fix: Strip session_token cookie from app proxy requests (#3528)

Fixes coder/security#1.

coderd/httpapi/cookie.go

@@ -0,0 +1,31 @@
+package httpapi
+
+import (
+	"net/textproto"
+	"strings"
+
+	"github.com/coder/coder/codersdk"
+)
+
+// StripCoderCookies removes the session token from the cookie header provided.
+func StripCoderCookies(header string) string {
+	header = textproto.TrimString(header)
+	cookies := []string{}
+
+	var part string
+	for len(header) > 0 { // continue since we have rest
+		part, header, _ = strings.Cut(header, ";")
+		part = textproto.TrimString(part)
+		if part == "" {
+			continue
+		}
+		name, _, _ := strings.Cut(part, "=")
+		if name == codersdk.SessionTokenKey ||
+			name == codersdk.OAuth2StateKey ||
+			name == codersdk.OAuth2RedirectKey {
+			continue
+		}
+		cookies = append(cookies, part)
+	}
+	return strings.Join(cookies, "; ")
+}

coderd/httpapi/cookie_test.go

@@ -0,0 +1,35 @@
+package httpapi_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/coderd/httpapi"
+)
+
+func TestStripCoderCookies(t *testing.T) {
+	t.Parallel()
+	for _, tc := range []struct {
+		Input  string
+		Output string
+	}{{
+		"testing=hello; wow=test",
+		"testing=hello; wow=test",
+	}, {
+		"session_token=moo; wow=test",
+		"wow=test",
+	}, {
+		"another_token=wow; session_token=ok",
+		"another_token=wow",
+	}, {
+		"session_token=ok; oauth_state=wow; oauth_redirect=/",
+		"",
+	}} {
+		tc := tc
+		t.Run(tc.Input, func(t *testing.T) {
+			t.Parallel()
+			require.Equal(t, tc.Output, httpapi.StripCoderCookies(tc.Input))
+		})
+	}
+}