fix: do not modify original headers

ory · Jul 19, 2021 · 1f6c430 · 1f6c430
1 parent 390abe3
commit 1f6c430
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 3 deletions.
diff --git a/pipeline/authn/authenticator_bearer_token_test.go b/pipeline/authn/authenticator_bearer_token_test.go
@@ -7,6 +7,7 @@ import (
 	"io/ioutil"
 	"net/http"
 	"net/url"
+	"reflect"
 	"testing"
 
 	"github.com/tidwall/sjson"
@@ -204,7 +205,6 @@ func TestAuthenticatorBearerToken(t *testing.T) {
 			},
 		} {
 			t.Run(fmt.Sprintf("case=%d/description=%s", k, tc.d), func(t *testing.T) {
-
 				var ts *httptest.Server
 				if tc.router != nil {
 					ts = httptest.NewServer(http.HandlerFunc(tc.router))
@@ -219,6 +219,11 @@ func TestAuthenticatorBearerToken(t *testing.T) {
 
 				tc.config, _ = sjson.SetBytes(tc.config, "check_session_url", ts.URL)
 				sess := new(AuthenticationSession)
+				originalHeaders := http.Header{}
+				for k, v := range tc.r.Header {
+					originalHeaders[k] = v
+				}
+
 				err := pipelineAuthenticator.Authenticate(tc.r, sess, tc.config, nil)
 				if tc.expectErr {
 					require.Error(t, err)
@@ -229,6 +234,8 @@ func TestAuthenticatorBearerToken(t *testing.T) {
 					require.NoError(t, err)
 				}
 
+				require.True(t, reflect.DeepEqual(tc.r.Header, originalHeaders))
+
 				if tc.expectSess != nil {
 					assert.Equal(t, tc.expectSess, sess)
 				}

diff --git a/pipeline/authn/authenticator_cookie_session.go b/pipeline/authn/authenticator_cookie_session.go
@@ -140,7 +140,12 @@ func forwardRequestToSessionStore(r *http.Request, checkSessionURL string, prese
 	req := http.Request{
 		Method: r.Method,
 		URL:    reqUrl,
-		Header: r.Header,
+		Header: http.Header{},
+	}
+
+	// We need to make a COPY of the header, not modify r.Header!
+	for k, v := range r.Header {
+		req.Header[k] = v
 	}
 
 	for k, v := range setHeaders {

diff --git a/pipeline/authn/authenticator_cookie_session_test.go b/pipeline/authn/authenticator_cookie_session_test.go
@@ -105,6 +105,7 @@ func TestAuthenticatorCookieSession(t *testing.T) {
 			r := requestRecorder.requests[0]
 			assert.Equal(t, r.Method, "PUT")
 			assert.Equal(t, expectedHost, r.Header.Get("X-Forwarded-Host"))
+			assert.Empty(t, req.Header.Get("X-Forwarded-Host"), "The original header must NOT be modified")
 			assert.Equal(t, r.Header.Get("Cookie"), "sessionid=zyx")
 			assert.Equal(t, &AuthenticationSession{Subject: "123"}, session)
 		})
@@ -125,7 +126,9 @@ func TestAuthenticatorCookieSession(t *testing.T) {
 			r := requestRecorder.requests[0]
 			assert.Equal(t, r.Method, "PUT")
 			assert.Equal(t, expectedHost, r.Header.Get("X-Forwarded-Host"))
-			assert.Equal(t, "bar", r.Header.Get("X-Foo"), "%+v", r.Header)
+			assert.Equal(t, "bar", r.Header.Get("X-Foo"))
+			assert.Empty(t, req.Header.Get("X-Forwarded-Host"), "The original header must NOT be modified")
+			assert.Empty(t, req.Header.Get("X-Foo"), "The original header must NOT be modified")
 			assert.Equal(t, r.Header.Get("Cookie"), "sessionid=zyx")
 			assert.Equal(t, &AuthenticationSession{Subject: "123"}, session)
 		})