Skip to content

fix(wasm): drop plugin-set Host / hop-by-hop headers on outbound HTTP#99

Merged
ndreno merged 1 commit into
mainfrom
sec/outbound-header-denylist
Jul 3, 2026
Merged

fix(wasm): drop plugin-set Host / hop-by-hop headers on outbound HTTP#99
ndreno merged 1 commit into
mainfrom
sec/outbound-header-denylist

Conversation

@ndreno

@ndreno ndreno commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

What

A plugin can set arbitrary headers on its outbound HTTP request (http_client.rs). Some of those must not be plugin-controlled:

  • Host is derived from the URL; a plugin-set override enables routing / cache / SSRF confusion.
  • hop-by-hop / framing headers (Content-Length, Transfer-Encoding, Connection, Keep-Alive, Proxy-Connection, Upgrade, TE, Trailer) are owned by the HTTP client; a plugin-set value enables request smuggling.

This filters them out before the request is built.

Not Authorization

Authorization is deliberately allowed — dispatchers such as ai-proxy legitimately authenticate to their upstream. (Verified: ai_proxy and proxy integration suites stay green.)

Scope

Addresses the outbound-header-injection portion of WA-9 (private tracker #3). Broker/WS egress allowlisting and the bounded worker pool from WA-9 remain open.

Tests

Unit tests for the denylist (case-insensitive deny of the forbidden set; Authorization/content-type/custom headers pass through). Smoke-tested locally: proxy (18) and ai_proxy (19) green.

A plugin could set arbitrary headers on its outbound HTTP request, including
Host (derived from the URL; an override enables routing/cache/SSRF confusion)
and message-framing / hop-by-hop headers (Content-Length, Transfer-Encoding,
Connection, etc.) that enable request smuggling.

Filter those out before building the outbound request. Authorization is
intentionally still allowed: dispatchers such as ai-proxy legitimately
authenticate to their upstream.

Addresses the outbound-header-injection part of WA-9 (private #3).
@ndreno ndreno merged commit 131b3da into main Jul 3, 2026
13 checks passed
@ndreno ndreno deleted the sec/outbound-header-denylist branch July 3, 2026 14:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant