Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Middleware to handle vendor forwarded proto #193

Open
wants to merge 13 commits into
base: main
Choose a base branch
from
Open

Middleware to handle vendor forwarded proto #193

Show file tree
Hide file tree
Changes from 7 commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
aaebc1e
migrating from rack
tomharvey Jun 5, 2024
fbe5006
fixing tests to work within rack-contrib harnass
tomharvey Jun 5, 2024
79158f1
linting with rubocop
tomharvey Jun 5, 2024
10963da
allow the middleware to be used for arbitrary and multiple headers
tomharvey Jun 8, 2024
bb21345
adding HeaderNameTransformer description
tomharvey Jun 8, 2024
fb1b50d
renaming test file for the new middleware name
tomharvey Jun 8, 2024
d37de4b
linting
tomharvey Jun 8, 2024
8a8a0a5
Update lib/rack/contrib/header_name_transformer.rb
tomharvey Jul 5, 2024
2ae7051
Update test/spec_rack_header_name_transformer.rb
tomharvey Jul 5, 2024
2c0f962
whitespace
tomharvey Jul 5, 2024
db13706
test that the old header key still exists
tomharvey Jul 5, 2024
85e4394
updating must_equal for minitest6 deprecation
tomharvey Jul 5, 2024
cca0b4f
updating test to cover multi-value header
tomharvey Jul 5, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ interface:
* `Rack::Cookies` - Adds simple cookie jar hash to env
* `Rack::Deflect` - Helps protect against DoS attacks.
* `Rack::Evil` - Lets the rack application return a response to the client from any place.
* `Rack::HeaderNameTransformer` - Change the name of a Header.
* `Rack::HostMeta` - Configures `/host-meta` using a block
* `Rack::JSONBodyParser` - Adds JSON request bodies to the Rack parameters hash.
* `Rack::JSONP` - Adds JSON-P support by stripping out the callback param and padding the response with the appropriate callback format.
Expand Down
1 change: 1 addition & 0 deletions lib/rack/contrib.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ def self.release
autoload :Deflect, "rack/contrib/deflect"
autoload :EnforceValidEncoding, "rack/contrib/enforce_valid_encoding"
autoload :ExpectationCascade, "rack/contrib/expectation_cascade"
autoload :HeaderNameTransformer, "rack/contrib/header_name_transformer"
autoload :HostMeta, "rack/contrib/host_meta"
autoload :GarbageCollector, "rack/contrib/garbagecollector"
autoload :JSONP, "rack/contrib/jsonp"
Expand Down
33 changes: 33 additions & 0 deletions lib/rack/contrib/header_name_transformer.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
# frozen_string_literal: true

module Rack
# Middleware to change the name of a header
#
# So, if a server upstream of Rack sends {'X-Header-Name': "value"}
#  you can change header to {'Whatever-You-Want': "value"}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's probably worth describing how existing values in the "target" header will be impacted, since HTTP headers are multi-valued.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unless I misunderstand RFC 2616 the multiple values would come into this stage of middleware as {'Whatever-You-Want': "value1, value2"}.

I've also seen https://github.com/rack/rack/blob/ed25abcde2a64a937efa1e59f1a0bb53d7ccecb8/test/spec_files.rb#L213C10-L213C20 where the multiple values are being passed into HTTP_RANGE.

Is this the kind of multi-value you're talking about?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If so, the change in the "Foo" header to contain "foo, bar" as the value should cover things.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, I wasn't clear that I was referring to the situation where (for whatever reason) there was already a value in (per the example) Whatever-You-Want. The current code overwrites the existing value, and that's a reasonable behaviour, but it's worth clearly stating that in the docs, and having the tests ensure no regressions in that behaviour.

#
# There is a specific use case when ensuring the scheme matches when
# comparing request.origin and request.base_url for CSRF checking,
# but Rack expects that value to be in the X_FORWARDED_PROTO header.
#
# Example Rails usage:
# If you use a vendor managed proxy or CDN which sends the proto in a header add
# `config.middleware.use Rack::SetXForwardedProtoHeader, 'Vendor-Forwarded-Proto-Header', 'X-Forwarded-Proto'`
tomharvey marked this conversation as resolved.
Show resolved Hide resolved
# to your application.rb file

class HeaderNameTransformer
def initialize(app, vendor_header, forwarded_header)
@app = app
# Rack expects to see UPPER_UNDERSCORED_HEADERS, never SnakeCased-Dashed-Headers
@vendor_header = "HTTP_#{vendor_header.upcase.gsub '-', '_'}"
@forwarded_header = "HTTP_#{forwarded_header.upcase.gsub '-', '_'}"
end

def call(env)
if (value = env[@vendor_header])
env[@forwarded_header] = value
end
@app.call(env)
end
end
end
60 changes: 60 additions & 0 deletions test/spec_rack_header_name_transformer.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
# frozen_string_literal: true

require 'minitest/autorun'
require 'rack/contrib/runtime'

describe Rack::HeaderNameTransformer do
mpalmer marked this conversation as resolved.
Show resolved Hide resolved
response = ->(_e) { [200, {}, []] }

it 'leaves the value of headers intact if there is no matching vendor header passed to override it in the request' do
vendor_header = 'not passed in the request'
env = Rack::MockRequest.env_for('/', 'HTTP_X_FORWARDED_PROTO' => 'http')

Rack::Lint.new(Rack::HeaderNameTransformer.new(response, vendor_header, 'bar')).call env

env['HTTP_X_FORWARDED_PROTO'].must_equal 'http'
end

it 'copy the value of the vendor header to a newly named header' do
env = Rack::MockRequest.env_for('/', { 'HTTP_VENDOR' => 'value', 'HTTP_FOO' => 'foo' })

Rack::Lint.new(Rack::HeaderNameTransformer.new(response, 'Vendor', 'Standard')).call env
Rack::Lint.new(Rack::HeaderNameTransformer.new(response, 'Foo', 'Bar')).call env

env['HTTP_STANDARD'].must_equal 'value'
env['HTTP_BAR'].must_equal 'foo'
end

# Real world headers and use cases
it 'copy the value of a vendor forward proto header to the standardised formward proto header' do
tomharvey marked this conversation as resolved.
Show resolved Hide resolved
env = Rack::MockRequest.env_for('/', 'HTTP_VENDOR_FORWARDED_PROTO_HEADER' => 'https')

Rack::Lint.new(
Rack::HeaderNameTransformer.new(
response,
'Vendor-Forwarded-Proto-Header',
'X-Forwarded-Proto'
)
).call env

env['HTTP_X_FORWARDED_PROTO'].must_equal 'https'
end

it 'copy the value of a vendor forward proto header to the standardised header, overwriting existing request value' do
env = Rack::MockRequest.env_for(
'/',
'HTTP_VENDOR_FORWARDED_PROTO_HEADER' => 'https',
'HTTP_X_FORWARDED_PROTO' => 'http'
)

Rack::Lint.new(
Rack::HeaderNameTransformer.new(
response,
'Vendor-Forwarded-Proto-Header',
'X-Forwarded-Proto'
)
).call env

env['HTTP_X_FORWARDED_PROTO'].must_equal 'https'
end
end