
Commit a6fc28c

authored
chore: bring back x-auth-checks with a length limit (coder#19928)
1 parent adb7521 commit a6fc28c

2 files changed

Lines changed: 15 additions & 10 deletions


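--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@@ -489,16 +489,8 @@ func New(options *Options) *API {
 r := chi.NewRouter()
 // We add this middleware early, to make sure that authorization checks made
 // by other middleware get recorded.
-//nolint:revive,staticcheck // This block will be re-enabled, not going to remove it
 if buildinfo.IsDev() {
-// TODO: Find another solution to opt into these checks.
-// If the header grows too large, it breaks `fetch()` requests.
-// Temporarily disabling this until we can find a better solution.
-// One idea is to include checking the request for `X-Authz-Record=true`
-// header. To opt in on a per-request basis.
-// Some authz calls (like filtering lists) might be able to be
-// summarized better to condense the header payload.
-// r.Use(httpmw.RecordAuthzChecks)
+r.Use(httpmw.RecordAuthzChecks)
 }
 
 ctx, cancel := context.WithCancel(context.Background())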

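--- a/coderd/httpapi/authz.go
+++ b/coderd/httpapi/authz.go
@@ -9,6 +9,14 @@ import (
 "github.com/coder/coder/v2/coderd/rbac"
 )
 
+// The x-authz-checks header can end up being >10KB in size on certain queries.
+// Many HTTP clients will fail if a header or the response head as a whole is
+// too long to prevent malicious responses from consuming all of the client's
+// memory. I've seen reports that browsers have this limit as low as 4KB for the
+// entire response head, so we limit this header to a little less than 2KB,
+// ensuring there's still plenty of room for the usual smaller headers.
+const maxHeaderLength = 2000
+
 // This is defined separately in slim builds to avoid importing the rbac
 // package, which is a large dependency.
 func SetAuthzCheckRecorderHeader(ctx context.Context, rw http.ResponseWriter) {
@@ -23,6 +31,11 @@ func SetAuthzCheckRecorderHeader(ctx context.Context, rw http.ResponseWriter) {
 // configured on server startup for development and testing builds.
 // - If this header is missing from a response, make sure the response is
 // being written by calling `httpapi.Write`!
-rw.Header().Set("x-authz-checks", rec.String())
+checks := rec.String()
+if len(checks) > maxHeaderLength {
+checks = checks[:maxHeaderLength]
+checks += "<truncated>"
+}
+rw.Header().Set("x-authz-checks", checks)
 }
 }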
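Review bot: `checks = checks[:maxHeaderLength]` slices at a byte offset, so if rec.String() can contain a multi-byte UTF-8 character (for example a resource name echoed inside a check) the cut may split a rune and the header then carries an invalid byte sequence; whether the recorder output is ASCII-only is not visible from this hunk. A cheap guard is to back off to a rune boundary before appending the marker, e.g. drop one byte while `utf8.DecodeLastRuneInString(checks)` returns `(utf8.RuneError, 1)`. Because truncation also makes the value unparseable past the cut, the comment above the function should state that consumers must treat a `<truncated>` suffix as an incomplete list rather than a malformed one. The constant sits in the shared httpapi package, so a more specific name such as `maxAuthzChecksHeaderLength` would keep it from reading as a general header limit. SetAuthzCheckRecorderHeader's body begins before the second hunk, outside the view.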
