Merge pull request from GHSA-2wmj-46rj-qm2w

* fix: find instance by original domain * return instance not found on invalid origin * test: ensure correct host validation * test: instance not found is translated
2025-08-11 20:27:32 +00:00 · 2023-11-29 11:57:47 +01:00
parent ef11609142
commit 11d7a8ce61
2 changed files with 80 additions and 7 deletions
--- a/internal/api/http/middleware/instance_interceptor_test.go
+++ b/internal/api/http/middleware/instance_interceptor_test.go
@@ -12,6 +12,7 @@ import (
 	"golang.org/x/text/language"

 	"github.com/zitadel/zitadel/internal/api/authz"
+	zitadel_http "github.com/zitadel/zitadel/internal/api/http"
 )

 func Test_instanceInterceptor_Handler(t *testing.T) {
@@ -70,6 +71,7 @@ func Test_instanceInterceptor_Handler(t *testing.T) {
 			a := &instanceInterceptor{
 				verifier:   tt.fields.verifier,
 				headerName: tt.fields.headerName,
+				translator: newZitadelTranslator(),
 			}
 			next := &testHandler{}
 			got := a.HandlerFunc(next.ServeHTTP)
@@ -137,6 +139,7 @@ func Test_instanceInterceptor_HandlerFunc(t *testing.T) {
 			a := &instanceInterceptor{
 				verifier:   tt.fields.verifier,
 				headerName: tt.fields.headerName,
+				translator: newZitadelTranslator(),
 			}
 			next := &testHandler{}
 			got := a.HandlerFunc(next.ServeHTTP)
@@ -164,7 +167,7 @@ func Test_setInstance(t *testing.T) {
 		res  res
 	}{
 		{
-			"hostname not found, error",
+			"special host header not found, error",
 			args{
 				r: func() *http.Request {
 					r := httptest.NewRequest("", "/url", nil)
@@ -179,7 +182,7 @@ func Test_setInstance(t *testing.T) {
 			},
 		},
 		{
-			"invalid host, error",
+			"special host header invalid, error",
 			args{
 				r: func() *http.Request {
 					r := httptest.NewRequest("", "/url", nil)
@@ -195,7 +198,7 @@ func Test_setInstance(t *testing.T) {
 			},
 		},
 		{
-			"valid host",
+			"special host header valid, ok",
 			args{
 				r: func() *http.Request {
 					r := httptest.NewRequest("", "/url", nil)
@@ -210,6 +213,52 @@ func Test_setInstance(t *testing.T) {
 				err:  false,
 			},
 		},
+		{
+			"host from origin if header is not special, ok",
+			args{
+				r: func() *http.Request {
+					r := httptest.NewRequest("", "/url", nil)
+					r.Header.Set("host", "fromrequest")
+					return r.WithContext(zitadel_http.WithComposedOrigin(r.Context(), "https://fromorigin:9999"))
+				}(),
+				verifier:   &mockInstanceVerifier{"fromorigin"},
+				headerName: "host",
+			},
+			res{
+				want: authz.WithInstance(zitadel_http.WithComposedOrigin(context.Background(), "https://fromorigin:9999"), &mockInstance{}),
+				err:  false,
+			},
+		},
+		{
+			"host from origin, instance not found",
+			args{
+				r: func() *http.Request {
+					r := httptest.NewRequest("", "/url", nil)
+					return r.WithContext(zitadel_http.WithComposedOrigin(r.Context(), "https://fromorigin:9999"))
+				}(),
+				verifier:   &mockInstanceVerifier{"unknowndomain"},
+				headerName: "host",
+			},
+			res{
+				want: nil,
+				err:  true,
+			},
+		},
+		{
+			"host from origin invalid, err",
+			args{
+				r: func() *http.Request {
+					r := httptest.NewRequest("", "/url", nil)
+					return r.WithContext(zitadel_http.WithComposedOrigin(r.Context(), "https://from origin:9999"))
+				}(),
+				verifier:   &mockInstanceVerifier{"from origin"},
+				headerName: "host",
+			},
+			res{
+				want: nil,
+				err:  true,
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {