Strip admin session cookie from being sent to API backends.

This could present a security risk if you're proxying to untrusted APIs
and admins accessed those APIs in their browser after logging into the
API Umbrella admin.

src/api-umbrella/proxy/middleware/rewrite_request.lua

@@ -133,12 +133,15 @@ local function set_http_basic_auth(settings)
   end
 end
 
-local function strip_cookies()
+local function strip_cookies(api)
   local cookie_header = ngx.var.http_cookie
   if not cookie_header then return end
 
-  local strips = config["strip_cookies"]
-  if not strips then return end
+  local strips = config["strip_cookies"] or {}
+  if api["_id"] ~= "api-umbrella-web-backend" then
+    table.insert(strips, "^_api_umbrella_session$")
+  end
+  if #strips == 0 then return end
 
   local cookies = split(cookie_header, "; *")
   local kept_cookies = {}
@@ -266,6 +269,6 @@ return function(user, api, settings)
   append_query_string(settings)
   set_headers(settings)
   set_http_basic_auth(settings)
-  strip_cookies()
+  strip_cookies(api)
   url_rewrites(api)
 end

test/proxy/request_rewriting/test_cookie_stripping.rb

@@ -63,4 +63,15 @@ def test_leaves_cookie_alone_without_analytics
     data = MultiJson.load(response.body)
     assert_equal("foo=bar; moo=boo", data["headers"]["cookie"])
   end
+
+  def test_strips_admin_session_cookie
+    response = Typhoeus.get("http://127.0.0.1:9080/api/info/", http_options.deep_merge({
+      :headers => {
+        "Cookie" => "foo1=bar1; _api_umbrella_session=foo; foo2=bar2",
+      },
+    }))
+    assert_response_code(200, response)
+    data = MultiJson.load(response.body)
+    assert_equal("foo1=bar1; foo2=bar2", data["headers"]["cookie"])
+  end
 end