git-gateway

Clean headers before forwarding requests

Open jose-ledesma opened this issue 4 years ago • 2 comments

- Do you want to request a feature or report a bug? Bug

- What is the current behavior? git-gateway is forwarding some headers it should not (X-Forwarded-For, Client-IP), which may trigger undesired behaviors (see #41)

- If the current behavior is a bug, please provide the steps to reproduce. We have detected that when forwarding the Client-IP header to GitLab, its API detected a spoofing attempt (because X-Forwarded-For and Client-IP did not match)

- What is the expected behavior? Forwarded request should be clean of unneeded headers.

- Please mention your Go version, and operating system version.

jose-ledesma Nov 19 '19 10:11

Hello, can I get some more information on this...is this just for GitLab? Or all forwarded requests should be cleaned of those headers?

aarushik93 Apr 09 '20 14:04

I'd say it should happen for all git providers.

It could be useful to get a build running on staging that logs all request headers, so you can know which to filter. Alternatively, an allow-list would make sense, because we can look up what headers can be passed to those APIs.

mraerino Apr 24 '20 15:04
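A sketch of the allow-list approach suggested in the last comment, added here as an example; it is not part of the thread or of git-gateway's code. It assumes the forwarding is done with Go's `httputil.ReverseProxy`; the names `allowedHeaders`, `cleanHeaders` and `newDirector`, the header list and the hostnames are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// allowedHeaders is a hypothetical allow-list; the real set depends on what
// each provider API accepts. Client-IP and X-Forwarded-For are not on it.
var allowedHeaders = []string{"Accept", "Content-Type", "User-Agent"}

// cleanHeaders copies only allow-listed headers into a fresh header set, so
// anything not explicitly permitted is dropped before the request goes upstream.
func cleanHeaders(in http.Header) http.Header {
	out := make(http.Header)
	for _, name := range allowedHeaders {
		if vals := in.Values(name); len(vals) > 0 {
			out[http.CanonicalHeaderKey(name)] = append([]string(nil), vals...)
		}
	}
	return out
}

// newDirector rewrites the request for the upstream and cleans its headers.
func newDirector(target *url.URL) func(*http.Request) {
	return func(req *http.Request) {
		req.URL.Scheme = target.Scheme
		req.URL.Host = target.Host
		req.Host = target.Host
		req.Header = cleanHeaders(req.Header)
		// ReverseProxy appends the client IP to X-Forwarded-For after the
		// Director runs; a nil entry tells it to leave the header out.
		req.Header["X-Forwarded-For"] = nil
	}
}

func main() {
	target, _ := url.Parse("https://gitlab.example.com") // constructed upstream
	proxy := &httputil.ReverseProxy{Director: newDirector(target)}
	req, _ := http.NewRequest("GET", "http://gateway.example/gitlab/tree", nil)
	req.Header.Set("Client-IP", "203.0.113.7") // constructed sample values
	req.Header.Set("X-Forwarded-For", "198.51.100.9")
	req.Header.Set("Accept", "application/json")
	proxy.Director(req)
	fmt.Println(req.Header) // only Accept survives, plus the nil X-Forwarded-For marker
}
```

Credentials for the provider are deliberately not on the list; the sketch assumes the gateway attaches its own after cleaning.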