
Mutate breaks functionality of StrictFirewallHttpHeaders with recently modified HttpHeaders#writableHttpHeaders #16069

Closed
MichalStehlikCz opened this issue Nov 12, 2024 · 1 comment
Labels: in: web (An issue in web modules (web, webmvc)), type: bug (A general bug)

Comments

@MichalStehlikCz

Describe the bug
When a request wrapped by StrictServerWebExchangeFirewall / StrictFirewallHttpRequest is mutated, the header sanitization provided by StrictFirewallHttpHeaders is removed.

This is due to the fact that

  • the HttpHeaders#writableHttpHeaders implementation is weird: instead of retrieving and copying the header values, it unwraps the inner-most multi-value map and uses it in a new (mutable) HttpHeaders instance
  • the mutated request uses these new HttpHeaders and does not invoke the HTTP headers from the delegate

Expected behavior
Mutated request should be protected by StrictFirewallHttpHeaders sanitization.

@MichalStehlikCz MichalStehlikCz added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Nov 12, 2024
@MichalStehlikCz (Author)

This test illustrates the described behaviour:

```java
@Test
void getMutatedFirewalledExchangeGetHeaderWhenNotAllowedHeaderNameThenException() {
	// Reject the header name "bad name" at the firewall level
	this.firewall.setAllowedHeaderNames((name) -> !name.equals("bad name"));
	ServerWebExchange exchange = getFirewalledExchange();
	// Mutating the exchange/request produces new HttpHeaders
	ServerWebExchange mutatedExchange = exchange.mutate()
			.request(exchange.getRequest().mutate().build())
			.build();
	HttpHeaders headers = mutatedExchange.getRequest().getHeaders();
	// Expected: the firewall still rejects the disallowed header name
	assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> headers.get("bad name"));
}
```
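As an added illustration (not Spring's code and not the test from this issue), the following stand-alone Java model reproduces the mechanism described in the report with plain maps: a read-only wrapper that validates header names on each read, a writable copy built from the unwrapped inner map (which silently drops the check), and a writable copy that is wrapped again with the same predicate. All class and method names here are assumptions chosen for the model.

```java
import java.util.*;
import java.util.function.Predicate;

// Stand-alone model of the reported behaviour (added example, not Spring's code).
public class MutateLosesSanitization {
    static final class RejectedException extends RuntimeException {
        RejectedException(String msg) { super(msg); }
    }

    /** Plays the role of StrictFirewallHttpHeaders: validates the name on every read. */
    static final class FirewallHeaders {
        final Map<String, List<String>> inner;       // innermost storage
        final Predicate<String> allowedName;
        FirewallHeaders(Map<String, List<String>> inner, Predicate<String> allowedName) {
            this.inner = inner;
            this.allowedName = allowedName;
        }

        List<String> get(String name) {
            if (!allowedName.test(name)) {
                throw new RejectedException("header name rejected: " + name);
            }
            return inner.get(name);
        }
    }

    /** Buggy path (what the issue describes): the writable copy is built from the
     *  unwrapped innermost map, so the wrapper's check never runs on it. */
    static Map<String, List<String>> writableByUnwrapping(FirewallHeaders h) {
        return new LinkedHashMap<>(h.inner);
    }

    /** Hardened path: the writable copy is wrapped again with the same predicate. */
    static FirewallHeaders writableKeepingFirewall(FirewallHeaders h) {
        return new FirewallHeaders(new LinkedHashMap<>(h.inner), h.allowedName);
    }

    public static void main(String[] args) {
        Map<String, List<String>> raw = new LinkedHashMap<>();
        raw.put("bad name", List.of("x"));           // constructed disallowed header
        FirewallHeaders fw = new FirewallHeaders(raw, n -> !n.equals("bad name"));
        System.out.println(writableByUnwrapping(fw).get("bad name")); // [x]: check bypassed
        try {
            writableKeepingFirewall(fw).get("bad name");
        } catch (RejectedException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The defender's takeaway is that any "writable copy" of a sanitizing view must be re-wrapped with the same policy, or the mutated request silently loses the firewall's protection.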

@sjohnr sjohnr added the in: web An issue in web modules (web, webmvc) label Nov 14, 2024
@rwinch rwinch removed the status: waiting-for-triage An issue we've not yet triaged label Dec 11, 2024
@rwinch rwinch added this to the 6.3.6 milestone Dec 11, 2024
@rwinch rwinch closed this as completed in 6a0b683 Dec 11, 2024