Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: disallow multiple auth headers #3607

Merged
merged 1 commit into from
Nov 14, 2023
Merged

fix: disallow multiple auth headers #3607

merged 1 commit into from
Nov 14, 2023

Conversation

paullatzelsperger
Copy link
Member

@paullatzelsperger paullatzelsperger commented Nov 14, 2023
edited
Loading

What this PR changes/adds

This PR disallows the use of multiple x-api-key headers to avoid Header Duplication Exploitation.

Why it does that

I honestly don't know why issuing 100 billion requests is harder than 1 billion requests with 100 headers each, but a
security report has been filed.

Further notes

.

Linked Issue(s)

Closes https://github.com/eclipse-tractusx/tractusx-edc/security/advisories/GHSA-wqpq-r4w2-5q5x

Please be sure to take a look at the contributing guidelines and our etiquette for pull requests.

@paullatzelsperger paullatzelsperger added this to the Milestone 12 milestone Nov 14, 2023
@paullatzelsperger paullatzelsperger added api Feature related to the (REST) api bug Something isn't working labels Nov 14, 2023
@codecov-commenter
Copy link

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (a62205b) 72.10% compared to head (afedeed) 72.06%.
Report is 2 commits behind head on main.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3607      +/-   ##
==========================================
- Coverage   72.10%   72.06%   -0.04%     
==========================================
  Files         897      898       +1     
  Lines       17919    17973      +54     
  Branches     1018     1022       +4     
==========================================
+ Hits        12920    12952      +32     
- Misses       4562     4580      +18     
- Partials      437      441       +4

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@paullatzelsperger paullatzelsperger merged commit c27c299 into eclipse-edc:main Nov 14, 2023
23 of 24 checks passed
tuncaytunc-zf pushed a commit to tuncaytunc-zf/DataSpaceConnector that referenced this pull request Nov 15, 2023
@paullatzelsperger
fix: disallow multiple auth headers (eclipse-edc#3607)
80cf950
@wolf4ood wolf4ood mentioned this pull request Feb 14, 2024
Merged
@augustocmleal augustocmleal mentioned this pull request Mar 28, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jimmarino jimmarino jimmarino approved these changes

@wolf4ood wolf4ood wolf4ood approved these changes

Assignees
No one assigned
Labels
api Feature related to the (REST) api bug Something isn't working
Projects
None yet
Milestone
Milestone 12
Development

Successfully merging this pull request may close these issues.
4 participants
@paullatzelsperger @codecov-commenter @wolf4ood @jimmarino