synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-15 22:20:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: Strip session_token cookie from app proxy requests (#3528)

Browse Source 
Fixes coder/security#1.
This commit is contained in:
Kyle Carberry
2022-08-17 12:09:45 -05:00
committed by GitHub
parent 000e1a5ef2
commit c3f946737c
8 changed files with 94 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
coderd/workspaceapps.go
View File

@ -170,6 +170,12 @@ func (api *API) workspaceAppsProxyPath(rw http.ResponseWriter, r *http.Request)
}
defer release()
// This strips the session token from a workspace app request.
cookieHeaders := r.Header.Values("Cookie")[:]
r.Header.Del("Cookie")
for _, cookieHeader := range cookieHeaders {
r.Header.Add("Cookie", httpapi.StripCoderCookies(cookieHeader))
}
proxy.Transport = conn.HTTPTransport()
proxy.ServeHTTP(rw, r)
}