filter out headers which oauth2_proxy should control

if configured to set a header, make sure to either set it or delete it from the incoming request, to avoid it being spoofed in some cases inspired by oauth2-proxy/oauth2-proxy#226
ploxiln · Feb 2, 2020 · ff28e3e · ff28e3e
1 parent a78806b
commit ff28e3e
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 9 deletions.
diff --git a/main.go b/main.go
@@ -30,8 +30,8 @@ func mainFlagSet() *flag.FlagSet {
 	flagSet.String("redirect-url", "", "the OAuth Redirect URL. ie: \"https://internalapp.yourcompany.com/oauth2/callback\"")
 	flagSet.Bool("set-xauthrequest", false, "set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)")
 	flagSet.Var(&upstreams, "upstream", "the http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path")
-	flagSet.Bool("pass-basic-auth", true, "pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream")
 	flagSet.Bool("pass-user-headers", true, "pass X-Forwarded-User and X-Forwarded-Email information to upstream")
+	flagSet.Bool("pass-basic-auth", true, "pass HTTP Basic Auth header to upstream")
 	flagSet.String("basic-auth-password", "", "the password to set when passing the HTTP Basic Auth header")
 	flagSet.Bool("pass-access-token", false, "pass OAuth access_token to upstream via X-Forwarded-Access-Token header")
 	flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream")

diff --git a/oauthproxy.go b/oauthproxy.go
@@ -728,15 +728,13 @@ func (p *OAuthProxy) Authenticate(rw http.ResponseWriter, req *http.Request) int
 	// At this point, the user is authenticated. proxy normally
 	if p.PassBasicAuth {
 		req.SetBasicAuth(session.User, p.BasicAuthPassword)
-		req.Header["X-Forwarded-User"] = []string{session.User}
-		if session.Email != "" {
-			req.Header["X-Forwarded-Email"] = []string{session.Email}
-		}
 	}
 	if p.PassUserHeaders {
-		req.Header["X-Forwarded-User"] = []string{session.User}
+		req.Header.Set("X-Forwarded-User", session.User)
 		if session.Email != "" {
-			req.Header["X-Forwarded-Email"] = []string{session.Email}
+			req.Header.Set("X-Forwarded-Email", session.Email)
+		} else {
+			req.Header.Del("X-Forwarded-Email")
 		}
 	}
 	if p.SetXAuthRequest {
@@ -748,8 +746,12 @@ func (p *OAuthProxy) Authenticate(rw http.ResponseWriter, req *http.Request) int
 			rw.Header().Set("X-Auth-Request-Access-Token", session.AccessToken)
 		}
 	}
-	if p.PassAccessToken && session.AccessToken != "" {
-		req.Header["X-Forwarded-Access-Token"] = []string{session.AccessToken}
+	if p.PassAccessToken {
+		if session.AccessToken != "" {
+			req.Header.Set("X-Forwarded-Access-Token", session.AccessToken)
+		} else {
+			req.Header.Del("X-Forwarded-Access-Token")
+		}
 	}
 	if session.Email == "" {
 		rw.Header().Set("GAP-Auth", session.User)