From 720a1a6d724d7fb9b58a7d90880566f3371d5599 Mon Sep 17 00:00:00 2001
From: Christian Schaible
Date: Tue, 28 Jan 2025 13:39:06 +0000
Subject: [PATCH] Merged PR 723917: fix: Filter grpcgateway-authorization headers

Security-concept-update-needed: false. JIRA Work Item: STACKITALO-98
---
 audit/api/model.go      | 4 ++--
 audit/api/model_test.go | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/audit/api/model.go b/audit/api/model.go
index 11778e2..50316fa 100644
--- a/audit/api/model.go
+++ b/audit/api/model.go
@@ -582,12 +582,12 @@ func byteArrayToPbStruct(bytes []byte) (*structpb.Struct, error) {
 }
 
 // FilterAndMergeHeaders filters ":authority", "Authorization", "B3" and "Host" headers as well as
-// all headers starting with the prefixes "X-" and "STACKIT-".
+// all headers starting with the prefixes "X-", "STACKIT-" and "grpcgateway-".
 // Headers are merged if there is more than one value for a given name.
 func FilterAndMergeHeaders(headers map[string][]string) map[string]string {
 	var resultMap = make(map[string]string)
 	skipHeaders := []string{":authority", "authorization", "b3", "host"}
-	skipPrefixHeaders := []string{"x-", "stackit-"}
+	skipPrefixHeaders := []string{"x-", "stackit-", "grpcgateway-"}
 
 	if len(headers) == 0 {
 		return nil
diff --git a/audit/api/model_test.go b/audit/api/model_test.go
index 63d58ce..b4ef29a 100644
--- a/audit/api/model_test.go
+++ b/audit/api/model_test.go
@@ -331,6 +331,7 @@ func Test_FilterAndMergeRequestHeaders(t *testing.T) {
 	headers := make(map[string][]string)
 	headers["X-Forwarded-Proto"] = []string{"https"}
 	headers["Stackit-test"] = []string{"test"}
+	headers["grpcgateway-authorization"] = []string{userToken}
 	filteredHeaders := FilterAndMergeHeaders(headers)
 	assert.Equal(t, 0, len(filteredHeaders))
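Review bot: The new `"grpcgateway-"` entry in `skipPrefixHeaders` only catches the header if the comparison further down lowercases the incoming name first; that matching loop lies outside this hunk, and the new test only exercises an all-lowercase `grpcgateway-authorization`, so a second case with a mixed-case name such as `Grpcgateway-Authorization` would pin the normalization this fix depends on. The function stays a deny list, so any credential-bearing header not named here (for example `Cookie` or `Proxy-Authorization`, neither of which is in `skipHeaders`) still lands in the audit record unless it is stripped elsewhere; that limitation deserves a line in the doc comment, e.g. `// This is a deny list: header names not matched here are recorded verbatim, so any new credential-carrying header must be added explicitly.` The doc comment also now mixes the casing of the prefixes it lists (`"X-"`, `"STACKIT-"`, `"grpcgateway-"`) while the code compares lowercase forms; stating once that matching is case-insensitive would make that consistent. FilterAndMergeHeaders continues past the end of the hunk.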