Merged PR 723917: fix: Filter grpcgateway-authorization headers

Security-concept-update-needed: false. JIRA Work Item: STACKITALO-98
2026-02-08 00:57:24 +00:00 · 2025-01-28 13:39:06 +00:00 · 2025-01-28 13:39:06 +00:00 · 720a1a6d72
commit 720a1a6d72
parent 3472ce1585
2 changed files with 3 additions and 2 deletions
--- a/audit/api/model.go
+++ b/audit/api/model.go
@ -582,12 +582,12 @@ func byteArrayToPbStruct(bytes []byte) (*structpb.Struct, error) {
 }

 // FilterAndMergeHeaders filters ":authority", "Authorization", "B3" and "Host" headers as well as
-// all headers starting with the prefixes "X-" and "STACKIT-".
+// all headers starting with the prefixes "X-", "STACKIT-" and "grpcgateway-".
 // Headers are merged if there is more than one value for a given name.
 func FilterAndMergeHeaders(headers map[string][]string) map[string]string {
 	var resultMap = make(map[string]string)
 	skipHeaders := []string{":authority", "authorization", "b3", "host"}
-	skipPrefixHeaders := []string{"x-", "stackit-"}
+	skipPrefixHeaders := []string{"x-", "stackit-", "grpcgateway-"}

 	if len(headers) == 0 {
 		return nil
--- a/audit/api/model_test.go
+++ b/audit/api/model_test.go
@ -331,6 +331,7 @@ func Test_FilterAndMergeRequestHeaders(t *testing.T) {
 		headers := make(map[string][]string)
 		headers["X-Forwarded-Proto"] = []string{"https"}
 		headers["Stackit-test"] = []string{"test"}
+		headers["grpcgateway-authorization"] = []string{userToken}

 		filteredHeaders := FilterAndMergeHeaders(headers)
 		assert.Equal(t, 0, len(filteredHeaders))