chore: bring back x-auth-checks with a length limit#19928
Conversation
checks=checks[:maxHeaderLength] | ||
checks+="<truncated>" |
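Review bot: the slice on the first line is only safe inside a guard such as "if len(checks) > maxHeaderLength", which is not visible in this excerpt; without it a value shorter than maxHeaderLength panics. Also, because the marker is appended after the slice, the resulting value is maxHeaderLength + len("<truncated>") bytes rather than maxHeaderLength; if the limit is meant as a hard cap, subtract the marker length from the slice bound, e.g. checks = checks[:maxHeaderLength-len("<truncated>")].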
Nit: Won't this result in a header that is 2011 bytes long, since maxHeaderLength + len("<truncated>")?
checks=checks[:maxHeaderLength] | |
checks+="<truncated>" | |
truncationMarker="<truncated>" | |
checks=checks[:(maxHeaderLength-len(truncationMarker))] | |
checks+=truncationMarker |
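Review bot: the suggested truncationMarker is declared inline at the truncation site; hoist it to a package-level constant next to maxHeaderLength so the two values that together define the cap are documented in one place, and let the comment on maxHeaderLength state that the marker is counted within the limit.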
I thought about that, but figured it wouldn't hurt to let it be a tiny bit longer 😄
Merged commit a6fc28c into main.
// This is defined separately in slim builds to avoid importing the rbac | ||
// package, which is a large dependency. | ||
funcSetAuthzCheckRecorderHeader(ctx context.Context,rw http.ResponseWriter) { |
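Review bot: the doc comment says why this variant exists but not what it does; state whether the slim-build SetAuthzCheckRecorderHeader sets the header at all or is a no-op that leaves rw untouched, so that readers of slim-build responses know the header's absence is expected rather than a regression of the truncation logic.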
We could technically find the size of the other headers too, and check how large they are. Then make sure they never exceed 4 KB.
We disabled it before because the header could get too long and cause problems. I've re-enabled it with a maximum length and a comment describing why the length matters. Any results that are truncated will be marked as such. It's not a perfect solution, but this is a useful debugging tool that I want to bring back.
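The truncation discussed in this thread, written out as an added Go example that is neither Coder's code nor taken from this PR. The header name X-Authz-Checks, the 64-byte per-value cap, the "; " separator and the 4096-byte total budget are assumed values chosen for illustration; the PR's real constants are not shown on this page. It goes slightly beyond the diff in two ways: the marker is counted inside the limit (the nit raised above), and the header is shrunk or dropped when the headers already present leave less room than the cap, which is the 4 KB concern from the review.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed values for this example; the PR's real constants and header name are
// not shown on this page.
const (
	authzChecksHeader = "X-Authz-Checks" // hypothetical header name
	maxHeaderLength   = 64               // per-value cap, assumed
	truncationMarker  = "<truncated>"
	totalHeaderBudget = 4096 // the "never exceed 4 KB" concern from the review
)

// truncateHeaderValue caps v at limit bytes. The marker is counted inside the
// limit, so len(result) <= limit always holds, and a value that already fits
// is returned unchanged (no slicing past the end of a short string).
func truncateHeaderValue(v string, limit int, marker string) string {
	if limit <= 0 {
		return ""
	}
	if len(v) <= limit {
		return v
	}
	if len(marker) >= limit {
		// Nothing of v fits beside the marker; keep as much of the marker as allowed.
		return marker[:limit]
	}
	return v[:limit-len(marker)] + marker
}

// formatAuthzChecks joins the recorded checks into one header value capped at
// maxHeaderLength.
func formatAuthzChecks(checks []string) string {
	return truncateHeaderValue(strings.Join(checks, "; "), maxHeaderLength, truncationMarker)
}

// headerBytes approximates the serialized size of h as "Key: value\r\n" per
// value, which is the quantity a total-header budget is checked against.
func headerBytes(h http.Header) int {
	n := 0
	for k, vs := range h {
		for _, v := range vs {
			n += len(k) + 2 + len(v) + 2
		}
	}
	return n
}

// setAuthzChecksHeader writes the debugging header, shrinking it below
// maxHeaderLength when the headers already present leave less room under
// budget, and dropping it entirely when there is no room left.
func setAuthzChecksHeader(rw http.ResponseWriter, checks []string, budget int) {
	if len(checks) == 0 {
		return
	}
	// Room for the value once existing headers and this header's "Name: " and
	// "\r\n" framing (4 bytes) are accounted for.
	room := budget - headerBytes(rw.Header()) - len(authzChecksHeader) - 4
	limit := maxHeaderLength
	if room < limit {
		limit = room
	}
	if limit <= 0 {
		return
	}
	rw.Header().Set(authzChecksHeader, truncateHeaderValue(strings.Join(checks, "; "), limit, truncationMarker))
}

func main() {
	// Constructed sample checks, long enough to exceed the 64-byte cap.
	var checks []string
	for i := 0; i < 8; i++ {
		checks = append(checks, fmt.Sprintf("rbac.read.workspace:%d=allow", i))
	}
	rec := httptest.NewRecorder()
	rec.Header().Set("Content-Type", "application/json")
	setAuthzChecksHeader(rec, checks, totalHeaderBudget)
	v := rec.Header().Get(authzChecksHeader)
	fmt.Printf("%d bytes: %q\n", len(v), v)
}
```

The per-value cap alone does not bound the response's total header size, which is why setAuthzChecksHeader also takes a budget and computes the remaining room against the headers already set; a debugging header is the right one to sacrifice when that room runs out.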