Sanitize CORS headers (#85)

Add sanitation step for `Access-Control-Allow-Headers` when echoing back user supplied headers
2025-04-01 08:43:53 -07:00
parent 4c3aa40564
commit a23da6eb57
3 changed files with 122 additions and 1 deletions
--- a/proxy/proxymanager.go
+++ b/proxy/proxymanager.go
@@ -84,7 +84,8 @@ func New(config *Config) *ProxyManager {

 			// allow whatever the client requested by default
 			if headers := c.Request.Header.Get("Access-Control-Request-Headers"); headers != "" {
-				c.Header("Access-Control-Allow-Headers", headers)
+				sanitized := SanitizeAccessControlRequestHeaderValues(headers)
+				c.Header("Access-Control-Allow-Headers", sanitized)
 			} else {
 				c.Header(
 					"Access-Control-Allow-Headers",