fix: Secure x-forwarded-* headers from untrusted proxies #4171
Merged
Force-pushed from 5978bd6 to 847c15f
Force-pushed from e6377d7 to d118c96
Signed-off-by: Richard Salac <[email protected]>
Force-pushed from d118c96 to 9fcb475
arxioly reviewed on Jul 15, 2025 and left comments on:
gateway-service/src/main/java/org/zowe/apiml/gateway/config/ConnectionsConfig.java
.../java/org/zowe/apiml/gateway/filters/proxyheaders/AdditionalRegistrationGatewayRegistry.java
.../java/org/zowe/apiml/gateway/filters/proxyheaders/X509AndGwAwareXForwardedHeadersFilter.java
...c/test/java/org/zowe/apiml/gateway/acceptance/xForwardHeaders/MutateRemoteAddressFilter.java
integration-tests/src/test/java/org/zowe/apiml/integration/proxy/XForwardHeadersProxyTest.java (four comments)
integration-tests/src/test/java/org/zowe/apiml/util/config/ConfigReader.java
…roxyheaders/AdditionalRegistrationGatewayRegistry.java Co-authored-by: Elena Kubantseva <[email protected]> Signed-off-by: Richard Salač <[email protected]>
…xy/XForwardHeadersProxyTest.java Co-authored-by: Elena Kubantseva <[email protected]> Signed-off-by: Richard Salač <[email protected]>
…e/xForwardHeaders/MutateRemoteAddressFilter.java Co-authored-by: Elena Kubantseva <[email protected]> Signed-off-by: Richard Salač <[email protected]>
…xy/XForwardHeadersProxyTest.java Co-authored-by: Elena Kubantseva <[email protected]> Signed-off-by: Richard Salač <[email protected]>
Co-authored-by: Elena Kubantseva <[email protected]> Signed-off-by: Richard Salač <[email protected]>
…roxyheaders/AdditionalRegistrationGatewayRegistryTest.java Co-authored-by: Elena Kubantseva <[email protected]> Signed-off-by: Richard Salač <[email protected]>
…roxyheaders/AdditionalRegistrationGatewayRegistryTest.java Co-authored-by: Elena Kubantseva <[email protected]> Signed-off-by: Richard Salač <[email protected]>
…roxyheaders/AdditionalRegistrationGatewayRegistryTest.java Co-authored-by: Elena Kubantseva <[email protected]> Signed-off-by: Richard Salač <[email protected]>
…xy/XForwardHeadersProxyTest.java Co-authored-by: Elena Kubantseva <[email protected]> Signed-off-by: Richard Salač <[email protected]>
Signed-off-by: Richard Salac <[email protected]> Signed-off-by: Richard Salač <[email protected]>
Signed-off-by: Richard Salac <[email protected]>
Signed-off-by: Richard Salac <[email protected]>
Signed-off-by: Richard Salac <[email protected]>
Force-pushed from dee4354 to 6a9469b
Signed-off-by: Richard Salac <[email protected]> refactor it Signed-off-by: Richard Salac <[email protected]>
Force-pushed from a8a47c5 to 385ce08
richard-salac commented on Jul 18, 2025 on gateway-service/src/main/java/org/zowe/apiml/gateway/config/HttpsFactoryConfig.java
arxioly approved these changes on Jul 18, 2025:
Other than order of the services in integration-tests.yml
🤓 LGTM
Signed-off-by: Richard Salac <[email protected]>
Force-pushed from 0e5fc37 to 8575d84
Description
Enable forwarding of X-Forwarded-* headers from trusted proxies only; mitigates CVE-2025-41235. The pattern to identify trusted proxies can be set via the apiml.security.forwardHeader.trustedProxies property. If the request is signed by the Zowe certificate, it is trusted even if the property is not set. If the headers are received from an untrusted source, they are removed from the request and apiml creates new ones.
cherry-pick from v2: #4148 and #4188
In addition to the cherry-pick, gateway-service/src/main/java/org/zowe/apiml/gateway/config/ConnectionsConfig.java had to be refactored and the https factory configuration was moved into the new gateway-service/src/main/java/org/zowe/apiml/gateway/config/HttpsFactoryConfig.java class. Some tests could not be initialized because of the change in bean initialization order. The original design used @PostConstruct to initialize the https configuration into a private field, which was not guaranteed to happen when mocking the class for tests. The https configuration is now injected as a bean instead. Besides that, the modification better respects the separation of concerns principle and prefers dependency injection over setting private fields via reflection.
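The trust decision the description outlines, as an added illustration that is not code from the Zowe API ML project or this pull request. It models the policy in Python rather than as a Spring Cloud Gateway filter, and it assumes (these are assumptions, not facts from the page) that the trustedProxies property holds a regular expression matched in full against the TCP peer address, that a trusted hop's chain is kept and the peer address appended to X-Forwarded-For, and that an untrusted hop's headers are rebuilt from the scheme, host and peer address the gateway observed on the connection itself. The Request class, the ForwardedHeadersPolicy class and all addresses are constructed for the example.

```python
"""Model of an X-Forwarded-* trusted-proxy policy.

Added example, not the project's filter. Assumes a regex matched in full
against the peer address, and the regenerate-from-connection behaviour
described in the lead-in; both are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

FORWARDED_PREFIX = "x-forwarded-"


@dataclass
class Request:
    remote_addr: str                    # address of the immediate peer at the TCP layer, never a header
    headers: Dict[str, str] = field(default_factory=dict)
    scheme: str = "https"               # scheme of the connection the gateway actually accepted
    host: str = "gateway.example.internal:10010"   # constructed host for the example
    client_cert_trusted: bool = False   # peer authenticated with a certificate issued by the Zowe CA


class ForwardedHeadersPolicy:
    """Decide, per request, whether incoming X-Forwarded-* headers may be believed."""

    def __init__(self, trusted_proxies: Optional[str]):
        # Property unset: no address is trusted by pattern; only a Zowe-signed peer is.
        self._pattern = re.compile(trusted_proxies) if trusted_proxies else None

    def is_trusted_proxy(self, req: Request) -> bool:
        if req.client_cert_trusted:
            return True
        if self._pattern is None:
            return False
        # fullmatch, so a pattern for 10.0.0.5 does not also accept 10.0.0.50
        return self._pattern.fullmatch(req.remote_addr) is not None

    def apply(self, req: Request) -> Dict[str, str]:
        headers = {k.lower(): v for k, v in req.headers.items()}
        if self.is_trusted_proxy(req):
            # Trusted hop: keep the chain it built and append this hop's peer address,
            # filling in proto/host only where the proxy did not send them.
            chain = headers.get("x-forwarded-for")
            headers["x-forwarded-for"] = f"{chain}, {req.remote_addr}" if chain else req.remote_addr
            headers.setdefault("x-forwarded-proto", req.scheme)
            headers.setdefault("x-forwarded-host", req.host)
            return headers
        # Untrusted hop: every X-Forwarded-* value is attacker-controlled. Drop them all
        # (including ones we cannot rebuild, such as X-Forwarded-Prefix) and recreate
        # the three the gateway can vouch for from the connection it accepted.
        cleaned = {k: v for k, v in headers.items() if not k.startswith(FORWARDED_PREFIX)}
        cleaned["x-forwarded-for"] = req.remote_addr
        cleaned["x-forwarded-proto"] = req.scheme
        cleaned["x-forwarded-host"] = req.host
        return cleaned


def client_address(forwarded_headers: Dict[str, str]) -> str:
    """First entry of the X-Forwarded-For chain; only meaningful after apply() ran."""
    return forwarded_headers["x-forwarded-for"].split(",")[0].strip()


if __name__ == "__main__":
    policy = ForwardedHeadersPolicy(r"10\.0\.0\.\d{1,3}")
    # A direct caller from the internet claiming to be localhost over plain http.
    spoof = Request("198.51.100.9", {"X-Forwarded-For": "127.0.0.1", "X-Forwarded-Proto": "http"})
    print("untrusted:", policy.apply(spoof))
    # The same headers arriving through a proxy inside the trusted range.
    legit = Request("10.0.0.5", {"X-Forwarded-For": "203.0.113.7", "X-Forwarded-Proto": "http"})
    print("trusted:  ", policy.apply(legit))
```

The check keys on the peer address and the client certificate, never on a header, because headers are exactly what an untrusted caller controls; with the property unset, only a Zowe-signed peer gets through the trusted branch.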