From 6ceb2f1213e1b28d3aa72380661e4aa985bfa437 Mon Sep 17 00:00:00 2001
From: Henning Perl
Date: Mon, 26 Aug 2024 08:20:41 +0200
Subject: [PATCH] fix: concurrent map update for webhook header (#4055)
---
 internal/client-go/go.sum | 1 +
 selfservice/hook/web_hook.go | 12 +++++++-----
 selfservice/hook/web_hook_integration_test.go | 18 ++++++------------
 3 files changed, 14 insertions(+), 17 deletions(-)
diff --git a/internal/client-go/go.sum b/internal/client-go/go.sum
index c966c8ddfd0d..6cc3f5911d11 100644
--- a/internal/client-go/go.sum
+++ b/internal/client-go/go.sum
@@ -4,6 +4,7 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e h1:bRhVy7zSSasaqNksaRZiA5EEI+Ei4I1nO5Jh72wfHlg=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
diff --git a/selfservice/hook/web_hook.go b/selfservice/hook/web_hook.go
index 86878bae2fce..6773e9ec4b89 100644
--- a/selfservice/hook/web_hook.go
+++ b/selfservice/hook/web_hook.go
@@ -21,6 +21,7 @@ import (
 "go.opentelemetry.io/otel/codes"
 semconv "go.opentelemetry.io/otel/semconv/v1.11.0"
 "go.opentelemetry.io/otel/trace"
+ "golang.org/x/exp/maps"
 grpccodes "google.golang.org/grpc/codes"
 
 "github.com/ory/herodot"
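Review bot: The added import is `golang.org/x/exp/maps`, yet the only two functions this commit takes from it, `maps.Clone` and `maps.DeleteFunc`, have been in the standard library `maps` package since Go 1.21. If the module's go directive is at 1.21 or later (go.mod is not in this patch, so this is conditional), `"maps"` in the stdlib import group in place of `"golang.org/x/exp/maps"` drops a dependency on an experimental package whose API sits outside the Go compatibility promise. The import block starts before this hunk.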
@@ -448,11 +449,12 @@ var RequestHeaderAllowList = map[string]struct{}{
 }
 
 func removeDisallowedHeaders(data *templateContext) {
- for key := range data.RequestHeaders {
- if _, ok := RequestHeaderAllowList[textproto.CanonicalMIMEHeaderKey(key)]; !ok {
- data.RequestHeaders.Del(key)
- }
- }
+ headers := maps.Clone(data.RequestHeaders)
+ maps.DeleteFunc(headers, func(key string, _ []string) bool {
+ _, found := RequestHeaderAllowList[textproto.CanonicalMIMEHeaderKey(key)]
+ return !found
+ })
+ data.RequestHeaders = headers
 }
 
 func parseWebhookResponse(resp *http.Response, id *identity.Identity) (err error) {
diff --git a/selfservice/hook/web_hook_integration_test.go b/selfservice/hook/web_hook_integration_test.go
index ac756961bb7b..cae9659a285c 100644
--- a/selfservice/hook/web_hook_integration_test.go
+++ b/selfservice/hook/web_hook_integration_test.go
@@ -129,10 +129,8 @@ func TestWebHooks(t *testing.T) {
 }
 }`, f.GetID(), req.Method, "http://www.ory.sh/some_end_point")
 if len(req.Header) != 0 {
- var err error
- body, err = sjson.Set(body, "headers", req.Header)
- if err != nil {
- panic(err)
+ if ua := req.Header.Get("User-Agent"); ua != "" {
+ body, _ = sjson.Set(body, "headers.User-Agent", []string{ua})
 }
 }
 
@@ -153,10 +151,8 @@ func TestWebHooks(t *testing.T) {
 "transient_payload": %s
 }`, f.GetID(), s.Identity.ID, req.Method, "http://www.ory.sh/some_end_point", string(tp))
 if len(req.Header) != 0 {
- var err error
- body, err = sjson.Set(body, "headers", req.Header)
- if err != nil {
- panic(err)
+ if ua := req.Header.Get("User-Agent"); ua != "" {
+ body, _ = sjson.Set(body, "headers.User-Agent", []string{ua})
 }
 }
 
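Review bot: The copy made by `maps.Clone` on the first added line is shallow: the `[]string` values in `headers` still alias the slices of the source map, so the rewrite is only race-free because it deletes keys and never writes to a value, and nothing in the code says so. A comment on that line would pin the invariant down for the next editor, e.g. `// Shallow clone: values alias the source map, so only delete keys here, never mutate them.` A doc comment on the function should also record why it no longer filters in place, presumably because the map arrives shared with the in-flight request: `// removeDisallowedHeaders replaces data.RequestHeaders with a filtered copy so the (possibly shared) source map is never written to.` The allowlist lookup, which is the boundary that keeps non-allowlisted request headers out of the webhook payload, is unchanged apart from moving into the DeleteFunc closure.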
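Review bot: `body, _ = sjson.Set(body, "headers.User-Agent", []string{ua})` on the second added line discards the error that the removed code surfaced with `panic(err)`, so a malformed template body would now silently yield a payload without the headers field and the failure would show up somewhere downstream instead of at the cause; the -153 and -178 hunks repeat the same pattern. Either keep the check, `body, err = sjson.Set(body, "headers.User-Agent", []string{ua})` followed by `if err != nil { panic(err) }`, or add a one-line comment justifying the discard (for instance that body is known-valid JSON produced by the Sprintf template, if that is the case). TestWebHooks starts before and ends after this hunk.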
@@ -178,10 +174,8 @@ func TestWebHooks(t *testing.T) {
 "transient_payload": %s
 }`, f.GetID(), s.Identity.ID, s.ID, req.Method, "http://www.ory.sh/some_end_point", string(tp))
 if len(req.Header) != 0 {
- var err error
- body, err = sjson.Set(body, "headers", req.Header)
- if err != nil {
- panic(err)
+ if ua := req.Header.Get("User-Agent"); ua != "" {
+ body, _ = sjson.Set(body, "headers.User-Agent", []string{ua})
 }
 }