Skip to content

fix: Secure x-forwarded-* headers from untrusted proxies #4171

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 20 commits into from
Jul 18, 2025
Merged

fix: Secure x-forwarded-* headers from untrusted proxies #4171

merged 20 commits into from
Jul 18, 2025

Conversation

richard-salac
Copy link
Contributor

@richard-salac richard-salac commented Jun 17, 2025
edited
Loading

Description

Enable forwarding of X-Forwarded... headers from trusted proxies only, mitigates CVE-2025-41235. The pattern to identify trusted proxies can be set via apiml.security.forwardHeader.trustedProxies property. If the request is signed by the Zowe certificate, it is trusted even of the property is not set.

If the headers are received from an untrusted source, they are removed from the request and apiml creates new ones.

cherry-pick from v2: #4148 and #4188

In addition to the cherry-pick, the gateway-service/src/main/java/org/zowe/apiml/gateway/config/ConnectionsConfig.java had to be refactored and the https factory configuration was moved into the new gateway-service/src/main/java/org/zowe/apiml/gateway/config/HttpsFactoryConfig.java class. Some tests could not be initialized because of the change in bean order initialization. The original design used @PostConstruct to initialize the https configuration into a private field which was not guaranteed to happen when mocking the class for tests. The https configuration is now injected as a bean instead. Besides that, the modification better respects the separation of concerns principle and prefers the dependency injection over setting private fields via reflection.

Linked to # (issue)
Part of the # (epic)

Type of change

Please delete options that are not relevant.

  • fix: Bug fix (non-breaking change which fixes an issue)
  • feat: New feature (non-breaking change which adds functionality)
  • docs: Change in a documentation
  • refactor: Refactor the code
  • chore: Chore, repository cleanup, updates the dependencies.
  • BREAKING CHANGE or !: Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

  • My code follows the style guidelines of this project
  • PR title conforms to commit message guideline ## Commit Message Structure Guideline
  • I have commented my code, particularly in hard-to-understand areas. In JS I did provide JSDoc
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • The java tests in the area I was working on leverage @nested annotations
  • Any dependent changes have been merged and published in downstream modules

For more details about how should the code look like read the Contributing guideline

@github-actions github-actions bot added the Sensitive Sensitive change that requires peer review label Jun 17, 2025
@richard-salac richard-salac changed the base branch from v3.x.x to reboot/update/v3_java_only June 17, 2025 13:30
@richard-salac richard-salac changed the title Secure x-forwarded-* headers from untrusted proxies fix: Secure x-forwarded-* headers from untrusted proxies Jun 17, 2025
@richard-salac richard-salac changed the title fix: Secure x-forwarded-* headers from untrusted proxies DRAFT: fix: Secure x-forwarded-* headers from untrusted proxies Jun 17, 2025
@richard-salac richard-salac changed the base branch from reboot/update/v3_java_only to v3.x.x June 17, 2025 14:34
@EvaJavornicka EvaJavornicka moved this from New to In Progress in API Mediation Layer Backlog Management Jun 18, 2025
@richard-salac richard-salac force-pushed the reboot/trusted-proxies-v3 branch from 5978bd6 to 847c15f Compare July 8, 2025 13:57
@richard-salac richard-salac force-pushed the reboot/trusted-proxies-v3 branch 6 times, most recently from e6377d7 to d118c96 Compare July 14, 2025 12:31
@richard-salac richard-salac force-pushed the reboot/trusted-proxies-v3 branch from d118c96 to 9fcb475 Compare July 14, 2025 14:41
@richard-salac richard-salac changed the title DRAFT: fix: Secure x-forwarded-* headers from untrusted proxies fix: Secure x-forwarded-* headers from untrusted proxies Jul 15, 2025
arxioly
arxioly reviewed Jul 15, 2025
View reviewed changes
richard-salac and others added 7 commits July 15, 2025 19:11
@richard-salac @arxioly
Update gateway-service/src/main/java/org/zowe/apiml/gateway/filters/p…
386068e 
…roxyheaders/AdditionalRegistrationGatewayRegistry.java

Co-authored-by: Elena Kubantseva <[email protected]>
Signed-off-by: Richard Salač <[email protected]>
@richard-salac @arxioly
Update integration-tests/src/test/java/org/zowe/apiml/integration/pro…
d4c7098 
…xy/XForwardHeadersProxyTest.java

