From 89371149585c1c94d1420bd8ce190a6fcdadb59b Mon Sep 17 00:00:00 2001
From: Nick Muerdter
Date: Sun, 23 Apr 2017 14:26:21 -0600
Subject: [PATCH] Strip admin session cookie from being sent to API backends.

This could present a security risk if you're proxying to untrusted APIs and admins accessed those APIs in their browser after logging into the API Umbrella admin.
---
 src/api-umbrella/proxy/middleware/rewrite_request.lua | 11 +++++++----
 test/proxy/request_rewriting/test_cookie_stripping.rb | 11 +++++++++++
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/src/api-umbrella/proxy/middleware/rewrite_request.lua b/src/api-umbrella/proxy/middleware/rewrite_request.lua
index ce0dad5c1..b652a61c8 100644
--- a/src/api-umbrella/proxy/middleware/rewrite_request.lua
+++ b/src/api-umbrella/proxy/middleware/rewrite_request.lua
@@ -133,12 +133,15 @@ local function set_http_basic_auth(settings)
   end
 end
 
-local function strip_cookies()
+local function strip_cookies(api)
   local cookie_header = ngx.var.http_cookie
   if not cookie_header then return end
 
-  local strips = config["strip_cookies"]
-  if not strips then return end
+  local strips = config["strip_cookies"] or {}
+  if api["_id"] ~= "api-umbrella-web-backend" then
+    table.insert(strips, "^_api_umbrella_session$")
+  end
+  if #strips == 0 then return end
 
   local cookies = split(cookie_header, "; *")
   local kept_cookies = {}
@@ -266,6 +269,6 @@ return function(user, api, settings)
   append_query_string(settings)
   set_headers(settings)
   set_http_basic_auth(settings)
-  strip_cookies()
+  strip_cookies(api)
   url_rewrites(api)
 end
diff --git a/test/proxy/request_rewriting/test_cookie_stripping.rb b/test/proxy/request_rewriting/test_cookie_stripping.rb
index c1b9156a8..28abe3489 100644
--- a/test/proxy/request_rewriting/test_cookie_stripping.rb
+++ b/test/proxy/request_rewriting/test_cookie_stripping.rb
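Review bot: `table.insert(strips, "^_api_umbrella_session$")` appends to the very table returned by `config["strip_cookies"]`, so whenever that option is configured the session pattern is pushed onto the shared list on every request to a non-web-backend API and the list grows for the life of the worker (the `or {}` only yields a fresh table when nothing is configured). Beyond the slow memory and per-request CPU growth on a hot path, this also defeats the exemption the hunk introduces: once any other API has been proxied, the pattern sits permanently in the configured list, and a later request routed to `api-umbrella-web-backend` will have the admin's own session cookie stripped. This assumes `config` is the worker-wide configuration table, as its use as a free module-level name here suggests. Copy the configured patterns before appending, e.g. `local strips = { unpack(config["strip_cookies"] or {}) }`, or build a new table with a short `ipairs` loop. The body of strip_cookies continues past the end of the hunk.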
@@ -63,4 +63,15 @@ def test_leaves_cookie_alone_without_analytics
     data = MultiJson.load(response.body)
     assert_equal("foo=bar; moo=boo", data["headers"]["cookie"])
   end
+
+  def test_strips_admin_session_cookie
+    response = Typhoeus.get("http://127.0.0.1:9080/api/info/", http_options.deep_merge({
+      :headers => {
+        "Cookie" => "foo1=bar1; _api_umbrella_session=foo; foo2=bar2",
+      },
+    }))
+    assert_response_code(200, response)
+    data = MultiJson.load(response.body)
+    assert_equal("foo1=bar1; foo2=bar2", data["headers"]["cookie"])
+  end
 end
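Review bot: `test_strips_admin_session_cookie` only exercises the stripping path on a generic `/api/info/` route; nothing asserts that `_api_umbrella_session` is preserved when the request is routed to the `api-umbrella-web-backend` API, which is the one exemption the Lua change special-cases and the case most likely to regress silently. If the suite has a fixture that proxies to that backend, add a companion test sending the same `Cookie` header there and asserting the session cookie survives in `data["headers"]["cookie"]`. It would also be worth running the stripping request twice in one test so that any state carried between requests shows up. The `def` of `test_leaves_cookie_alone_without_analytics` begins before the hunk.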