fix(wasm): drop plugin-set Host / hop-by-hop headers on outbound HTTP #99
Merged
A plugin could set arbitrary headers on its outbound HTTP request, including Host (derived from the URL; an override enables routing/cache/SSRF confusion) and message-framing / hop-by-hop headers (Content-Length, Transfer-Encoding, Connection, etc.) that enable request smuggling. Filter those out before building the outbound request. Authorization is intentionally still allowed: dispatchers such as ai-proxy legitimately authenticate to their upstream. Addresses the outbound-header-injection part of WA-9 (private #3).
What
A plugin can set arbitrary headers on its outbound HTTP request (http_client.rs). Some of those must not be plugin-controlled:
- Host is derived from the URL; a plugin-set override enables routing / cache / SSRF confusion.
- Content-Length, Transfer-Encoding, Connection, Keep-Alive, Proxy-Connection, Upgrade, TE, Trailer are owned by the HTTP client; a plugin-set value enables request smuggling.

This filters them out before the request is built.
Not Authorization
Authorization is deliberately allowed — dispatchers such as ai-proxy legitimately authenticate to their upstream. (Verified: ai_proxy and proxy integration suites stay green.)
Scope
Addresses the outbound-header-injection portion of WA-9 (private tracker #3). Broker/WS egress allowlisting and the bounded worker pool from WA-9 remain open.
Tests
Unit tests for the denylist (case-insensitive deny of the forbidden set; Authorization/content-type/custom headers pass through). Smoke-tested locally: proxy (18) and ai_proxy (19) green.
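
The denylist described above, written out as an added Rust example (not the code from this PR or from http_client.rs): the function and constant names are hypothetical and the sample headers are constructed. It also returns the names it dropped so the caller can log them.

```rust
// Added example; identifiers are hypothetical, not the project's own.

/// Header names the PR description lists as not plugin-controllable.
const FORBIDDEN_OUTBOUND_HEADERS: [&str; 9] = [
    "host",
    "content-length",
    "transfer-encoding",
    "connection",
    "keep-alive",
    "proxy-connection",
    "upgrade",
    "te",
    "trailer",
];

/// HTTP field names are case-insensitive, so the comparison must be too.
fn is_forbidden_outbound_header(name: &str) -> bool {
    FORBIDDEN_OUTBOUND_HEADERS
        .iter()
        .any(|f| f.eq_ignore_ascii_case(name))
}

/// Splits plugin-supplied headers into (kept pairs, dropped names).
fn filter_plugin_headers(
    headers: Vec<(String, String)>,
) -> (Vec<(String, String)>, Vec<String>) {
    let mut kept = Vec::new();
    let mut dropped = Vec::new();
    for (name, value) in headers {
        if is_forbidden_outbound_header(&name) {
            dropped.push(name); // record the name only, never the value
        } else {
            kept.push((name, value));
        }
    }
    (kept, dropped)
}

/// Constructed sample of what a plugin might hand to the HTTP client.
fn sample_plugin_headers() -> Vec<(String, String)> {
    [
        ("Host", "internal.example"),
        ("transfer-ENCODING", "chunked"),
        ("Authorization", "Bearer PLACEHOLDER"),
        ("Content-Type", "application/json"),
        ("X-Custom", "1"),
    ]
    .iter()
    .map(|(n, v)| (n.to_string(), v.to_string()))
    .collect()
}
```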