Skip to content

fix: scope Ory-Base-URL-Rewrite* headers to Ory-bound requests#446

Open
aeneasr wants to merge 2 commits into
masterfrom
aeneasr/verify-ory-proxy-apikey-leak
Open

fix: scope Ory-Base-URL-Rewrite* headers to Ory-bound requests#446
aeneasr wants to merge 2 commits into
masterfrom
aeneasr/verify-ory-proxy-apikey-leak

Conversation

@aeneasr

@aeneasr aeneasr commented Jul 16, 2026

Copy link
Copy Markdown
Member

The ory proxy/ory tunnel reverse proxy attached the Ory-No-Custom-Domain-Redirect, Ory-Base-URL-Rewrite, and Ory-Base-URL-Rewrite-Token headers to every outbound request, including those forwarded to the developer's own upstream application. The last header carries the temporary project API key, which is only consumed by Ory and has no reason to reach the upstream. This change scopes all three headers to Ory-bound requests only (extracting the request middleware into a testable reqMiddleware function) and adds a regression test that pins the behavior. Tunnel mode is unaffected, since its upstream is Ory, so every request still takes the Ory branch.

Related Issue or Design Document

This was raised via a HackerOne report. It is not an exploitable vulnerability (the upstream is the developer's own app, the tool is development-only, and the temporary key is short-lived and auto-deleted on shutdown), so it is triaged as informational. This PR is a defense-in-depth / hygiene hardening: don't send a credential to a destination that doesn't need it.

Checklist

  • I have read the contributing guidelines and signed the CLA.
  • I have referenced an issue containing the design document if my change introduces a new feature.
  • I have read the security policy.
  • I confirm that this pull request does not address a security vulnerability. If this pull request addresses a security vulnerability, I confirm that I got approval (please contact security@ory.com) from the maintainers to push the changes.
  • I have added tests that prove my fix is effective or that my feature works.
  • I have added the necessary documentation within the code base (if appropriate).

Further comments

The header-scoping logic was extracted from an inline closure in runReverseProxy into a package-level reqMiddleware(conf, oryURL, apiKey) function purely to make it unit-testable, since the proxy package previously had zero test coverage and runReverseProxy blocks on ListenAndServe. The new test was confirmed to fail against the pre-fix code and pass after the fix.

Summary by CodeRabbit

  • Bug Fixes

    • Improved reverse-proxy behavior for Ory-bound and upstream requests.
    • Prevented spoofed or rewrite-related Ory headers from being forwarded upstream.
    • Applied Ory header injection only when appropriate, and corrected forwarded host rewriting when enabled.
  • Tests

    • Added coverage for Ory header injection, upstream request handling, spoofing/sanitization behavior, and host rewriting scenarios.

The ory proxy/tunnel reverse proxy attached the Ory-No-Custom-Domain-Redirect,
Ory-Base-URL-Rewrite, and Ory-Base-URL-Rewrite-Token headers to every outbound
request, including those forwarded to the developer's own upstream app. The
last header carries a temporary project API key, which is only consumed by Ory
and has no reason to reach the upstream. Scope these headers to Ory-bound
requests only as a defense-in-depth hardening, and add a regression test.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 306a4aad-940b-46ec-b181-df358479956c

📥 Commits

Reviewing files that changed from the base of the PR and between 7aa57bf and 6081a85.

📒 Files selected for processing (2)
  • cmd/cloudx/proxy/helpers.go
  • cmd/cloudx/proxy/helpers_test.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • cmd/cloudx/proxy/helpers.go

📝 Walkthrough

Walkthrough

The reverse-proxy request middleware was extracted into reqMiddleware, wired into proxy configuration, and tested for Ory routing, upstream routing, host rewriting, and rewrite-header sanitization.

Changes

Proxy middleware

Layer / File(s) Summary
Extract and wire request middleware
cmd/cloudx/proxy/helpers.go
The reusable middleware removes incoming rewrite headers, applies Ory routing headers and host changes, optionally rewrites forwarded host values, and replaces the inline proxy middleware wiring.
Validate middleware behavior
cmd/cloudx/proxy/helpers_test.go
Tests cover Ory-bound and upstream-bound requests, optional host rewriting, spoofed-header removal, empty-token sanitization, and API-key token replacement.

Estimated code review effort: 3 (Moderate) | ~20 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly matches the change: scoping Ory rewrite headers to Ory-bound requests.
Description check ✅ Passed The description includes the big-picture summary, related report context, checklist items, and follow-up comments per the template.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch aeneasr/verify-ory-proxy-apikey-leak

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@aeneasr aeneasr left a comment

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/cloudx/proxy/helpers.go`:
- Around line 300-318: Update the proxy rewrite handler returned by the
surrounding function to remove all incoming Ory-No-Custom-Domain-Redirect,
Ory-Base-URL-Rewrite, and Ory-Base-URL-Rewrite-Token headers before the
host-specific logic. Then retain the existing selective header setting,
including only setting the token when apiKey is non-empty.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: db446403-fff8-47b7-b646-8044f97f0bae

📥 Commits

Reviewing files that changed from the base of the PR and between f9247ab and 7aa57bf.

📒 Files selected for processing (2)
  • cmd/cloudx/proxy/helpers.go
  • cmd/cloudx/proxy/helpers_test.go

Comment thread cmd/cloudx/proxy/helpers.go
Prevents clients from spoofing Ory-Base-URL-Rewrite*, Ory-Base-URL-Rewrite-Token,
and Ory-No-Custom-Domain-Redirect headers. Spoofed headers would otherwise be
forwarded unchanged to the developer's upstream app, or — when no API key is
configured — passed through to Ory.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant