Support for X-Forwarded-Prefix in ForwardedHeadersMiddleware (#49249)

andwi · web-flow · commit dc3d37fc09ea · 2023-08-01T14:01:07.000-07:00
diff --git a/src/Middleware/HttpOverrides/src/ForwardedHeaders.cs b/src/Middleware/HttpOverrides/src/ForwardedHeaders.cs
@@ -26,7 +26,11 @@ public enum ForwardedHeaders
     /// </summary>
     XForwardedProto = 1 << 2,
     /// <summary>
-    /// Process X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Proto.
+    /// Process X-Forwarded-Prefix, which identifies the original path base used by the client.
     /// </summary>
-    All = XForwardedFor | XForwardedHost | XForwardedProto
+    XForwardedPrefix = 1 << 3,
+    /// <summary>
+    /// Process X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Proto and X-Forwarded-Prefix.
+    /// </summary>
+    All = XForwardedFor | XForwardedHost | XForwardedProto | XForwardedPrefix
 }
diff --git a/src/Middleware/HttpOverrides/src/ForwardedHeadersDefaults.cs b/src/Middleware/HttpOverrides/src/ForwardedHeadersDefaults.cs
@@ -24,6 +24,11 @@ public static class ForwardedHeadersDefaults
     /// </summary>
     public static string XForwardedProtoHeaderName { get; } = "X-Forwarded-Proto";
 
+    /// <summary>
+    /// X-Forwarded-Prefix
+    /// </summary>
+    public static string XForwardedPrefixHeaderName { get; } = "X-Forwarded-Prefix";
+
     /// <summary>
     /// X-Original-For
     /// </summary>
@@ -38,4 +43,9 @@ public static class ForwardedHeadersDefaults
     /// X-Original-Proto
     /// </summary>
     public static string XOriginalProtoHeaderName { get; } = "X-Original-Proto";
+
+    /// <summary>
+    /// X-Original-Prefix
+    /// </summary>
+    public static string XOriginalPrefixHeaderName { get; } = "X-Original-Prefix";
 }
diff --git a/src/Middleware/HttpOverrides/src/ForwardedHeadersMiddleware.cs b/src/Middleware/HttpOverrides/src/ForwardedHeadersMiddleware.cs
@@ -53,9 +53,11 @@ public ForwardedHeadersMiddleware(RequestDelegate next, ILoggerFactory loggerFac
         EnsureOptionNotNullorWhitespace(options.Value.ForwardedForHeaderName, nameof(options.Value.ForwardedForHeaderName));
         EnsureOptionNotNullorWhitespace(options.Value.ForwardedHostHeaderName, nameof(options.Value.ForwardedHostHeaderName));
         EnsureOptionNotNullorWhitespace(options.Value.ForwardedProtoHeaderName, nameof(options.Value.ForwardedProtoHeaderName));
+        EnsureOptionNotNullorWhitespace(options.Value.ForwardedPrefixHeaderName, nameof(options.Value.ForwardedPrefixHeaderName));
         EnsureOptionNotNullorWhitespace(options.Value.OriginalForHeaderName, nameof(options.Value.OriginalForHeaderName));
         EnsureOptionNotNullorWhitespace(options.Value.OriginalHostHeaderName, nameof(options.Value.OriginalHostHeaderName));
         EnsureOptionNotNullorWhitespace(options.Value.OriginalProtoHeaderName, nameof(options.Value.OriginalProtoHeaderName));
+        EnsureOptionNotNullorWhitespace(options.Value.OriginalPrefixHeaderName, nameof(options.Value.OriginalPrefixHeaderName));
 
         _options = options.Value;
         _logger = loggerFactory.CreateLogger<ForwardedHeadersMiddleware>();
@@ -126,8 +128,8 @@ public Task Invoke(HttpContext context)
     public void ApplyForwarders(HttpContext context)
     {
         // Gather expected headers.
-        string[]? forwardedFor = null, forwardedProto = null, forwardedHost = null;
-        bool checkFor = false, checkProto = false, checkHost = false;
+        string[]? forwardedFor = null, forwardedProto = null, forwardedHost = null, forwardedPrefix = null;
+        bool checkFor = false, checkProto = false, checkHost = false, checkPrefix = false;
         int entryCount = 0;
 
         var request = context.Request;
@@ -165,6 +167,21 @@ public void ApplyForwarders(HttpContext context)
             entryCount = Math.Max(forwardedHost.Length, entryCount);
         }
 