Co-authored-by: Elena Kubantseva <[email protected]>
Signed-off-by: Richard Salač <[email protected]>
@richard-salac @arxioly
Update gateway-service/src/test/java/org/zowe/apiml/gateway/acceptanc…
09e5429 
…e/xForwardHeaders/MutateRemoteAddressFilter.java

Co-authored-by: Elena Kubantseva <[email protected]>
Signed-off-by: Richard Salač <[email protected]>
@richard-salac @arxioly
Update integration-tests/src/test/java/org/zowe/apiml/integration/pro…
b4d3f6c 
…xy/XForwardHeadersProxyTest.java

Co-authored-by: Elena Kubantseva <[email protected]>
Signed-off-by: Richard Salač <[email protected]>
@richard-salac @arxioly
Update gateway-package/src/main/resources/bin/start.sh
60af29d 
Co-authored-by: Elena Kubantseva <[email protected]>
Signed-off-by: Richard Salač <[email protected]>
@richard-salac @arxioly
Update gateway-service/src/test/java/org/zowe/apiml/gateway/filters/p…
e08ec72 
…roxyheaders/AdditionalRegistrationGatewayRegistryTest.java

Co-authored-by: Elena Kubantseva <[email protected]>
Signed-off-by: Richard Salač <[email protected]>
@richard-salac @arxioly
Update gateway-service/src/test/java/org/zowe/apiml/gateway/filters/p…
ad72161 
…roxyheaders/AdditionalRegistrationGatewayRegistryTest.java

Co-authored-by: Elena Kubantseva <[email protected]>
Signed-off-by: Richard Salač <[email protected]>
richard-salac and others added 8 commits July 15, 2025 19:21
@richard-salac @arxioly
Update gateway-service/src/test/java/org/zowe/apiml/gateway/filters/p…
c55a85d 
…roxyheaders/AdditionalRegistrationGatewayRegistryTest.java

Co-authored-by: Elena Kubantseva <[email protected]>
Signed-off-by: Richard Salač <[email protected]>
@richard-salac @arxioly
Update integration-tests/src/test/java/org/zowe/apiml/integration/pro…
04060b6 
…xy/XForwardHeadersProxyTest.java

Co-authored-by: Elena Kubantseva <[email protected]>
Signed-off-by: Richard Salač <[email protected]>
cr
1e4eecf 
Signed-off-by: Richard Salac <[email protected]>
Signed-off-by: Richard Salač <[email protected]>
@richard-salac
Merge branch 'v3.x.x' into reboot/trusted-proxies-v3
28f3cdb
@richard-salac
cr
e830509 
Signed-off-by: Richard Salac <[email protected]>
@richard-salac
fix it config
5154e3d 
Signed-off-by: Richard Salac <[email protected]>
@richard-salac
Merge branch 'v3.x.x' into reboot/trusted-proxies-v3
ae45617
@richard-salac
resolve bean initialization conflict with modulith
6a9469b 
Signed-off-by: Richard Salac <[email protected]>
@richard-salac richard-salac force-pushed the reboot/trusted-proxies-v3 branch 2 times, most recently from dee4354 to 6a9469b Compare July 18, 2025 12:47
@richard-salac
fix it config
385ce08 
Signed-off-by: Richard Salac <[email protected]>

refactor it

Signed-off-by: Richard Salac <[email protected]>
@richard-salac richard-salac force-pushed the reboot/trusted-proxies-v3 branch from a8a47c5 to 385ce08 Compare July 18, 2025 13:17
arxioly
arxioly approved these changes Jul 18, 2025
View reviewed changes
Copy link
Contributor

@arxioly arxioly left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Other then order of the services in integration-tests.yml 🤓 LGTM

@richard-salac
reformat it setup
8575d84 
Signed-off-by: Richard Salac <[email protected]>
@richard-salac richard-salac force-pushed the reboot/trusted-proxies-v3 branch from 0e5fc37 to 8575d84 Compare July 18, 2025 15:15
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
21 New issues
0 Accepted issues

Measures
0 Security Hotspots
80.9% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@richard-salac richard-salac merged commit ff8c81d into v3.x.x Jul 18, 2025
103 of 105 checks passed
@richard-salac richard-salac deleted the reboot/trusted-proxies-v3 branch July 18, 2025 15:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arxioly arxioly arxioly approved these changes

Assignees
No one assigned
Labels
Sensitive Sensitive change that requires peer review size/XXL
Projects
API Mediation Layer Backlog Management
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@richard-salac @arxioly