Skip to content

Commit

Permalink
Unset all possible dash/underscore combinations of REMOTE_USER
Browse files Browse the repository at this point in the history
While the backend will always see underscores, as dashes are not
permitted in environment variables that are used to pass these along,
the frontend should always filter all possible notations, as otherwise
an attacker could set the "REMOTE-USER" header which gets passed as
"REMOTE_USER" unfiltered.

Do the same for REMOTE_USER_* to avoid sneaking in groups that the
user does not belong to and other user preferences.
This however is only a theoretical attack vector once you can't
spoof the REMOTE_USER variable anymore.
  • Loading branch information
evgeni committed Aug 28, 2024
1 parent 26f9bef commit e1f52cc
Show file tree
Hide file tree
Showing 2 changed files with 39 additions and 0 deletions.
13 changes: 13 additions & 0 deletions manifests/config/apache.pp
Original file line number Diff line number Diff line change
Expand Up @@ -119,10 +119,23 @@
String[1] $keycloak_app_name = 'foreman-openidc',
String[1] $keycloak_realm = 'ssl-realm',
Array[String[1]] $request_headers_to_unset = [
'REMOTE-USER',
'REMOTE_USER',
'REMOTE-USER-EMAIL',
'REMOTE-USER_EMAIL',
'REMOTE_USER-EMAIL',
'REMOTE_USER_EMAIL',
'REMOTE-USER-FIRSTNAME',
'REMOTE-USER_FIRSTNAME',
'REMOTE_USER-FIRSTNAME',
'REMOTE_USER_FIRSTNAME',
'REMOTE-USER-LASTNAME',
'REMOTE-USER_LASTNAME',
'REMOTE_USER-LASTNAME',
'REMOTE_USER_LASTNAME',
'REMOTE-USER-GROUPS',
'REMOTE-USER_GROUPS',
'REMOTE_USER-GROUPS',
'REMOTE_USER_GROUPS',
],
) {
Expand Down
26 changes: 26 additions & 0 deletions spec/classes/foreman_config_apache_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -56,10 +56,23 @@
'set SSL_CLIENT_S_DN ""',
'set SSL_CLIENT_CERT ""',
'set SSL_CLIENT_VERIFY ""',
'unset REMOTE-USER',
'unset REMOTE_USER',
'unset REMOTE-USER-EMAIL',
'unset REMOTE-USER_EMAIL',
'unset REMOTE_USER-EMAIL',
'unset REMOTE_USER_EMAIL',
'unset REMOTE-USER-FIRSTNAME',
'unset REMOTE-USER_FIRSTNAME',
'unset REMOTE_USER-FIRSTNAME',
'unset REMOTE_USER_FIRSTNAME',
'unset REMOTE-USER-LASTNAME',
'unset REMOTE-USER_LASTNAME',
'unset REMOTE_USER-LASTNAME',
'unset REMOTE_USER_LASTNAME',
'unset REMOTE-USER-GROUPS',
'unset REMOTE-USER_GROUPS',
'unset REMOTE_USER-GROUPS',
'unset REMOTE_USER_GROUPS'
])
.with_proxy_pass(
Expand Down Expand Up @@ -192,10 +205,23 @@ class { 'apache':
'set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"',
'set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"',
'set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"',
'unset REMOTE-USER',
'unset REMOTE_USER',
'unset REMOTE-USER-EMAIL',
'unset REMOTE-USER_EMAIL',
'unset REMOTE_USER-EMAIL',
'unset REMOTE_USER_EMAIL',
'unset REMOTE-USER-FIRSTNAME',
'unset REMOTE-USER_FIRSTNAME',
'unset REMOTE_USER-FIRSTNAME',
'unset REMOTE_USER_FIRSTNAME',
'unset REMOTE-USER-LASTNAME',
'unset REMOTE-USER_LASTNAME',
'unset REMOTE_USER-LASTNAME',
'unset REMOTE_USER_LASTNAME',
'unset REMOTE-USER-GROUPS',
'unset REMOTE-USER_GROUPS',
'unset REMOTE_USER-GROUPS',
'unset REMOTE_USER_GROUPS'
])
.with_ssl_proxyengine(true)
Expand Down

0 comments on commit e1f52cc

Please sign in to comment.