Filter headers using whitelist, not blacklist

2025-04-24 09:48:58 -04:00 · 2016-04-13 16:50:18 -07:00 · 2016-04-13 16:50:18 -07:00 · b102e26ac3
commit b102e26ac3
parent 1ed0a2516f
3 changed files with 24 additions and 18 deletions
--- a/src/plugins/elasticsearch/index.js
+++ b/src/plugins/elasticsearch/index.js
@ -20,6 +20,7 @@ module.exports = function ({ Plugin }) {
        password: string(),
        shardTimeout: number().default(0),
        requestTimeout: number().default(30000),
+        requestHeaders: array().items(string()).single().default([]),
        pingTimeout: number().default(ref('requestTimeout')),
        startupTimeout: number().default(5000),
        ssl: object({
--- a/src/plugins/elasticsearch/lib/tests/map_uri.js
+++ b/src/plugins/elasticsearch/lib/tests/map_uri.js
@ -1,5 +1,6 @@
 import expect from 'expect.js';
 import mapUri from '../map_uri';
+import sinon from 'sinon';

 describe('plugins/elasticsearch', function () {
  describe('lib/map_uri', function () {
@ -8,14 +9,12 @@ describe('plugins/elasticsearch', function () {
    let request;

    beforeEach(function () {
+      const get = sinon.stub()
+      .withArgs('elasticsearch.url').returns('http://foobar:9200')
+      .withArgs('elasticsearch.requestHeaders').returns(['x-my-custom-HEADER', 'Authorization']);
+      const config = function () { return { get: get }; };
      server = {
-        config() {
-          return {
-            get() {
-              return 'http://foobar:9200';
-            }
-          };
-        }
+        config: config
      };

      request = {
@ -25,16 +24,19 @@ describe('plugins/elasticsearch', function () {
          'accept-encoding': 'gzip, deflate',
          origin: 'https://localhost:5601',
          'content-type': 'application/json',
-          accept: 'application/json, text/plain, */*'
+          'x-my-custom-header': '42',
+          accept: 'application/json, text/plain, */*',
+          authorization: '2343d322eda344390fdw42'
        }
      };
    });

-    it ('filters out the origin header from the client', function () {
+    it ('only keeps the whitelisted request headers', function () {
      mapUri(server)(request, function (err, upstreamUri, upstreamHeaders) {
        expect(err).to.be(null);
-        expect(upstreamHeaders).not.to.have.property('origin');
-        expect(Object.keys(upstreamHeaders).length).to.be(4);
+        expect(upstreamHeaders).to.have.property('authorization');
+        expect(upstreamHeaders).to.have.property('x-my-custom-header');
+        expect(Object.keys(upstreamHeaders).length).to.be(2);
      });
    });
  });
--- a/src/plugins/elasticsearch/lib/map_uri.js
+++ b/src/plugins/elasticsearch/lib/map_uri.js
@ -2,14 +2,17 @@ import querystring from 'querystring';
 import { resolve } from 'url';
 import _ from 'lodash';

-const filterHeaders = function (originalHeaders) {
-  const headersToRemove = [
-    'origin'
-  ];
-  return _.omit(originalHeaders, headersToRemove);
-};
-
 module.exports = function mapUri(server, prefix) {
+
+  const filterHeaders = function (originalHeaders) {
+    const headersToKeep = server.config().get('elasticsearch.requestHeaders');
+    const headersToKeepNormalized = headersToKeep.map(function (header) {
+      return header.trim().toLowerCase();
+    });
+
+    return _.pick(originalHeaders, headersToKeepNormalized);
+  };
+
  const config = server.config();
  return function (request, done) {
    const path = request.path.replace('/elasticsearch', '');