *templateContext) error {
 	return nil
 }
 
+// RequestHeaderAllowList contains the allowed request headers that are forwarded
+// to the web hook target in canonical form (textproto.CanonicalMIMEHeaderKey).
+var RequestHeaderAllowList = map[string]struct{}{
+	"Accept":             {},
+	"Accept-Encoding":    {},
+	"Accept-Language":    {},
+	"Content-Length":     {},
+	"Content-Type":       {},
+	"Origin":             {},
+	"Priority":           {},
+	"Referer":            {},
+	"Sec-Ch-Ua":          {},
+	"Sec-Ch-Ua-Mobile":   {},
+	"Sec-Ch-Ua-Platform": {},
+	"Sec-Fetch-Dest":     {},
+	"Sec-Fetch-Mode":     {},
+	"Sec-Fetch-Site":     {},
+	"Sec-Fetch-User":     {},
+	"True-Client-Ip":     {},
+	"User-Agent":         {},
+}
+
+func removeDisallowedHeaders(data *templateContext) {
+	for key := range data.RequestHeaders {
+		if _, ok := RequestHeaderAllowList[textproto.CanonicalMIMEHeaderKey(key)]; !ok {
+			data.RequestHeaders.Del(key)
+		}
+	}
+}
+
 func parseWebhookResponse(resp *http.Response, id *identity.Identity) (err error) {
 	if resp == nil {
 		return errors.Errorf("empty response provided from the webhook")

diff --git a/selfservice/hook/web_hook_integration_test.go b/selfservice/hook/web_hook_integration_test.go
@@ -23,6 +23,7 @@ import (
 	"github.com/sirupsen/logrus/hooks/test"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/tidwall/sjson"
 	sdktrace "go.opentelemetry.io/otel/sdk/trace"
 	"go.opentelemetry.io/otel/sdk/trace/tracetest"
 	"golang.org/x/exp/slices"
@@ -117,26 +118,31 @@ func TestWebHooks(t *testing.T) {
 	}
 
 	bodyWithFlowOnly := func(req *http.Request, f flow.Flow) string {
-		h, _ := json.Marshal(req.Header)
-		return fmt.Sprintf(`{
+		body := fmt.Sprintf(`{
 					"flow_id": "%s",
-					"headers": %s,
 					"method": "%s",
 					"url": "%s",
 					"cookies": {
 						"Some-Cookie-1": "Some-Cookie-Value",
 						"Some-Cookie-2": "Some-other-Cookie-Value",
 						"Some-Cookie-3": "Third-Cookie-Value"
 					}
-				}`, f.GetID(), string(h), req.Method, "http://www.ory.sh/some_end_point")
+				}`, f.GetID(), req.Method, "http://www.ory.sh/some_end_point")
+		if len(req.Header) != 0 {
+			var err error
+			body, err = sjson.Set(body, "headers", req.Header)
+			if err != nil {
+				panic(err)
+			}
+		}
+
+		return body
 	}
 
 	bodyWithFlowAndIdentityAndTransientPayload := func(req *http.Request, f flow.Flow, s *session.Session, tp json.RawMessage) string {
-		h, _ := json.Marshal(req.Header)
-		return fmt.Sprintf(`{
+		body := fmt.Sprintf(`{
 					"flow_id": "%s",
 					"identity_id": "%s",
-					"headers": %s,
 					"method": "%s",
 					"url": "%s",
 					"cookies": {
@@ -145,16 +151,23 @@ func TestWebHooks(t *testing.T) {
 						"Some-Cookie-3": "Third-Cookie-Value"
 					},
 					"transient_payload": %s
-				}`, f.GetID(), s.Identity.ID, string(h), req.Method, "http://www.ory.sh/some_end_point", string(tp))
+				}`, f.GetID(), s.Identity.ID, req.Method, "http://www.ory.sh/some_end_point", string(tp))
+		if len(req.Header) != 0 {
+			var err error
+			body, err = sjson.Set(body, "headers", req.Header)
+			if err != nil {
+				panic(err)
+			}
+		}
+
+		return body
 	}
 
 	bodyWithFlowAndIdentityAndSessionAndTransientPayload := func(req *http.Request, f flow.Flow, s *session.Session, tp json.RawMessage) string {
-		h, _ := json.Marshal(req.Header)
-		return fmt.Sprintf(`{
+		body := fmt.Sprintf(`{
 					"flow_id": "%s",
 					"identity_id": "%s",
 					"session_id": "%s",
-					"headers": %s,
 					"method": "%s",
 					"url": "%s",
 					"cookies": {
@@ -163,7 +176,16 @@ func TestWebHooks(t *testing.T) {
 						"Some-Cookie-3": "Third-Cookie-Value"
 					},
 					"transient_payload": %s
-				}`, f.GetID(), s.Identity.ID, s.ID, string(h), req.Method, "http://www.ory.sh/some_end_point", string(tp))
+				}`, f.GetID(), s.Identity.ID, s.ID, req.Method, "http://www.ory.sh/some_end_point", string(tp))
+		if len(req.Header) != 0 {
+			var err error
+			body, err = sjson.Set(body, "headers", req.Header)
+			if err != nil {
+				panic(err)
+			}
+		}
+
+		return body
 	}
 
 	for _, tc := range []struct {
@@ -316,8 +338,10 @@ func TestWebHooks(t *testing.T) {
 							req := &http.Request{
 								Host: "www.ory.sh",
 								Header: map[string][]string{
-									"Some-Header": {"Some-Value"},
-									"Cookie":      {"Some-Cookie-1=Some-Cookie-Value; Some-Cookie-2=Some-other-Cookie-Value", "Some-Cookie-3=Third-Cookie-Value"},
+									"Some-Header":    {"Some-Value"},
+									"User-Agent":     {"Foo-Bar-Browser"},
+									"Invalid-Header": {"ignored"},
+									"Cookie":         {"Some-Cookie-1=Some-Cookie-Value; Some-Cookie-2=Some-other-Cookie-Value", "Some-Cookie-3=Third-Cookie-Value"},
 								},
 								RequestURI: "/some_end_point",
 								Method:     http.MethodPost,