remove outgoing headers for the proxy

davidblasby · Dec 16, 2024 · 083f73a · 083f73a
1 parent 4fbdefd
commit 083f73a
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 6 deletions.
diff --git a/web/src/main/java/org/fao/geonet/proxy/URITemplateProxyServlet.java b/web/src/main/java/org/fao/geonet/proxy/URITemplateProxyServlet.java
@@ -72,6 +72,8 @@
 import java.util.regex.PatternSyntaxException;
 import java.util.stream.Collectors;
 
+import static org.apache.commons.lang3.StringUtils.isBlank;
+
 /**
  * This is a class extending the real proxy to make sure we can tweak specifics like removing the CSRF token on requests
  *
@@ -95,12 +97,16 @@ public class URITemplateProxyServlet extends ProxyServlet {
     private static final long serialVersionUID = 4847856943273604410L;
     private static final String P_SECURITY_MODE = "securityMode";
     private static final String P_IS_SECURED = "isSecured";
+    private static final String P_DISALLOW_HEADERS = "disallowHeaders";
+
     private static final String TARGET_URI_NAME = "targetUri";
     private static final String P_EXCLUDE_HOSTS = "excludeHosts";
     private static final String P_ALLOW_PORTS = "allowPorts";
     private static final String ATTR_QUERY_STRING =
         URITemplateProxyServlet.class.getSimpleName() + ".queryString";
 
+    protected List<String> disallowHeaders = new ArrayList<>();
+
     /*
      * These are the "hop-by-hop" headers that should not be copied.
      * http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html Overriding
@@ -133,6 +139,15 @@ public class URITemplateProxyServlet extends ProxyServlet {
     // Allowed ports allowed to access through the proxy
     private Set<Integer> allowPorts = new HashSet<>(Arrays.asList(80, 443));
 
+    @Override
+    protected void copyRequestHeader(HttpServletRequest servletRequest, HttpRequest proxyRequest,
+                                     String headerName) {
+        if (disallowHeaders.contains(headerName)) {
+            return; // dont copy
+        }
+        super.copyRequestHeader(servletRequest,proxyRequest,headerName);
+    }
+
     /**
      * Init some properties from the servlet's init parameters. They try to be resolved the same way other GeoNetwork
      * configuration properties are resolved. If after checking externally no configuration can be found it relies into
@@ -159,6 +174,11 @@ public class URITemplateProxyServlet extends ProxyServlet {
      */
     @Override
     protected void initTarget() throws ServletException {
+        //parse the disallowHeaders
+        if (!isBlank(getConfigParam(P_DISALLOW_HEADERS))) {
+            disallowHeaders =  Arrays.asList(getConfigParam(P_DISALLOW_HEADERS).split(","));
+        }
+
         securityMode = SECURITY_MODE.parse(getConfigParam(P_SECURITY_MODE));
         String doForwardHostString = getConfigParam(P_FORWARDEDHOST);
         if (doForwardHostString != null) {
@@ -173,7 +193,7 @@ protected void initTarget() throws ServletException {
         targetUriTemplate = getConfigValue(TARGET_URI_NAME);
 
         // If not set externally try to use the value from web.xml
-        if (StringUtils.isBlank(targetUriTemplate)) {
+        if (isBlank(targetUriTemplate)) {
             targetUriTemplate = getConfigParam(P_TARGET_URI);
             if (targetUriTemplate == null) {
                 throw new ServletException(P_TARGET_URI + "  is required in web.xml or set externally");
@@ -185,7 +205,7 @@ protected void initTarget() throws ServletException {
 
         this.username = getConfigValue("username");
         this.password = getConfigValue("password");
-        if (StringUtils.isBlank(this.username)) {
+        if (isBlank(this.username)) {
             this.username = getConfigParam("username");
             this.password = getConfigParam("password");
         }
@@ -196,7 +216,7 @@ protected void initTarget() throws ServletException {
         }
 
         String excludeHosts = getConfigValue(P_EXCLUDE_HOSTS);
-        if (StringUtils.isBlank(excludeHosts)) {
+        if (isBlank(excludeHosts)) {
             excludeHosts = getConfigParam(P_EXCLUDE_HOSTS);
         }
 
@@ -209,7 +229,7 @@ protected void initTarget() throws ServletException {
         }
 
         String additionalAllowPorts = getConfigValue(P_ALLOW_PORTS);
-        if (StringUtils.isBlank(additionalAllowPorts)) {
+        if (isBlank(additionalAllowPorts)) {
             additionalAllowPorts = getConfigParam(P_ALLOW_PORTS);
         }
 
@@ -236,7 +256,7 @@ private String getConfigValue(String suffix) {
         result = resolveConfigValue(webappName + "." + getServletName() + "." + suffix);
 
 
-        if (StringUtils.isBlank(result)) {
+        if (isBlank(result)) {
             // GEONETWORK is the default prefix
 
             LOGGER.info(
@@ -464,7 +484,7 @@ protected void service(HttpServletRequest servletRequest, HttpServletResponse se
 
     private boolean isUrlAllowed(HttpServletRequest servletRequest) {
         String url = servletRequest.getParameter("url");
-        if (StringUtils.isBlank(url)) {
+        if (isBlank(url)) {
             return true;
         }
 

diff --git a/web/src/main/webResources/WEB-INF/web.xml b/web/src/main/webResources/WEB-INF/web.xml
@@ -404,6 +404,15 @@
       <param-name>log</param-name>
       <param-value>false</param-value>
     </init-param>
+    <init-param>
+      <param-name>disallowHeaders</param-name>
+      <!-- comma separated list of header to NOT send to the remote proxy-ed server -->
+      <!--
+           This is the standard gn5->gn4 security header name. It should not be sent to
+           external services!
+       -->
+      <param-value>gn5.to.gn4.trusted.json.auth</param-value>
+    </init-param>
     <init-param>
       <param-name>http.protocol.handle-redirects</param-name>
       <param-value>true</param-value>