Merge pull request #1663 from 18F/margolis-correct-host

Filter headers via Middleware
18F · Sep 8, 2017 · 073261f · 073261f
2 parents e973ca9 + ea4f619
commit 073261f
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 0 deletions.
diff --git a/Gemfile b/Gemfile
@@ -31,6 +31,7 @@ gem 'phony_rails'
 gem 'premailer-rails'
 gem 'proofer', github: '18F/identity-proofer-gem', branch: 'master'
 gem 'rack-cors', require: 'rack/cors'
+gem 'rack-headers_filter'
 gem 'rack-timeout'
 gem 'readthis'
 gem 'redis-session-store', github: '18F/redis-session-store', branch: 'master'

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -415,6 +415,7 @@ GEM
     rack-attack (5.0.1)
       rack
     rack-cors (0.4.1)
+    rack-headers_filter (0.0.1)
     rack-mini-profiler (0.10.5)
       rack (>= 1.2.0)
     rack-protection (2.0.0)
@@ -714,6 +715,7 @@ DEPENDENCIES
   proofer!
   pry-byebug
   rack-cors
+  rack-headers_filter
   rack-mini-profiler
   rack-test
   rack-timeout

diff --git a/config/application.rb b/config/application.rb
@@ -33,6 +33,8 @@ class Application < Rails::Application
       event.payload.except(:params, :headers)
     end
 
+    config.middleware.insert_before 0, Rack::HeadersFilter
+
     config.middleware.insert_before 0, Rack::Cors do
       allow do
         origins '*'

diff --git a/spec/requests/headers_spec.rb b/spec/requests/headers_spec.rb
@@ -0,0 +1,9 @@
+require 'rails_helper'
+
+RSpec.describe 'Headers' do
+  it 'does not reflect header host values' do
+    get root_path, headers: { 'X-Forwarded-Host' => 'evil.com' }
+
+    expect(response.body).to_not include('evil.com')
+  end
+end