Impact
Downstream services relying on the presence of headers set by the header mutator could be exploited. A client can drop the header set by the header mutator by including that header's name in the Connection header. Example minimal config:
- id: 'example'
upstream:
url: 'https://example.com'
match:
url: 'http://127.0.0.1:4455/'
methods:
- GET
authenticators:
- handler: anonymous
authorizer:
handler: allow
mutators:
- handler: header
config:
headers:
X-Subject: {{ .Subject }}curl -H "Connection: close,x-subject" http://127.0.0.1:4455/
The X-Subject header will not arrive at the downstream server. It is completely dropped. In case the downstream server handles such a request in an unexpected way, an attacker can exploit this, assuming they know or guess the internal header name.
Patches
c5cc7f7
Workarounds
The downstream server should handle the case that an expected header is not set by responding with an appropriate error.
References
See background info in golang/go#50580
Impact
Downstream services relying on the presence of headers set by the
headermutator could be exploited. A client can drop the header set by theheadermutator by including that header's name in theConnectionheader. Example minimal config:The
X-Subjectheader will not arrive at the downstream server. It is completely dropped. In case the downstream server handles such a request in an unexpected way, an attacker can exploit this, assuming they know or guess the internal header name.Patches
c5cc7f7
Workarounds
The downstream server should handle the case that an expected header is not set by responding with an appropriate error.
References
See background info in golang/go#50580