+        if (_options.ForwardedHeaders.HasFlag(ForwardedHeaders.XForwardedPrefix))
+        {
+            checkPrefix = true;
+            forwardedPrefix = requestHeaders.GetCommaSeparatedValues(_options.ForwardedPrefixHeaderName);
+            if (_options.RequireHeaderSymmetry
+                && ((checkFor && forwardedFor!.Length != forwardedPrefix.Length)
+                    || (checkProto && forwardedProto!.Length != forwardedPrefix.Length)
+                    || (checkHost && forwardedHost!.Length != forwardedPrefix.Length)))
+            {
+                _logger.LogWarning(1, "Parameter count mismatch between X-Forwarded-Prefix and X-Forwarded-Host and X-Forwarded-For or X-Forwarded-Proto.");
+                return;
+            }
+            entryCount = Math.Max(forwardedPrefix.Length, entryCount);
+        }
+
         // Apply ForwardLimit, if any
         if (_options.ForwardLimit.HasValue && entryCount > _options.ForwardLimit)
         {
@@ -189,6 +206,10 @@ public void ApplyForwarders(HttpContext context)
             {
                 set.Host = forwardedHost[forwardedHost.Length - i - 1];
             }
+            if (checkPrefix && i < forwardedPrefix!.Length)
+            {
+                set.Prefix = forwardedPrefix[forwardedPrefix.Length - i - 1];
+            }
             sets[i] = set;
         }
 
@@ -271,6 +292,20 @@ public void ApplyForwarders(HttpContext context)
                     return;
                 }
             }
+
+            if (checkPrefix)
+            {
+                if (!string.IsNullOrEmpty(set.Prefix) && set.Prefix[0] == '/')
+                {
+                    applyChanges = true;
+                    currentValues.Prefix = set.Prefix;
+                }
+                else if (_options.RequireHeaderSymmetry)
+                {
+                    _logger.LogWarning(5, $"Incorrect number of x-forwarded-prefix header values, see {nameof(_options.RequireHeaderSymmetry)}");
+                    return;
+                }
+            }
         }
 
         if (applyChanges)
@@ -285,7 +320,8 @@ public void ApplyForwarders(HttpContext context)
                 if (forwardedFor!.Length > entriesConsumed)
                 {
                     // Truncate the consumed header values
-                    requestHeaders[_options.ForwardedForHeaderName] = forwardedFor.Take(forwardedFor.Length - entriesConsumed).ToArray();
+                    requestHeaders[_options.ForwardedForHeaderName] =
+                        TruncateConsumedHeaderValues(forwardedFor, entriesConsumed);
                 }
                 else
                 {
@@ -303,7 +339,8 @@ public void ApplyForwarders(HttpContext context)
                 if (forwardedProto!.Length > entriesConsumed)
                 {
                     // Truncate the consumed header values
-                    requestHeaders[_options.ForwardedProtoHeaderName] = forwardedProto.Take(forwardedProto.Length - entriesConsumed).ToArray();
+                    requestHeaders[_options.ForwardedProtoHeaderName] =
+                        TruncateConsumedHeaderValues(forwardedProto, entriesConsumed);
                 }
                 else
                 {
@@ -320,7 +357,8 @@ public void ApplyForwarders(HttpContext context)
                 if (forwardedHost!.Length > entriesConsumed)
                 {
                     // Truncate the consumed header values
-                    requestHeaders[_options.ForwardedHostHeaderName] = forwardedHost.Take(forwardedHost.Length - entriesConsumed).ToArray();
+                    requestHeaders[_options.ForwardedHostHeaderName] =
+                        TruncateConsumedHeaderValues(forwardedHost, entriesConsumed);
                 }
                 else
                 {
@@ -329,6 +367,29 @@ public void ApplyForwarders(HttpContext context)
                 }
                 request.Host = HostString.FromUriComponent(currentValues.Host);
             }
+
+            if (checkPrefix && currentValues.Prefix != null)
+            {
+                if (request.PathBase.HasValue)
+                {
+                    // Save the original
+                    requestHeaders[_options.OriginalPrefixHeaderName] = request.PathBase.ToString();
+                }
+
+                if (forwardedPrefix!.Length > entriesConsumed)
+                {
+                    // Truncate the consumed header values
+                    requestHeaders[_options.ForwardedPrefixHeaderName] =
+                        TruncateConsumedHeaderValues(forwardedPrefix, entriesConsumed);
+                }
+                else
+                {
+                    // All values were consumed
+                    requestHeaders.Remove(_options.ForwardedPrefixHeaderName);
+                }
+
+                request.PathBase = PathString.FromUriComponent(currentValues.Prefix);
+            }
         }
     }
 
@@ -362,6 +423,7 @@ private struct SetOfForwarders
         public IPEndPoint? RemoteIpAndPort;
         public string Host;
         public string Scheme;
+        public string Prefix;
     }
 
