fix: Secure x-forwarded-* headers from untrusted proxies but trust all apiml proxies (v2) #4188

Merged
merged 14 commits into from
Jul 11, 2025

@richard-salac richard-salac commented Jun 27, 2025

Description

This is a follow-up to issue #4148. In that issue, a new configuration option was added to define a pattern for validating whether requests with x-forwarded-* headers originate from trusted proxy servers. These headers are only processed if the source is deemed trustworthy and the headers are considered safe.

While this security issue was addressed, the new configuration option must now also be set for APIML gateways to ensure that x-forwarded-* headers are trusted. This configuration is only necessary in scenarios where requests traverse multiple gateways — a common pattern in hybrid deployments such as multi-sysplex environments or setups involving both z/OS and Kubernetes. In such cases, multiple APIML domain installations are interconnected through central gateways. Although such deployments are relatively rare, they are typically more complex — and we want to avoid introducing additional complexity.

To support this, APIML domains can be onboarded to the central gateway through additional gw registrations (and vice versa). We utilize these registrations to fetch APIML gateway information from remote discovery services. Based on this data, we dynamically update the list of trusted proxies so that APIML proxies are consistently treated as trusted.

Non-APIML gateways still must be configured to be trusted.

Linked to # (4148)
Part of the # (epic)

Type of change

Please delete options that are not relevant.

  • fix: Bug fix (non-breaking change which fixes an issue)
  • feat: New feature (non-breaking change which adds functionality)
  • docs: Change in a documentation
  • refactor: Refactor the code
  • chore: Chore, repository cleanup, updates the dependencies.
  • BREAKING CHANGE or !: Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

  • My code follows the style guidelines of this project
  • PR title conforms to commit message guideline ## Commit Message Structure Guideline
  • I have commented my code, particularly in hard-to-understand areas. In JS I did provide JSDoc
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • The java tests in the area I was working on leverage @nested annotations
  • Any dependent changes have been merged and published in downstream modules

For more details about how the code should look, read the Contributing guideline
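An added illustration of the mechanism this description outlines, not code from the API ML repository: the direct peer is trusted if it matches a statically configured pattern or belongs to a set of gateway addresses refreshed from discovery, and x-forwarded-* headers are dropped otherwise. The class and method names, the sample pattern and the addresses are constructed, and matching on the peer's IP address is an assumption.

```java
import java.util.*;
import java.util.concurrent.atomic.AtomicReference;
import java.util.regex.Pattern;

// Hypothetical illustration; names are not taken from the API ML code base.
public class ForwardedHeaderGuard {
    // Statically configured pattern for non-APIML proxies (constructed sample value below).
    private final Pattern configuredProxies;
    // Addresses of APIML gateways learned from discovery; swapped atomically on refresh.
    private final AtomicReference<Set<String>> discoveredGateways = new AtomicReference<>(Set.of());

    public ForwardedHeaderGuard(String trustedPattern) {
        this.configuredProxies = Pattern.compile(trustedPattern);
    }

    // Called after each fetch of gateway registrations. The whole set is replaced,
    // so a deregistered gateway loses trust on the next refresh.
    public void refreshGateways(Collection<String> addresses) {
        discoveredGateways.set(Set.copyOf(addresses));
    }

    public boolean isTrusted(String remoteAddress) {
        return configuredProxies.matcher(remoteAddress).matches()
            || discoveredGateways.get().contains(remoteAddress);
    }

    // Returns the headers to pass on: x-forwarded-* survive only when the direct peer is trusted.
    public Map<String, String> filter(String remoteAddress, Map<String, String> headers) {
        if (isTrusted(remoteAddress)) return headers;
        Map<String, String> kept = new LinkedHashMap<>();
        headers.forEach((name, value) -> {
            if (!name.toLowerCase(Locale.ROOT).startsWith("x-forwarded-")) kept.put(name, value);
        });
        return kept;
    }

    public static void main(String[] args) {
        ForwardedHeaderGuard guard = new ForwardedHeaderGuard("10\\.0\\.0\\.\\d{1,3}");
        Map<String, String> headers = Map.of("X-Forwarded-For", "203.0.113.7", "Accept", "*/*");
        System.out.println(guard.filter("192.0.2.10", headers));  // peer not yet known as a gateway
        guard.refreshGateways(List.of("192.0.2.10"));              // gateway appears in discovery data
        System.out.println(guard.filter("192.0.2.10", headers));
        guard.refreshGateways(List.of());                          // gateway deregistered
        System.out.println(guard.filter("192.0.2.10", headers).containsKey("X-Forwarded-For"));
    }
}
```

The trust decision is made on the address of the directly connected peer, never on a value carried in the forwarded headers themselves.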

pj892031 and others added 5 commits June 18, 2025 15:57
Signed-off-by: Pavel Jareš <[email protected]>
Signed-off-by: Richard Salac <[email protected]>
Signed-off-by: Richard Salac <[email protected]>
Signed-off-by: Richard Salac <[email protected]>
Signed-off-by: Richard Salac <[email protected]>
Signed-off-by: Richard Salac <[email protected]>
@richard-salac richard-salac force-pushed the reboot/fetching-trusted-ip-address branch 11 times, most recently from 35a21ce to 25754b4 Compare June 29, 2025 14:21
Signed-off-by: Richard Salac <[email protected]>
@richard-salac richard-salac force-pushed the reboot/fetching-trusted-ip-address branch 2 times, most recently from b4341a2 to 792751d Compare June 29, 2025 15:03
@Value("${test.proxyAddress}")
public String proxyAddress;
public AtomicReference<String> proxyAddressReference;
private String originalProxyAddressProperty;

Could it be final?

Suggested change
private String originalProxyAddressProperty;
private final String originalProxyAddressProperty;

done

@richard-salac richard-salac force-pushed the reboot/fetching-trusted-ip-address branch 3 times, most recently from af55fdf to 9479cbe Compare July 1, 2025 15:16
@richard-salac richard-salac force-pushed the reboot/fetching-trusted-ip-address branch 3 times, most recently from 28e92fd to 8a9c225 Compare July 2, 2025 09:40
@balhar-jakub balhar-jakub moved this from New to In Progress in API Mediation Layer Backlog Management Jul 2, 2025
@richard-salac richard-salac force-pushed the reboot/fetching-trusted-ip-address branch from 8a9c225 to 16010f2 Compare July 2, 2025 13:34
@richard-salac richard-salac force-pushed the reboot/fetching-trusted-ip-address branch 4 times, most recently from c52ab9a to 05945b9 Compare July 2, 2025 14:43
@richard-salac richard-salac force-pushed the reboot/fetching-trusted-ip-address branch from 05945b9 to 2b052c4 Compare July 2, 2025 15:41
Signed-off-by: Richard Salac <[email protected]>
@richard-salac richard-salac force-pushed the reboot/fetching-trusted-ip-address branch from d371b5a to c280c02 Compare July 2, 2025 17:37
@richard-salac richard-salac changed the title DRAFT: fix: Secure x-forwarded-* headers from untrusted proxies but trust all apiml proxies (v2) fix: Secure x-forwarded-* headers from untrusted proxies but trust all apiml proxies (v2) Jul 2, 2025
@richard-salac richard-salac force-pushed the reboot/fetching-trusted-ip-address branch from 8dae36a to c0799b1 Compare July 9, 2025 08:41
@arxioly arxioly left a comment

LGTM. Thanks!

@richard-salac richard-salac force-pushed the reboot/fetching-trusted-ip-address branch from 09f4f6a to dba7ae3 Compare July 10, 2025 07:32
@richard-salac richard-salac merged commit d9dfd17 into v2.x.x Jul 11, 2025
83 checks passed
@richard-salac richard-salac deleted the reboot/fetching-trusted-ip-address branch July 11, 2025 10:32
3 participants