spring-cloud-gateway: ProxyExchange.sensitive does not remove headers as documented
I am using spring-cloud-gateway-webflux 2.0.2.RELEASE.
The header fields in sensitive are not removed from the incoming request before being passed to the downstream service. Instead, the gateway is unable to add any headers included in sensitive. This is the opposite of the documented behavior, and might leave sensitive information exposed.
// The incoming request contains a header "foo: A"
ProxyExchange.DEFAULT_SENSITIVE.add("foo");
proxyExchange.header("foo", "B");
// The downstream service will receive the header "foo: A"
// The expected header would be "foo: B"
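The header handling described in the report above, as an added example that is not part of the original issue or of the Spring Cloud Gateway source: a dependency-free Java model in which `documented` follows the behaviour the report expects and `reported` follows the behaviour it observed. The class and method names, the case-insensitive name matching and the sample headers are assumptions made for illustration.

```java
import java.util.*;

// Added illustration: a dependency-free model, not Spring Cloud Gateway code.
public class SensitiveHeaderModel {

    // Expected behaviour: drop sensitive headers from the incoming request, then
    // apply the headers the handler set explicitly, overwriting same-named ones.
    static Map<String, List<String>> documented(Map<String, List<String>> incoming,
                                                Map<String, List<String>> explicit,
                                                Set<String> sensitive) {
        Map<String, List<String>> out = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        incoming.forEach((name, values) -> {
            if (!isSensitive(sensitive, name)) out.put(name, values);
        });
        out.putAll(explicit); // explicit values win, even for sensitive names
        return out;
    }

    // Behaviour as reported: the filter lands on the explicitly set headers
    // instead of the incoming ones, so the client-supplied value passes through.
    static Map<String, List<String>> reported(Map<String, List<String>> incoming,
                                              Map<String, List<String>> explicit,
                                              Set<String> sensitive) {
        Map<String, List<String>> out = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        out.putAll(incoming);
        explicit.forEach((name, values) -> {
            if (!isSensitive(sensitive, name)) out.put(name, values);
        });
        return out;
    }

    // HTTP header names are case-insensitive, so "Foo" must match "foo".
    static boolean isSensitive(Set<String> sensitive, String name) {
        return sensitive.stream().anyMatch(s -> s.equalsIgnoreCase(name));
    }

    public static void main(String[] args) {
        // Constructed input matching the report: client sends "foo: A", handler sets "foo: B".
        Map<String, List<String>> incoming = Map.of("Foo", List.of("A"), "Accept", List.of("*/*"));
        Map<String, List<String>> explicit = Map.of("foo", List.of("B"));
        Set<String> sensitive = Set.of("foo");
        System.out.println("reported:   " + reported(incoming, explicit, sensitive));
        System.out.println("documented: " + documented(incoming, explicit, sensitive));
    }
}
```

A regression test for a gateway can assert the same property end to end: a sensitive header supplied by the client must never reach the downstream service unless the handler set it explicitly.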
About this issue
- State: closed
- Created 6 years ago
- Comments: 29 (17 by maintainers)
Commits related to this issue
- Remove sensitive headers from request. Fixes #643 — committed to ryanjbaxter/spring-cloud-gateway by ryanjbaxter 6 years ago
- Updates webflux ProxyExchange to overwrite incoming headers rather than add to them. Added the test to mvc ProxyExchange and it currently exhibits this behavior already and the test passes. see gh-... — committed to spring-cloud/spring-cloud-gateway by spencergibb 6 years ago
- Remove sensitive headers from request. Fixes #643 — committed to spring-cloud/spring-cloud-gateway by ryanjbaxter 6 years ago
- caffeine cache for loadbalancer Fix gh 638 (#643) * Add Caffeine-based loadBalancerCacheManager. * Add more tests. * Fix test. * Only enable loadBalancer caching if caffeine is on classpath... — committed to Johnny850807/spring-cloud-gateway by OlgaMaciaszek 5 years ago
working on a PR