Commita6fc28c

authored

chore: bring back x-auth-checks with a length limit (#19928)

1 parentadb7521 commita6fc28cCopy full SHA for a6fc28c

File tree

+15

-10

lines changed

+15

-10

lines changed

Lines changed: 1 addition & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -489,16 +489,8 @@ func New(options Options) API {`
`489`	`489`	`r:=chi.NewRouter()`
`490`	`490`	`// We add this middleware early, to make sure that authorization checks made`
`491`	`491`	`// by other middleware get recorded.`
`492`		`-//nolint:revive,staticcheck // This block will be re-enabled, not going to remove it`
`493`	`492`	`ifbuildinfo.IsDev() {`
`494`		`-// TODO: Find another solution to opt into these checks.`
`495`		-// If the header grows too large, it breaks `fetch()` requests.
`496`		`-// Temporarily disabling this until we can find a better solution.`
`497`		-// One idea is to include checking the request for `X-Authz-Record=true`
`498`		`-// header. To opt in on a per-request basis.`
`499`		`-// Some authz calls (like filtering lists) might be able to be`
`500`		`-// summarized better to condense the header payload.`
`501`		`-// r.Use(httpmw.RecordAuthzChecks)`
	`493`	`+r.Use(httpmw.RecordAuthzChecks)`
`502`	`494`	`}`
`503`	`495`
`504`	`496`	`ctx,cancel:=context.WithCancel(context.Background())`

Lines changed: 14 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,14 @@ import (`
`9`	`9`	`"github.com/coder/coder/v2/coderd/rbac"`
`10`	`10`	`)`
`11`	`11`
	`12`	`+// The x-authz-checks header can end up being >10KB in size on certain queries.`
	`13`	`+// Many HTTP clients will fail if a header or the response head as a whole is`
	`14`	`+// too long to prevent malicious responses from consuming all of the client's`
	`15`	`+// memory. I've seen reports that browsers have this limit as low as 4KB for the`
	`16`	`+// entire response head, so we limit this header to a little less than 2KB,`
	`17`	`+// ensuring there's still plenty of room for the usual smaller headers.`
	`18`	`+constmaxHeaderLength=2000`
	`19`	`+`
`12`	`20`	`// This is defined separately in slim builds to avoid importing the rbac`
`13`	`21`	`// package, which is a large dependency.`
`14`	`22`	`funcSetAuthzCheckRecorderHeader(ctx context.Context,rw http.ResponseWriter) {`
`@@ -23,6 +31,11 @@ func SetAuthzCheckRecorderHeader(ctx context.Context, rw http.ResponseWriter) {`
`23`	`31`	`// configured on server startup for development and testing builds.`
`24`	`32`	`// - If this header is missing from a response, make sure the response is`
`25`	`33`	// being written by calling `httpapi.Write`!
`26`		`-rw.Header().Set("x-authz-checks",rec.String())`
	`34`	`+checks:=rec.String()`
	`35`	`+iflen(checks)>maxHeaderLength {`
	`36`	`+checks=checks[:maxHeaderLength]`
	`37`	`+checks+="<truncated>"`
	`38`	`+}`
	`39`	`+rw.Header().Set("x-authz-checks",checks)`
`27`	`40`	`}`
`28`	`41`	`}`

Comments

(0)