Forbid setting the Location and Refresh custom response headers (#98129) (#98206)

# Conflicts: # src/core/server/http/http_config.ts
2025-04-24 01:38:56 -04:00 · 2021-04-23 17:09:08 -04:00 · 2021-04-23 17:09:08 -04:00 · b468ed7b75
commit b468ed7b75
parent 2860c95fcf
2 changed files with 41 additions and 0 deletions
--- a/src/core/server/http/http_config.test.ts
+++ b/src/core/server/http/http_config.test.ts
@ -252,6 +252,34 @@ test('accepts any type of objects for custom headers', () => {
  expect(() => httpSchema.validate(obj)).not.toThrow();
 });

+test('forbids the "location" custom response header', () => {
+  const httpSchema = config.schema;
+  const obj = {
+    customResponseHeaders: {
+      location: 'string',
+      Location: 'string',
+      lOcAtIoN: 'string',
+    },
+  };
+  expect(() => httpSchema.validate(obj)).toThrowErrorMatchingInlineSnapshot(
+    `"[customResponseHeaders]: The following custom response headers are not allowed to be set: location, Location, lOcAtIoN"`
+  );
+});
+
+test('forbids the "refresh" custom response header', () => {
+  const httpSchema = config.schema;
+  const obj = {
+    customResponseHeaders: {
+      refresh: 'string',
+      Refresh: 'string',
+      rEfReSh: 'string',
+    },
+  };
+  expect(() => httpSchema.validate(obj)).toThrowErrorMatchingInlineSnapshot(
+    `"[customResponseHeaders]: The following custom response headers are not allowed to be set: refresh, Refresh, rEfReSh"`
+  );
+});
+
 describe('with TLS', () => {
  test('throws if TLS is enabled but `redirectHttpFromPort` is equal to `port`', () => {
    const httpSchema = config.schema;
--- a/src/core/server/http/http_config.ts
+++ b/src/core/server/http/http_config.ts
@ -20,6 +20,9 @@ const hostURISchema = schema.uri({ scheme: ['http', 'https'] });
 const match = (regex: RegExp, errorMsg: string) => (str: string) =>
  regex.test(str) ? undefined : errorMsg;

+// The lower-case set of response headers which are forbidden within `customResponseHeaders`.
+const RESPONSE_HEADER_DENY_LIST = ['location', 'refresh'];
+
 // before update to make sure it's in sync with validation rules in Legacy
 // https://github.com/elastic/kibana/blob/master/src/legacy/server/config/schema.js
 export const config = {
@ -58,6 +61,16 @@ export const config = {
      ),
      customResponseHeaders: schema.recordOf(schema.string(), schema.any(), {
        defaultValue: {},
+        validate(value) {
+          const forbiddenKeys = Object.keys(value).filter((headerName) =>
+            RESPONSE_HEADER_DENY_LIST.includes(headerName.toLowerCase())
+          );
+          if (forbiddenKeys.length > 0) {
+            return `The following custom response headers are not allowed to be set: ${forbiddenKeys.join(
+              ', '
+            )}`;
+          }
+        },
      }),
      host: schema.string({
        defaultValue: 'localhost',