Unset all possible dash/underscore combinations of REMOTE_USER

While the backend will always see underscores, as dashes are not permitted in environment variables that are used to pass these along, the frontend should always filter all possible notations, as otherwise an attacker could set the "REMOTE-USER" header which gets passed as "REMOTE_USER" unfiltered. Do the same for REMOTE_USER_* to avoid sneaking in groups that the user does not belong to and other user preferences. This however is only a theoretical attack vector once you can't spoof the REMOTE_USER variable anymore. (cherry picked from commit 80f1229)
theforeman · Sep 4, 2024 · 5f988fa · 5f988fa
1 parent 9cbfb1c
commit 5f988fa
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 0 deletions.
diff --git a/manifests/config/apache.pp b/manifests/config/apache.pp
@@ -119,10 +119,23 @@
   String[1] $keycloak_app_name = 'foreman-openidc',
   String[1] $keycloak_realm = 'ssl-realm',
   Array[String[1]] $request_headers_to_unset = [
+    'REMOTE-USER',
     'REMOTE_USER',
+    'REMOTE-USER-EMAIL',
+    'REMOTE-USER_EMAIL',
+    'REMOTE_USER-EMAIL',
     'REMOTE_USER_EMAIL',
+    'REMOTE-USER-FIRSTNAME',
+    'REMOTE-USER_FIRSTNAME',
+    'REMOTE_USER-FIRSTNAME',
     'REMOTE_USER_FIRSTNAME',
+    'REMOTE-USER-LASTNAME',
+    'REMOTE-USER_LASTNAME',
+    'REMOTE_USER-LASTNAME',
     'REMOTE_USER_LASTNAME',
+    'REMOTE-USER-GROUPS',
+    'REMOTE-USER_GROUPS',
+    'REMOTE_USER-GROUPS',
     'REMOTE_USER_GROUPS',
   ],
 ) {

diff --git a/spec/classes/foreman_config_apache_spec.rb b/spec/classes/foreman_config_apache_spec.rb
@@ -56,10 +56,23 @@
             'set SSL_CLIENT_S_DN ""',
             'set SSL_CLIENT_CERT ""',
             'set SSL_CLIENT_VERIFY ""',
+            'unset REMOTE-USER',
             'unset REMOTE_USER',
+            'unset REMOTE-USER-EMAIL',
+            'unset REMOTE-USER_EMAIL',
+            'unset REMOTE_USER-EMAIL',
             'unset REMOTE_USER_EMAIL',
+            'unset REMOTE-USER-FIRSTNAME',
+            'unset REMOTE-USER_FIRSTNAME',
+            'unset REMOTE_USER-FIRSTNAME',
             'unset REMOTE_USER_FIRSTNAME',
+            'unset REMOTE-USER-LASTNAME',
+            'unset REMOTE-USER_LASTNAME',
+            'unset REMOTE_USER-LASTNAME',
             'unset REMOTE_USER_LASTNAME',
+            'unset REMOTE-USER-GROUPS',
+            'unset REMOTE-USER_GROUPS',
+            'unset REMOTE_USER-GROUPS',
             'unset REMOTE_USER_GROUPS'
           ])
           .with_proxy_pass(
@@ -192,10 +205,23 @@ class { 'apache':
               'set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"',
               'set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"',
               'set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"',
+              'unset REMOTE-USER',
               'unset REMOTE_USER',
+              'unset REMOTE-USER-EMAIL',
+              'unset REMOTE-USER_EMAIL',
+              'unset REMOTE_USER-EMAIL',
               'unset REMOTE_USER_EMAIL',
+              'unset REMOTE-USER-FIRSTNAME',
+              'unset REMOTE-USER_FIRSTNAME',
+              'unset REMOTE_USER-FIRSTNAME',
               'unset REMOTE_USER_FIRSTNAME',
+              'unset REMOTE-USER-LASTNAME',
+              'unset REMOTE-USER_LASTNAME',
+              'unset REMOTE_USER-LASTNAME',
               'unset REMOTE_USER_LASTNAME',
+              'unset REMOTE-USER-GROUPS',
+              'unset REMOTE-USER_GROUPS',
+              'unset REMOTE_USER-GROUPS',
               'unset REMOTE_USER_GROUPS'
             ])
             .with_ssl_proxyengine(true)