fix: Strip session_token cookie from app proxy requests (#3528)

Fixes coder/security#1.
2025-07-03 16:13:58 +00:00 · 2022-08-17 12:09:45 -05:00
parent 000e1a5ef2
commit c3f946737c
8 changed files with 94 additions and 16 deletions
--- a/coderd/httpapi/cookie_test.go
+++ b/coderd/httpapi/cookie_test.go
@ -0,0 +1,35 @@
+package httpapi_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/coderd/httpapi"
+)
+
+func TestStripCoderCookies(t *testing.T) {
+	t.Parallel()
+	for _, tc := range []struct {
+		Input  string
+		Output string
+	}{{
+		"testing=hello; wow=test",
+		"testing=hello; wow=test",
+	}, {
+		"session_token=moo; wow=test",
+		"wow=test",
+	}, {
+		"another_token=wow; session_token=ok",
+		"another_token=wow",
+	}, {
+		"session_token=ok; oauth_state=wow; oauth_redirect=/",
+		"",
+	}} {
+		tc := tc
+		t.Run(tc.Input, func(t *testing.T) {
+			t.Parallel()
+			require.Equal(t, tc.Output, httpapi.StripCoderCookies(tc.Input))
+		})
+	}
+}