fix(cloud-function): strip X-Forwarded-Host + Forwarded headers (#8894)

`http-proxy` with `xfwd: true` only sets x-forwarded-{for,port,proto}, so the `X-Forwarded-Host` header stays in place, causing side-effects. To be on the safe side, we also remove the `Forwarded` header, because it may contain `host` directive, even though we don't currently use it. Co-authored-by: Leo McArdle <[email protected]>
mdn · May 19, 2023 · 74bab35 · 74bab35
1 parent 2c81bf5
commit 74bab35
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 0 deletions.
diff --git a/cloud-function/src/app.ts b/cloud-function/src/app.ts
@@ -17,8 +17,10 @@ import { redirectLocale } from "./middlewares/redirect-locale.js";
 import { redirectTrailingSlash } from "./middlewares/redirect-trailing-slash.js";
 import { requireOrigin } from "./middlewares/require-origin.js";
 import { notFound } from "./middlewares/not-found.js";
+import { stripForwardedHostHeaders } from "./middlewares/stripForwardedHostHeaders.js";
 
 const router = Router();
+router.use(stripForwardedHostHeaders);
 router.use(redirectLeadingSlash);
 router.all(
   "/api/v1/stripe/plans",

diff --git a/cloud-function/src/middlewares/stripForwardedHostHeaders.ts b/cloud-function/src/middlewares/stripForwardedHostHeaders.ts
@@ -0,0 +1,15 @@
+import { NextFunction, Request, Response } from "express";
+
+// Don't strip other `X-Forwarded-*` headers.
+const HEADER_REGEXP = /^(x-forwarded-host|forwarded)$/i;
+
+export async function stripForwardedHostHeaders(
+  req: Request,
+  _res: Response,
+  next: NextFunction
+) {
+  Object.keys(req.headers)
+    .filter((name) => HEADER_REGEXP.test(name))
+    .forEach((name) => delete req.headers[name]);
+  next();
+}