fix(auth-proxy-set-headers): Sanitize authorization header values

jkroepke · jkroepke · commit 748cf6ccbec7 · 2025-08-02T17:38:11.000+02:00
diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go
@@ -619,8 +619,13 @@ func buildAuthProxySetHeaders(headers map[string]string) []string {
 	}
 
 	for name, value := range headers {
-		res = append(res, fmt.Sprintf("proxy_set_header '%v' '%v';", name, value))
+		if strings.ContainsAny(name, "\n\r") || strings.ContainsAny(value, "\n\r") {
+			continue
+		}
+
+		res = append(res, fmt.Sprintf("proxy_set_header %v %v;", strconv.Quote(name), strconv.Quote(value)))
 	}
+
 	sort.Strings(res)
 	return res
 }
diff --git a/internal/ingress/controller/template/template_test.go b/internal/ingress/controller/template/template_test.go
@@ -548,12 +548,23 @@ func TestBuildAuthResponseLua(t *testing.T) {
 
 func TestBuildAuthProxySetHeaders(t *testing.T) {
 	proxySetHeaders := map[string]string{
-		"header1": "value1",
-		"header2": "value2",
+		"Content-Security-Policy": "default-src 'self'; img-src 'self' example.com",
+		"Content-Type":            "application/json; charset=\"utf-8\"",
+		"header1":                 "value1",
+		"header2":                 "value2",
+		"Link":                    "<https://example.com>; rel=\"preload\"; as=\"script\"; crossorigin=\"anonymous\"",
+		"User-Agent":              "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36",
+		"new\rline":               "value1",
+		"newline2":                "valu\ne2",
 	}
+
 	expected := []string{
-		"proxy_set_header 'header1' 'value1';",
-		"proxy_set_header 'header2' 'value2';",
+		`proxy_set_header "Content-Security-Policy" "default-src 'self'; img-src 'self' example.com";`,
+		`proxy_set_header "Content-Type" "application/json; charset=\"utf-8\"";`,
+		`proxy_set_header "Link" "<https://example.com>; rel=\"preload\"; as=\"script\"; crossorigin=\"anonymous\"";`,
+		`proxy_set_header "User-Agent" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36";`,
+		`proxy_set_header "header1" "value1";`,
+		`proxy_set_header "header2" "value2";`,
 	}
 
 	headers := buildAuthProxySetHeaders(proxySetHeaders)

Original file line number	Diff line number	Diff line change
`@@ -619,8 +619,13 @@ func buildAuthProxySetHeaders(headers map[string]string) []string {`
`619`	`619`	`}`
`620`	`620`
`621`	`621`	`for name, value := range headers {`
`622`		`- res = append(res, fmt.Sprintf("proxy_set_header '%v' '%v';", name, value))`
	`622`	`+ if strings.ContainsAny(name, "\n\r") \|\| strings.ContainsAny(value, "\n\r") {`
	`623`	`+ continue`
	`624`	`+ }`
	`625`	`+`
	`626`	`+ res = append(res, fmt.Sprintf("proxy_set_header %v %v;", strconv.Quote(name), strconv.Quote(value)))`
`623`	`627`	`}`
	`628`	`+`
`624`	`629`	`sort.Strings(res)`
`625`	`630`	`return res`
`626`	`631`	`}`