     // Empty was checked for by the caller
@@ -423,4 +485,12 @@ private static bool TryValidateHostPort(string hostText, int offset)
 
         return hostText.AsSpan(offset + 1).IndexOfAnyExceptInRange('0', '9') < 0;
     }
+
+    private static string[] TruncateConsumedHeaderValues(string[] forwarded, int entriesConsumed)
+    {
+        var newLength = forwarded.Length - entriesConsumed;
+        var remaining = new string[newLength];
+        Array.Copy(forwarded, remaining, newLength);
+        return remaining;
+    }
 }
diff --git a/src/Middleware/HttpOverrides/src/ForwardedHeadersOptions.cs b/src/Middleware/HttpOverrides/src/ForwardedHeadersOptions.cs
@@ -29,6 +29,12 @@ public class ForwardedHeadersOptions
     /// </summary>
     public string ForwardedProtoHeaderName { get; set; } = ForwardedHeadersDefaults.XForwardedProtoHeaderName;
 
+    /// <summary>
+    /// Gets or sets the header used to retrieve the value for the path base.
+    /// Defaults to the value specified by <see cref="ForwardedHeadersDefaults.XForwardedPrefixHeaderName"/>
+    /// </summary>
+    public string ForwardedPrefixHeaderName { get; set; } = ForwardedHeadersDefaults.XForwardedPrefixHeaderName;
+
     /// <summary>
     /// Gets or sets the header used to store the original value of client IP before applying forwarded headers.
     /// Defaults to the value specified by <see cref="ForwardedHeadersDefaults.XOriginalForHeaderName"/>
@@ -50,6 +56,13 @@ public class ForwardedHeadersOptions
     /// <seealso cref="ForwardedHeadersDefaults"/>
     public string OriginalProtoHeaderName { get; set; } = ForwardedHeadersDefaults.XOriginalProtoHeaderName;
 
+    /// <summary>
+    /// Gets or sets the header used to store the original path base before applying forwarded headers.
+    /// Defaults to the value specified by <see cref="ForwardedHeadersDefaults.XOriginalPrefixHeaderName"/>
+    /// </summary>
+    /// <seealso cref="ForwardedHeadersDefaults"/>
+    public string OriginalPrefixHeaderName { get; set; } = ForwardedHeadersDefaults.XOriginalPrefixHeaderName;
+
     /// <summary>
     /// Identifies which forwarders should be processed.
     /// </summary>
diff --git a/src/Middleware/HttpOverrides/src/PublicAPI.Unshipped.txt b/src/Middleware/HttpOverrides/src/PublicAPI.Unshipped.txt
@@ -1,3 +1,14 @@
 #nullable enable
+~static Microsoft.AspNetCore.HttpOverrides.ForwardedHeadersDefaults.XForwardedPrefixHeaderName.get -> string
+~static Microsoft.AspNetCore.HttpOverrides.ForwardedHeadersDefaults.XOriginalPrefixHeaderName.get -> string
+Microsoft.AspNetCore.Builder.ForwardedHeadersOptions.ForwardedPrefixHeaderName.get -> string!
+Microsoft.AspNetCore.Builder.ForwardedHeadersOptions.ForwardedPrefixHeaderName.set -> void
+Microsoft.AspNetCore.Builder.ForwardedHeadersOptions.OriginalPrefixHeaderName.get -> string!
+Microsoft.AspNetCore.Builder.ForwardedHeadersOptions.OriginalPrefixHeaderName.set -> void
+*REMOVED*Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.All = Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.XForwardedFor | Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.XForwardedHost | Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.XForwardedProto -> Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders
+Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.All = Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.XForwardedFor | Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.XForwardedHost | Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.XForwardedProto | Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.XForwardedPrefix -> Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders
+Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.XForwardedPrefix = 8 -> Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders
+static Microsoft.AspNetCore.HttpOverrides.ForwardedHeadersDefaults.XForwardedPrefixHeaderName.get -> string!
+static Microsoft.AspNetCore.HttpOverrides.ForwardedHeadersDefaults.XOriginalPrefixHeaderName.get -> string!
 static Microsoft.AspNetCore.HttpOverrides.IPNetwork.Parse(System.ReadOnlySpan<char> networkSpan) -> Microsoft.AspNetCore.HttpOverrides.IPNetwork!
 static Microsoft.AspNetCore.HttpOverrides.IPNetwork.TryParse(System.ReadOnlySpan<char> networkSpan, out Microsoft.AspNetCore.HttpOverrides.IPNetwork? network) -> bool
diff --git a/src/Middleware/HttpOverrides/test/ForwardedHeadersMiddlewareTest.cs b/src/Middleware/HttpOverrides/test/ForwardedHeadersMiddlewareTest.cs
