asf-tooling opened a new issue, #1108: URL: https://github.com/apache/tooling-trusted-releases/issues/1108
**ASVS Level(s):** L2

**Description:**

### Summary

Neither the staging nor the dev vhost includes directives to sanitize the `X-Forwarded-Host` or `X-Forwarded-Server` headers. This allows end-users to inject arbitrary values for these headers, which could influence host-based logic if the middleware or application code ever processes them. The impact is currently low because the middleware does not process these headers, but it represents a defense-in-depth gap.

### Details

The Apache configuration in `tooling-vm-ec2-de.apache.org.yaml` does not unset the `X-Forwarded-Host` or `X-Forwarded-Server` headers. If the middleware is changed or updated to process `X-Forwarded-Host`, the OAuth callback URL generation in `asfquart/generics.py` (lines 39-43) and the URL validation in `atr/web.py` (line 230 and lines 100-105) could be affected.

POC: `curl -k -H "X-Forwarded-Host: evil.example.com" https://release-test.apache.org/auth?login`

### Recommended Remediation

Add `RequestHeader unset X-Forwarded-Host` and `RequestHeader unset X-Forwarded-Server` to BOTH vhosts in `tooling-vm-ec2-de.apache.org.yaml`, before the `ProxyPass` directives.

### Acceptance Criteria

- [ ] Both vhosts unset the X-Forwarded-Host header
- [ ] Both vhosts unset the X-Forwarded-Server header
- [ ] Integration test verifying the headers are not passed through
- [ ] Unit test verifying the fix

### References

- Source reports: L2:4.1.3.md
- Related findings: FINDING-117
- ASVS sections: 4.1.3

### Priority

Low
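The following vhost fragment is an added example of the remediation above; it is not taken from `tooling-vm-ec2-de.apache.org.yaml`, and the certificate paths and backend port are assumptions. The point it illustrates is ordering: `RequestHeader` directives are applied before the request reaches the proxy handler, so client-supplied forwarding headers are dropped first and `mod_proxy_http` then adds its own trusted values (`X-Forwarded-Host` from the `Host` header of the inbound connection, `X-Forwarded-Server` from the proxy's own hostname; `ProxyAddHeaders` is on by default). The example goes slightly beyond the issue by also resetting `X-Forwarded-For` and `X-Forwarded-Proto`, which the same reasoning applies to.

```apache
# Added example, not the project's own vhost definition.
# Certificate paths and the backend port 8080 are assumptions.
<VirtualHost *:443>
    ServerName release-test.apache.org

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/release-test.pem
    SSLCertificateKeyFile /etc/ssl/private/release-test.key

    # Drop any client-supplied forwarding headers before the proxy runs.
    # mod_proxy_http re-adds X-Forwarded-Host and X-Forwarded-Server with
    # values it derives itself, so the backend never sees injected ones.
    RequestHeader unset X-Forwarded-Host
    RequestHeader unset X-Forwarded-Server

    # Same defense-in-depth treatment for the other forwarding headers a
    # backend might trust (these two are beyond what the issue requires).
    RequestHeader unset X-Forwarded-For
    RequestHeader set   X-Forwarded-Proto "https"

    # Proxy directives come after the header sanitisation, as recommended.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

Apache does not allow a comment on the same line as a directive, hence the comment-only lines. For the integration test in the acceptance criteria, the check is that a request carrying an injected `X-Forwarded-Host` arrives at the backend with `X-Forwarded-Host` equal to the vhost's own hostname rather than the injected value; the same `RequestHeader` block must be present in both the staging and the dev vhost.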
