
fix: Secure x-forwarded-* headers from untrusted proxies #4171


Merged: 20 commits merged into v3.x.x from reboot/trusted-proxies-v3 on Jul 18, 2025

Conversation

@richard-salac (Contributor) commented Jun 17, 2025

Description

Enable forwarding of X-Forwarded-* headers from trusted proxies only; mitigates CVE-2025-41235. The pattern to identify trusted proxies can be set via the apiml.security.forwardHeader.trustedProxies property. If the request is signed by the Zowe certificate, it is trusted even if the property is not set.

If the headers are received from an untrusted source, they are removed from the request and apiml creates new ones.

cherry-pick from v2: #4148 and #4188

In addition to the cherry-pick, gateway-service/src/main/java/org/zowe/apiml/gateway/config/ConnectionsConfig.java had to be refactored, and the HTTPS factory configuration was moved into the new gateway-service/src/main/java/org/zowe/apiml/gateway/config/HttpsFactoryConfig.java class. Some tests could not be initialized because of the change in bean initialization order. The original design used @PostConstruct to initialize the HTTPS configuration into a private field, which was not guaranteed to happen when mocking the class for tests. The HTTPS configuration is now injected as a bean instead. Besides that, the modification better respects the separation-of-concerns principle and prefers dependency injection over setting private fields via reflection.

Linked to # (issue)
Part of the # (epic)

Type of change

Please delete options that are not relevant.

  • fix: Bug fix (non-breaking change which fixes an issue)
  • feat: New feature (non-breaking change which adds functionality)
  • docs: Change in a documentation
  • refactor: Refactor the code
  • chore: Chore, repository cleanup, updates the dependencies.
  • BREAKING CHANGE or !: Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

  • My code follows the style guidelines of this project
  • PR title conforms to commit message guideline ## Commit Message Structure Guideline
  • I have commented my code, particularly in hard-to-understand areas. In JS I did provide JSDoc
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • The java tests in the area I was working on leverage @nested annotations
  • Any dependent changes have been merged and published in downstream modules

For more details about how the code should look, read the Contributing guideline
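As an added illustration of the policy the description above lays out, here is the trust decision and header handling written out as a small Python model. This is example code written for this page, not the API ML project's Java filters: the Request fields, the function names, the reading of apiml.security.forwardHeader.trustedProxies as a regular expression matched against the TCP peer address, and all addresses are assumptions or constructed sample data. It also goes one step beyond the description by showing how a downstream consumer should derive the client address from a trusted proxy's X-Forwarded-For chain (walking it from the right, skipping hops that are themselves trusted proxies) rather than taking the leftmost entry on faith.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Header family covered by the policy (the PR title's x-forwarded-*).
FORWARDED_PREFIX = "x-forwarded-"


@dataclass
class Request:
    """What the gateway knows for certain plus what the caller sent.
    Field names are assumptions for this example, not the project's types."""
    remote_addr: str                  # TCP peer address the connection was accepted from
    scheme: str                       # scheme of the gateway listener the request arrived on
    port: int                         # port of that listener
    headers: Dict[str, str] = field(default_factory=dict)  # single-valued for brevity
    zowe_cert_verified: bool = False  # True when the request is signed by the Zowe certificate


def is_trusted_proxy(req: Request, trusted_proxies: Optional[str]) -> bool:
    """Trust decision. A request signed by the Zowe certificate is trusted even
    when the pattern is unset; otherwise the *peer address* (never a header
    value, which the caller controls) must fully match the configured pattern.
    Assumption: apiml.security.forwardHeader.trustedProxies is a regular
    expression matched against that peer address."""
    if req.zowe_cert_verified:
        return True
    if not trusted_proxies:
        return False            # unset pattern: no address is a trusted proxy
    return re.fullmatch(trusted_proxies, req.remote_addr) is not None


def sanitize_forwarded_headers(req: Request, trusted_proxies: Optional[str]) -> Dict[str, str]:
    """Return the headers to send downstream, names lower-cased (HTTP header
    names are case-insensitive, so X-FORWARDED-FOR and x-forwarded-for must be
    treated as the same header or the filter can be bypassed by casing)."""
    headers = {name.lower(): value for name, value in req.headers.items()}
    if is_trusted_proxy(req, trusted_proxies):
        return headers          # trusted proxy: forward its X-Forwarded-* unchanged
    # Untrusted source: drop every X-Forwarded-* header it sent ...
    cleaned = {n: v for n, v in headers.items() if not n.startswith(FORWARDED_PREFIX)}
    # ... and create fresh ones from what the gateway itself observed.
    cleaned["x-forwarded-for"] = req.remote_addr
    cleaned["x-forwarded-proto"] = req.scheme
    cleaned["x-forwarded-port"] = str(req.port)
    if "host" in headers:
        cleaned["x-forwarded-host"] = headers["host"]
    return cleaned


def effective_client_address(req: Request, trusted_proxies: Optional[str]) -> str:
    """Client address to use for logging, rate limiting or IP-based policy.
    Only a trusted proxy's X-Forwarded-For is consulted, and the chain is
    walked from the right, skipping hops that are themselves trusted proxies,
    so a value the client prepended (e.g. 127.0.0.1) never becomes 'the client'."""
    if not is_trusted_proxy(req, trusted_proxies):
        return req.remote_addr
    xff = sanitize_forwarded_headers(req, trusted_proxies).get("x-forwarded-for", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return req.remote_addr
    if trusted_proxies:
        for hop in reversed(hops):
            if re.fullmatch(trusted_proxies, hop) is None:
                return hop
    # Every hop is one of our proxies, or trust came from the Zowe certificate
    # (pattern unset): the leftmost entry is the original client.
    return hops[0]


if __name__ == "__main__":
    pattern = r"10\.0\.0\.\d+"   # constructed: internal proxy subnet
    # Constructed sample: an Internet client tries to look like localhost.
    spoof = Request("203.0.113.7", "https", 7554,
                    {"Host": "gateway.example:7554",
                     "X-Forwarded-For": "127.0.0.1", "X-FORWARDED-PROTO": "http"})
    print(sanitize_forwarded_headers(spoof, pattern))        # rebuilt from the real peer
    print(effective_client_address(spoof, pattern))          # 203.0.113.7
    # Constructed sample: two internal proxies relayed the same spoof attempt.
    relayed = Request("10.0.0.5", "https", 7554,
                      {"X-Forwarded-For": "127.0.0.1, 198.51.100.9, 10.0.0.4"})
    print(effective_client_address(relayed, pattern))        # 198.51.100.9
```

The pattern is evaluated against the connection's peer, never against anything in the request, so an attacker can only become "trusted" by actually connecting from a matching address or presenting the Zowe certificate; conversely, an over-broad pattern such as `.*` reopens the spoof the fix closes. This model covers the X-Forwarded-* family the PR title names; a gateway that also honours the RFC 7239 Forwarded header would need to give it the same treatment.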

@github-actions github-actions bot added the Sensitive Sensitive change that requires peer review label Jun 17, 2025
@richard-salac richard-salac changed the base branch from v3.x.x to reboot/update/v3_java_only June 17, 2025 13:30
@richard-salac richard-salac changed the title Secure x-forwarded-* headers from untrusted proxies fix: Secure x-forwarded-* headers from untrusted proxies Jun 17, 2025
@richard-salac richard-salac changed the title fix: Secure x-forwarded-* headers from untrusted proxies DRAFT: fix: Secure x-forwarded-* headers from untrusted proxies Jun 17, 2025
@richard-salac richard-salac changed the base branch from reboot/update/v3_java_only to v3.x.x June 17, 2025 14:34
@EvaJavornicka EvaJavornicka moved this from New to In Progress in API Mediation Layer Backlog Management Jun 18, 2025
@richard-salac richard-salac force-pushed the reboot/trusted-proxies-v3 branch from 5978bd6 to 847c15f Compare July 8, 2025 13:57
@richard-salac richard-salac force-pushed the reboot/trusted-proxies-v3 branch 6 times, most recently from e6377d7 to d118c96 Compare July 14, 2025 12:31
@richard-salac richard-salac force-pushed the reboot/trusted-proxies-v3 branch from d118c96 to 9fcb475 Compare July 14, 2025 14:41
@richard-salac richard-salac changed the title DRAFT: fix: Secure x-forwarded-* headers from untrusted proxies fix: Secure x-forwarded-* headers from untrusted proxies Jul 15, 2025
richard-salac and others added 7 commits July 15, 2025 19:11
…roxyheaders/AdditionalRegistrationGatewayRegistry.java

Co-authored-by: Elena Kubantseva <[email protected]>
Signed-off-by: Richard Salač <[email protected]>
…xy/XForwardHeadersProxyTest.java

Co-authored-by: Elena Kubantseva <[email protected]>
Signed-off-by: Richard Salač <[email protected]>
…e/xForwardHeaders/MutateRemoteAddressFilter.java

Co-authored-by: Elena Kubantseva <[email protected]>
Signed-off-by: Richard Salač <[email protected]>
…xy/XForwardHeadersProxyTest.java

Co-authored-by: Elena Kubantseva <[email protected]>
Signed-off-by: Richard Salač <[email protected]>
Co-authored-by: Elena Kubantseva <[email protected]>
Signed-off-by: Richard Salač <[email protected]>
…roxyheaders/AdditionalRegistrationGatewayRegistryTest.java

Co-authored-by: Elena Kubantseva <[email protected]>
Signed-off-by: Richard Salač <[email protected]>
…roxyheaders/AdditionalRegistrationGatewayRegistryTest.java

Co-authored-by: Elena Kubantseva <[email protected]>
Signed-off-by: Richard Salač <[email protected]>
richard-salac and others added 8 commits July 15, 2025 19:21
…roxyheaders/AdditionalRegistrationGatewayRegistryTest.java

Co-authored-by: Elena Kubantseva <[email protected]>
Signed-off-by: Richard Salač <[email protected]>
…xy/XForwardHeadersProxyTest.java

Co-authored-by: Elena Kubantseva <[email protected]>
Signed-off-by: Richard Salač <[email protected]>
cr
Signed-off-by: Richard Salac <[email protected]>
Signed-off-by: Richard Salač <[email protected]>
Signed-off-by: Richard Salac <[email protected]>
Signed-off-by: Richard Salac <[email protected]>
@richard-salac richard-salac force-pushed the reboot/trusted-proxies-v3 branch 2 times, most recently from dee4354 to 6a9469b Compare July 18, 2025 12:47
Signed-off-by: Richard Salac <[email protected]>

refactor it

Signed-off-by: Richard Salac <[email protected]>
@richard-salac richard-salac force-pushed the reboot/trusted-proxies-v3 branch from a8a47c5 to 385ce08 Compare July 18, 2025 13:17
@arxioly (Contributor) left a comment:

Other than the order of the services in integration-tests.yml 🤓 LGTM

Signed-off-by: Richard Salac <[email protected]>
@richard-salac richard-salac force-pushed the reboot/trusted-proxies-v3 branch from 0e5fc37 to 8575d84 Compare July 18, 2025 15:15

@richard-salac richard-salac merged commit ff8c81d into v3.x.x Jul 18, 2025
103 of 105 checks passed
@richard-salac richard-salac deleted the reboot/trusted-proxies-v3 branch July 18, 2025 15:51
Labels: Sensitive (Sensitive change that requires peer review), size/XXL

2 participants