fix(auth): ignore case when comparing http headers (#8356)
lix-mms authored Jul 31, 2023
1 parent 2ca7f56 commit 352a54a
Showing 1 changed file with 6 additions and 6 deletions.
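--- a/datahub-frontend/app/controllers/Application.java
+++ b/datahub-frontend/app/controllers/Application.java
@@ -136,11 +136,11 @@ public CompletableFuture<Result> proxy(String path, Http.Request request) throws
 .stream()
 // Remove X-DataHub-Actor to prevent malicious delegation.
 .filter(entry -> !AuthenticationConstants.LEGACY_X_DATAHUB_ACTOR_HEADER.equalsIgnoreCase(entry.getKey()))
-.filter(entry -> !Http.HeaderNames.CONTENT_LENGTH.equals(entry.getKey()))
-.filter(entry -> !Http.HeaderNames.CONTENT_TYPE.equals(entry.getKey()))
-.filter(entry -> !Http.HeaderNames.AUTHORIZATION.equals(entry.getKey()))
+.filter(entry -> !Http.HeaderNames.CONTENT_LENGTH.equalsIgnoreCase(entry.getKey()))
+.filter(entry -> !Http.HeaderNames.CONTENT_TYPE.equalsIgnoreCase(entry.getKey()))
+.filter(entry -> !Http.HeaderNames.AUTHORIZATION.equalsIgnoreCase(entry.getKey()))
 // Remove Host s.th. service meshes do not route to wrong host
-.filter(entry -> !Http.HeaderNames.HOST.equals(entry.getKey()))
+.filter(entry -> !Http.HeaderNames.HOST.equalsIgnoreCase(entry.getKey()))
 .collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue))
 )
 .addHeader(Http.HeaderNames.AUTHORIZATION, authorizationHeaderValue)
@@ -152,8 +152,8 @@ public CompletableFuture<Result> proxy(String path, Http.Request request) throws
 final ResponseHeader header = new ResponseHeader(apiResponse.getStatus(), apiResponse.getHeaders()
 .entrySet()
 .stream()
-.filter(entry -> !Http.HeaderNames.CONTENT_LENGTH.equals(entry.getKey()))
-.filter(entry -> !Http.HeaderNames.CONTENT_TYPE.equals(entry.getKey()))
+.filter(entry -> !Http.HeaderNames.CONTENT_LENGTH.equalsIgnoreCase(entry.getKey()))
+.filter(entry -> !Http.HeaderNames.CONTENT_TYPE.equalsIgnoreCase(entry.getKey()))
 .map(entry -> Pair.of(entry.getKey(), String.join(";", entry.getValue())))
 .collect(Collectors.toMap(Pair::getFirst, Pair::getSecond)));
 final HttpEntity body = new HttpEntity.Strict(apiResponse.getBodyAsBytes(), Optional.ofNullable(apiResponse.getContentType()));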
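Review bot: The request-side filters in the first hunk still strip each header with its own hand-written comparison, which is how the case-sensitive `equals` on `Authorization` and `Host` survived next to an `X-DataHub-Actor` filter that was already case-insensitive. HTTP header names are case-insensitive, and a missed comparison could let a client-supplied value reach the backend together with the `Authorization` header set by `.addHeader(...)`, so I would keep the stripped names in one case-insensitive set (for example a `TreeSet<>(String.CASE_INSENSITIVE_ORDER)`) and use a single `.filter(entry -> !STRIPPED_REQUEST_HEADERS.contains(entry.getKey()))`. The commit changes only this file, so a regression test that sends a lowercase `authorization` header through `proxy` and asserts it is not forwarded is still missing. `proxy` begins and ends outside both hunks, so how `authorizationHeaderValue` is derived cannot be checked from here.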
