forked from molecule-ai/molecule-core
479b172b25
The canvas proxy was forwarding all headers verbatim to the Next.js process.
Workspace bearer tokens sent by agents (e.g. during an A2A call that hit a
canvas-side route) could reach unvalidated Next.js handlers and be echoed back
to an attacker via an error page or a debug endpoint.
Fix: Director now calls Header.Del("Authorization") + Header.Del("Cookie")
before forwarding. Non-credential headers (Accept, X-Request-Id, etc.) are
unaffected — the strip is surgical.
Four unit tests added (strips Authorization, strips Cookie, forwards other
headers, strips both simultaneously).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
57 lines
1.9 KiB
Go
57 lines
1.9 KiB
Go
package router
|
|
|
|
import (
|
|
"log"
|
|
"net/http"
|
|
"net/http/httputil"
|
|
"net/url"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
)
|
|
|
|
// newCanvasProxy returns a Gin handler that reverse-proxies all unmatched
|
|
// routes to the canvas Next.js server. Used in the combined tenant image
|
|
// (Dockerfile.tenant) where Go platform (:8080) and canvas (:3000) run in
|
|
// the same container.
|
|
//
|
|
// The proxy forwards the request path, query, and headers as-is. The Host
|
|
// header is rewritten to the canvas upstream so Next.js doesn't reject it
|
|
// (Next.js checks Host in dev mode). Response headers from canvas flow back
|
|
// to the client unchanged.
|
|
//
|
|
// Security: Authorization and Cookie headers are stripped before forwarding.
|
|
// Workspace bearer tokens must not reach the Next.js process — canvas has no
|
|
// token-validation logic and an unpatched Next.js route could echo them back
|
|
// to an attacker via an error page or debug endpoint (issue #451).
|
|
//
|
|
// Why NoRoute + proxy instead of nginx: one fewer process, one fewer config
|
|
// file, and the Go router already knows which routes are API routes. Any
|
|
// path not registered as an API route is a canvas page by elimination.
|
|
func newCanvasProxy(targetURL string) gin.HandlerFunc {
|
|
target, err := url.Parse(targetURL)
|
|
if err != nil {
|
|
log.Fatalf("canvas_proxy: invalid CANVAS_PROXY_URL %q: %v", targetURL, err)
|
|
}
|
|
|
|
proxy := &httputil.ReverseProxy{
|
|
Director: func(req *http.Request) {
|
|
req.URL.Scheme = target.Scheme
|
|
req.URL.Host = target.Host
|
|
req.Host = target.Host
|
|
// N2 (issue #451): strip credential headers — workspace bearer
|
|
// tokens and session cookies must not reach the canvas process.
|
|
req.Header.Del("Authorization")
|
|
req.Header.Del("Cookie")
|
|
},
|
|
ErrorHandler: func(w http.ResponseWriter, _ *http.Request, err error) {
|
|
log.Printf("canvas_proxy: %v", err)
|
|
w.WriteHeader(http.StatusBadGateway)
|
|
w.Write([]byte("canvas unavailable"))
|
|
},
|
|
}
|
|
|
|
return func(c *gin.Context) {
|
|
proxy.ServeHTTP(c.Writer, c.Request)
|
|
}
|
|
}
|