Merged PR 723917: fix: Filter grpcgateway-authorization headers

Security-concept-update-needed: false.

JIRA Work Item: STACKITALO-98

audit/api/model.go

@@ -582,12 +582,12 @@ func byteArrayToPbStruct(bytes []byte) (*structpb.Struct, error) {
 }
 
 // FilterAndMergeHeaders filters ":authority", "Authorization", "B3" and "Host" headers as well as
-// all headers starting with the prefixes "X-" and "STACKIT-".
+// all headers starting with the prefixes "X-", "STACKIT-" and "grpcgateway-".
 // Headers are merged if there is more than one value for a given name.
 func FilterAndMergeHeaders(headers map[string][]string) map[string]string {
 	var resultMap = make(map[string]string)
 	skipHeaders := []string{":authority", "authorization", "b3", "host"}
-	skipPrefixHeaders := []string{"x-", "stackit-"}
+	skipPrefixHeaders := []string{"x-", "stackit-", "grpcgateway-"}
 
 	if len(headers) == 0 {
 		return nil

audit/api/model_test.go

@@ -331,6 +331,7 @@ func Test_FilterAndMergeRequestHeaders(t *testing.T) {
 		headers := make(map[string][]string)
 		headers["X-Forwarded-Proto"] = []string{"https"}
 		headers["Stackit-test"] = []string{"test"}
+		headers["grpcgateway-authorization"] = []string{userToken}
 
 		filteredHeaders := FilterAndMergeHeaders(headers)
 		assert.Equal(t, 0, len(filteredHeaders))