* remove support for v1 (cherry picked from commit 8630a7a991af74edc4030f57d37a4bc263202fde) * Security: Make proxy endpoints not leak sensitive HTTP headers Fixes CVE-2022-31130 (cherry picked from commit 2974574a53ab6d26be7b706e76271173a91fea3a) * Security: Fix do not forward login cookie in outgoing requests (cherry picked from commit 54a32fc83b233f5910495b5fcca0b4f881221538) * Add test for username/login field conflict (cherry picked from commit 7aabcf2694) * Swap order of login fields (cherry picked from commit 5ec176cada) * "Release: Updated versions in package to 8.5.14" (#547) Co-authored-by: Will Browne <will.browne@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> Co-authored-by: Grot (@grafanabot) <43478413+grafanabot@users.noreply.github.com>
package proxyutil
import (
"net"
"net/http"
"sort"
)
// PrepareProxyRequest prepares a request for being proxied.
// Removes X-Forwarded-Host, X-Forwarded-Port, X-Forwarded-Proto headers, so the
// upstream never sees client-supplied values for them.
// Set X-Forwarded-For headers: the peer address of req is appended to any
// X-Forwarded-For chain already present, so the upstream can rely on the last
// entry being the address this proxy actually observed.
func PrepareProxyRequest(req *http.Request) {
	for _, name := range []string{"X-Forwarded-Host", "X-Forwarded-Port", "X-Forwarded-Proto"} {
		req.Header.Del(name)
	}

	if req.RemoteAddr == "" {
		return
	}

	// RemoteAddr is normally "host:port"; when it cannot be split (e.g. no
	// port part) the raw value is forwarded as-is.
	peer := req.RemoteAddr
	if host, _, err := net.SplitHostPort(peer); err == nil {
		peer = host
	}

	forwardedFor := peer
	if existing := req.Header.Get("X-Forwarded-For"); existing != "" {
		forwardedFor = existing + ", " + peer
	}
	req.Header.Set("X-Forwarded-For", forwardedFor)
}
// ClearCookieHeader clear cookie header, except for cookies specified to be kept (keepCookiesNames) if not in skipCookiesNames.
//
// keepCookiesNames is an allow-list: any cookie whose name is not in it is
// dropped from the outgoing request. skipCookiesNames is removed from that
// allow-list first, so a name present in both lists is never forwarded. The
// surviving cookies are re-added in sorted name order; when several incoming
// cookies share a name, the last one in the request wins.
func ClearCookieHeader(req *http.Request, keepCookiesNames []string, skipCookiesNames []string) {
	allowed := make(map[string]struct{}, len(keepCookiesNames))
	for _, name := range keepCookiesNames {
		allowed[name] = struct{}{}
	}
	for _, name := range skipCookiesNames {
		delete(allowed, name)
	}

	kept := make(map[string]*http.Cookie, len(allowed))
	for _, c := range req.Cookies() {
		if _, ok := allowed[c.Name]; ok {
			kept[c.Name] = c
		}
	}

	// Drop the whole header and rebuild it from the allow-listed cookies only,
	// in a deterministic order.
	req.Header.Del("Cookie")

	names := make([]string, 0, len(kept))
	for name := range kept {
		names = append(names, name)
	}
	sort.Strings(names)
	for _, name := range names {
		req.AddCookie(kept[name])
	}
}
// SetProxyResponseHeaders sets proxy response headers.
// Sets Content-Security-Policy: sandbox, replacing any value the upstream
// returned, so browsers apply sandbox restrictions to proxied content.
func SetProxyResponseHeaders(header http.Header) {
	// Del followed by Add leaves exactly one value for the key, as Set would.
	header.Del("Content-Security-Policy")
	header.Add("Content-Security-Policy", "sandbox")
}