mesosphere / traefik-forward-auth


Use X-Replaced-Path header if present #37

Closed branden closed 3 years ago

branden commented 3 years ago

Adapted from https://github.com/thomseddon/traefik-forward-auth/pull/49.

This causes Traefik Forward Auth to use the value of the X-Replaced-Path header as the request path when evaluating whether a request is allowed. Traefik sets this header when it alters a request path using ReplacePathRegex (see https://doc.traefik.io/traefik/v2.0/middlewares/replacepathregex/). Without this change, Traefik Forward Auth will use the rewritten request path. If rules are defined with the expectation that they apply to requests before they are rewritten, this can lead to unexpected authorization errors.

https://jira.d2iq.com/browse/D2IQ-71985

branden commented 3 years ago

This PR creates a security problem, because Traefik will copy an incoming request's X-Replaced-Path header to the forwarded request. This means a user could forge such a header in order to trick Traefik Forward Auth into allowing a request that it should not. I'll leave this PR as a draft until this is fixed in Traefik.
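To make the two behaviours discussed in the comments above concrete (rules silently failing to match a rewritten path, and a client-forged X-Replaced-Path being copied through by the proxy), the following is an added, self-contained Go simulation. It is not code from traefik-forward-auth or from Traefik: the prefix rule type, the `/` to `/backend/` rewrite, and `rewriteEdge` as a stand-in for the proxy's ReplacePathRegex step are assumptions made here for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// replacedPathHeader is the header Traefik sets when ReplacePathRegex rewrites a path.
const replacedPathHeader = "X-Replaced-Path"

// Rule is a hypothetical prefix rule (illustration only; not traefik-forward-auth's rule syntax).
type Rule struct {
	Prefix string
	Allow  bool
}

// defaultRules are written against the paths clients request, i.e. before the rewrite.
var defaultRules = []Rule{
	{Prefix: "/public", Allow: true},
	{Prefix: "/admin", Allow: false},
}

// effectivePath returns the path the rules are evaluated against. With honourHeader
// set it prefers X-Replaced-Path, as the PR proposed; otherwise it uses the path as
// received, which after a rewrite is the rewritten one.
func effectivePath(r *http.Request, honourHeader bool) string {
	if honourHeader {
		if p := r.Header.Get(replacedPathHeader); p != "" {
			return p
		}
	}
	return r.URL.Path
}

// allowed applies the first matching prefix rule to the effective path; default deny.
func allowed(rules []Rule, r *http.Request, honourHeader bool) bool {
	path := effectivePath(r, honourHeader)
	for _, rule := range rules {
		if strings.HasPrefix(path, rule.Prefix) {
			return rule.Allow
		}
	}
	return false
}

// rewriteEdge is a stand-in for the proxy's ReplacePathRegex step (an assumption, not
// Traefik's code): it rewrites paths under `from` to live under `to` and records the
// pre-rewrite path in X-Replaced-Path. With stripClientHeader=false a header the
// client already sent is copied through untouched, which is the flaw described in
// the thread; with stripClientHeader=true the edge discards it and sets its own value.
func rewriteEdge(r *http.Request, from, to string, stripClientHeader bool) *http.Request {
	fwd := r.Clone(r.Context())
	if stripClientHeader {
		fwd.Header.Del(replacedPathHeader)
	}
	if strings.HasPrefix(fwd.URL.Path, from) {
		if fwd.Header.Get(replacedPathHeader) == "" {
			fwd.Header.Set(replacedPathHeader, fwd.URL.Path)
		}
		fwd.URL.Path = to + strings.TrimPrefix(fwd.URL.Path, from)
	}
	return fwd
}

// simulate builds a client request (optionally carrying a forged X-Replaced-Path),
// passes it through the edge rewrite "/" -> "/backend/", and returns the auth decision.
func simulate(clientPath, forgedReplacedPath string, honourHeader, stripClientHeader bool) bool {
	req, err := http.NewRequest(http.MethodGet, "http://example.test"+clientPath, nil)
	if err != nil {
		panic(err)
	}
	if forgedReplacedPath != "" {
		req.Header.Set(replacedPathHeader, forgedReplacedPath)
	}
	fwd := rewriteEdge(req, "/", "/backend/", stripClientHeader)
	return allowed(defaultRules, fwd, honourHeader)
}

func main() {
	cases := []struct {
		name                string
		path, forged        string
		honour, stripAtEdge bool
	}{
		{"legit /public, rules on rewritten path", "/public/doc", "", false, false},
		{"legit /public, rules on X-Replaced-Path", "/public/doc", "", true, false},
		{"forged header, edge copies it through", "/admin", "/public/x", true, false},
		{"forged header, edge strips and resets it", "/admin", "/public/x", true, true},
	}
	for _, c := range cases {
		fmt.Printf("%-45s allowed=%v\n", c.name, simulate(c.path, c.forged, c.honour, c.stripAtEdge))
	}
}
```

The first two cases reproduce the motivation for the PR: a rule written for `/public` never matches the rewritten `/backend/public/doc`, and honouring X-Replaced-Path repairs that. The last two cases show why the PR was parked: once the auth service trusts the header, it has no way to tell a proxy-set value from a client-supplied one, so the only place the forgery can be stopped is at the edge, which must overwrite rather than copy the incoming header before forwarding.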

branden commented 3 years ago

I'm going to close this, since the original motivation is now resolved. See https://jira.d2iq.com/browse/D2IQ-71985