From eca2ef20d093421dc5729792b66d77e7a9c7ffc1 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Mon, 20 Dec 2021 22:21:53 +0100
Subject: [PATCH] outposts/proxy: add initial redirect-loop prevention

Signed-off-by: Jens Langhammer
---
 .../outpost/proxyv2/application/mode_forward.go | 14 ++++++++++++++
 internal/outpost/proxyv2/constants/constants.go | 1 +
 2 files changed, 15 insertions(+)

diff --git a/internal/outpost/proxyv2/application/mode_forward.go b/internal/outpost/proxyv2/application/mode_forward.go
index 889e115c2..e5772a192 100644
--- a/internal/outpost/proxyv2/application/mode_forward.go
+++ b/internal/outpost/proxyv2/application/mode_forward.go
@@ -54,10 +54,24 @@ func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Reque
 r.Header.Get("X-Forwarded-Host"),
 r.Header.Get("X-Forwarded-Uri"),
 )
+ if r.Header.Get("X-Forwarded-Uri") == "/akprox/start" {
+ a.log.Info("Detected potential redirect loop")
+ if val, ok := s.Values[constants.SessionLoopDetection]; !ok {
+ s.Values[constants.SessionLoopDetection] = 1
+ } else {
+ s.Values[constants.SessionLoopDetection] = val.(int) + 1
+ if val.(int) > 10 {
+ a.log.Error("Stopped redirect loop")
+ rw.WriteHeader(http.StatusBadRequest)
+ return
+ }
+ }
+ }
 err = s.Save(r, rw)
 if err != nil {
 a.log.WithError(err).Warning("failed to save session before redirect")
 }
+
 proto := r.Header.Get("X-Forwarded-Proto")
 if proto != "" {
 proto = proto + ":"
diff --git a/internal/outpost/proxyv2/constants/constants.go b/internal/outpost/proxyv2/constants/constants.go
index 3160f42bd..bb7d790da 100644
--- a/internal/outpost/proxyv2/constants/constants.go
+++ b/internal/outpost/proxyv2/constants/constants.go
@@ -6,3 +6,4 @@ const SessionOAuthState = "oauth_state"
 const SessionClaims = "claims"
 const SessionRedirect = "redirect"
+const SessionLoopDetection = "loop_detection"
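Review bot: The two unchecked `val.(int)` assertions in the new loop-detection branch of forwardHandleTraefik panic if the session store hands the counter back as anything other than `int` (the codec behind `s` is not visible here; a JSON-backed store would yield float64), and a panic in the handler aborts the request instead of producing the intended 400, so a comma-ok assertion that treats a missing or mismatched value as zero is the safer form. The counter is also never cleared: once the stored value exceeds 10 the handler returns before `s.Save`, so the persisted value stays above the threshold and every later `/akprox/start` for that session gets a 400 until the session expires, turning a loop guard into a sticky lockout; resetting `constants.SessionLoopDetection` when the auth flow completes (the callback path, outside this hunk) or bounding it by a time window would keep it per loop. Note the original compares the pre-increment value, so the stop triggers on the 12th hit rather than the 11th; the rewrite below counts the current request. forwardHandleTraefik starts and ends outside the hunk, and the constants.go hunk only adds the new key.
```go
	if r.Header.Get("X-Forwarded-Uri") == "/akprox/start" {
		a.log.Info("Detected potential redirect loop")
		// comma-ok: a missing or non-int session value counts as zero instead of panicking
		count, _ := s.Values[constants.SessionLoopDetection].(int)
		count++
		s.Values[constants.SessionLoopDetection] = count
		if count > 10 {
			a.log.Error("Stopped redirect loop")
			rw.WriteHeader(http.StatusBadRequest)
			return
		}
	}
	// … unchanged: s.Save and redirect target construction …
```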