From 80f12290f87d523b9cd01f0164009936fc609865 Mon Sep 17 00:00:00 2001
From: Evgeni Golov
Date: Thu, 15 Aug 2024 11:39:48 +0200
Subject: [PATCH] Unset all possible dash/underscore combinations of REMOTE_USER

While the backend will always see underscores, as dashes are not permitted in environment variables that are used to pass these along, the frontend should always filter all possible notations, as otherwise an attacker could set the "REMOTE-USER" header which gets passed as "REMOTE_USER" unfiltered.

Do the same for REMOTE_USER_* to avoid sneaking in groups that the user does not belong to and other user preferences.

This however is only a theoretical attack vector once you can't spoof the REMOTE_USER variable anymore.
---
 manifests/config/apache.pp | 13 +++++++++++
 spec/classes/foreman_config_apache_spec.rb | 26 ++++++++++++++++++++++
 2 files changed, 39 insertions(+)

diff --git a/manifests/config/apache.pp b/manifests/config/apache.pp
index 56f5059bc..8b6a861db 100644
--- a/manifests/config/apache.pp
+++ b/manifests/config/apache.pp
@@ -119,10 +119,23 @@
 String[1] $keycloak_app_name = 'foreman-openidc',
 String[1] $keycloak_realm = 'ssl-realm',
 Array[String[1]] $request_headers_to_unset = [
+ 'REMOTE-USER',
 'REMOTE_USER',
+ 'REMOTE-USER-EMAIL',
+ 'REMOTE-USER_EMAIL',
+ 'REMOTE_USER-EMAIL',
 'REMOTE_USER_EMAIL',
+ 'REMOTE-USER-FIRSTNAME',
+ 'REMOTE-USER_FIRSTNAME',
+ 'REMOTE_USER-FIRSTNAME',
 'REMOTE_USER_FIRSTNAME',
+ 'REMOTE-USER-LASTNAME',
+ 'REMOTE-USER_LASTNAME',
+ 'REMOTE_USER-LASTNAME',
 'REMOTE_USER_LASTNAME',
+ 'REMOTE-USER-GROUPS',
+ 'REMOTE-USER_GROUPS',
+ 'REMOTE_USER-GROUPS',
 'REMOTE_USER_GROUPS',
 ],
 ) {
diff --git a/spec/classes/foreman_config_apache_spec.rb b/spec/classes/foreman_config_apache_spec.rb
index 0131b4396..de5bd7fa2 100644
--- a/spec/classes/foreman_config_apache_spec.rb
+++ b/spec/classes/foreman_config_apache_spec.rb
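Review bot: The hard-coded enumeration in the `request_headers_to_unset` default only protects the five attribute names listed; any further `REMOTE_USER_*` header the backend starts honouring later will pass through unfiltered until someone remembers to add all four spellings here, so consider deriving the variants from a single base array in the class body rather than hand-maintaining 18 literals. Whatever form it takes, the reason for the pairs deserves a comment next to the parameter, e.g. `# Every dash/underscore spelling is listed because the proxied app normalises '-' to '_' when it builds its env vars, so a client-sent 'REMOTE-USER' would otherwise reach it as REMOTE_USER.` Header names in mod_headers are matched case-insensitively as far as I know, so case variants should not need listing, but that is worth confirming once rather than assuming. Whether these unsets run before or after the module that legitimately sets REMOTE_USER for Keycloak/GSSAPI logins is not visible in this hunk and should be checked, since unsetting late would drop the genuine value too. The parameter list is cut at both ends of the hunk (class header above, body below).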
@@ -56,10 +56,23 @@
 'set SSL_CLIENT_S_DN ""',
 'set SSL_CLIENT_CERT ""',
 'set SSL_CLIENT_VERIFY ""',
+ 'unset REMOTE-USER',
 'unset REMOTE_USER',
+ 'unset REMOTE-USER-EMAIL',
+ 'unset REMOTE-USER_EMAIL',
+ 'unset REMOTE_USER-EMAIL',
 'unset REMOTE_USER_EMAIL',
+ 'unset REMOTE-USER-FIRSTNAME',
+ 'unset REMOTE-USER_FIRSTNAME',
+ 'unset REMOTE_USER-FIRSTNAME',
 'unset REMOTE_USER_FIRSTNAME',
+ 'unset REMOTE-USER-LASTNAME',
+ 'unset REMOTE-USER_LASTNAME',
+ 'unset REMOTE_USER-LASTNAME',
 'unset REMOTE_USER_LASTNAME',
+ 'unset REMOTE-USER-GROUPS',
+ 'unset REMOTE-USER_GROUPS',
+ 'unset REMOTE_USER-GROUPS',
 'unset REMOTE_USER_GROUPS'
 ])
 .with_proxy_pass(
@@ -192,10 +205,23 @@ class { 'apache':
 'set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"',
 'set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"',
 'set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"',
+ 'unset REMOTE-USER',
 'unset REMOTE_USER',
+ 'unset REMOTE-USER-EMAIL',
+ 'unset REMOTE-USER_EMAIL',
+ 'unset REMOTE_USER-EMAIL',
 'unset REMOTE_USER_EMAIL',
+ 'unset REMOTE-USER-FIRSTNAME',
+ 'unset REMOTE-USER_FIRSTNAME',
+ 'unset REMOTE_USER-FIRSTNAME',
 'unset REMOTE_USER_FIRSTNAME',
+ 'unset REMOTE-USER-LASTNAME',
+ 'unset REMOTE-USER_LASTNAME',
+ 'unset REMOTE_USER-LASTNAME',
 'unset REMOTE_USER_LASTNAME',
+ 'unset REMOTE-USER-GROUPS',
+ 'unset REMOTE-USER_GROUPS',
+ 'unset REMOTE_USER-GROUPS',
 'unset REMOTE_USER_GROUPS'
 ])
 .with_ssl_proxyengine(true)
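Review bot: The expected `unset …` list is now duplicated verbatim in both request-header expectations (the hunks at old lines 56 and 192), so the next attribute added to `request_headers_to_unset` has to be appended in three places and the two copies can silently drift. Pull the entries into a shared `let(:unset_headers) { [...] }` and splat it into both arrays, `*unset_headers`, so the spec keeps one source of truth; the `it` blocks enclosing both hunks start and end outside what is shown. Asserting the full literal array is still the right shape, since it will catch a future regression that drops one of the dash spellings.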