Handle invalid headers (#49524)

Peter Bengtsson · web-flow · commit a194061abff5 · 2024-03-05T17:24:12.000Z
diff --git a/src/shielding/middleware/handle-invalid-headers.js b/src/shielding/middleware/handle-invalid-headers.js
@@ -0,0 +1,31 @@
+import statsd from '#src/observability/lib/statsd.js'
+import { errorCacheControl } from '#src/frame/middleware/cache-control.js'
+
+const STATSD_KEY = 'middleware.handle_invalid_headers'
+
+const INVALID_HEADER_KEYS = [
+  // Next.js will pick this up and override the status code.
+  // We don't want that to happen because `x-invoke-status: 203` can
+  // trigger the CDN to cache it.
+  // It can also trigger a 500 error because the header is not used
+  // correctly.
+  'x-invoke-status',
+]
+
+export default function handleInvalidNextPaths(req, res, next) {
+  const header = INVALID_HEADER_KEYS.find((key) => req.headers[key])
+  if (header) {
+    // This way you can't hammer the backend with invalid requests.
+    // Since the CDN will cache based on the status code not being one
+    // of success, we don't have to worry about this being cached when
+    // the URL is the same but the headers *not invalid*.
+    errorCacheControl(res)
+
+    const tags = [`ip:${req.ip}`, `path:${req.path}`, `header:${header}`]
+    statsd.increment(STATSD_KEY, 1, tags)
+
+    return res.status(400).type('text').send('Invalid request headers')
+  }
+
+  return next()
+}
diff --git a/src/shielding/middleware/index.js b/src/shielding/middleware/index.js
@@ -5,6 +5,7 @@ import handleInvalidPaths from './handle-invalid-paths.js'
 import handleOldNextDataPaths from './handle-old-next-data-paths.js'
 import handleInvalidQuerystringValues from './handle-invalid-query-string-values.js'
 import handleInvalidNextPaths from './handle-invalid-nextjs-paths.js'
+import handleInvalidHeaders from './handle-invalid-headers.js'
 import rateLimit from './rate-limit.js'
 
 const router = express.Router()
@@ -15,5 +16,6 @@ router.use(handleInvalidPaths)
 router.use(handleOldNextDataPaths)
 router.use(handleInvalidQuerystringValues)
 router.use(handleInvalidNextPaths)
+router.use(handleInvalidHeaders)
 
 export default router
diff --git a/src/shielding/tests/invalid-headers.js b/src/shielding/tests/invalid-headers.js
@@ -0,0 +1,16 @@
+import { get } from '#src/tests/helpers/e2etest.js'
+
+describe('invalid headers', () => {
+  test('400 if containing x-invoke-status (instead of redirecting)', async () => {
+    const res = await get('/', { headers: { 'x-invoke-status': '203' } })
+    expect(res.statusCode).toBe(400)
+    expect(res.headers['cache-control']).toMatch('public')
+    expect(res.headers['cache-control']).toMatch(/max-age=[1-9]/)
+  })
+  test('400 if containing x-invoke-status (instead of 200)', async () => {
+    const res = await get('/en', { headers: { 'x-invoke-status': '203' } })
+    expect(res.statusCode).toBe(400)
+    expect(res.headers['cache-control']).toMatch('public')
+    expect(res.headers['cache-control']).toMatch(/max-age=[1-9]/)
+  })
+})
