Do not sign X-Forwarded-For header if present on the request

Author: Brandon Dahler

.changes/next-release/bugfix-AWSSDKforJavav2-f4b7e4d.json

@@ -0,0 +1,6 @@
+{
+    "type": "bugfix",
+    "category": "AWS SDK for Java v2",
+    "contributor": "brandondahler",
+    "description": "X-Forwarded-For headers will no longer be signed during SigV4 authentication"
+}

core/auth/src/main/java/software/amazon/awssdk/auth/signer/internal/AbstractAws4Signer.java

@@ -68,7 +68,7 @@ public abstract class AbstractAws4Signer<T extends Aws4SignerParams, U extends A
     private static final FifoCache<SignerKey> SIGNER_CACHE =
         new FifoCache<>(SIGNER_CACHE_MAX_SIZE);
     private static final List<String> LIST_OF_HEADERS_TO_IGNORE_IN_LOWER_CASE =
-        Arrays.asList("connection", "x-amzn-trace-id", "user-agent", "expect", "transfer-encoding");
+        Arrays.asList("connection", "x-amzn-trace-id", "user-agent", "expect", "transfer-encoding", "x-forwarded-for");
 
     protected SdkHttpFullRequest.Builder doSign(SdkHttpFullRequest request,
                                                 Aws4SignerRequestParams requestParams,

core/auth/src/main/java/software/amazon/awssdk/auth/signer/internal/util/HeaderTransformsHelper.java

@@ -32,7 +32,7 @@
 public final class HeaderTransformsHelper {
 
     private static final List<String> LIST_OF_HEADERS_TO_IGNORE_IN_LOWER_CASE =
-        Arrays.asList("connection", "x-amzn-trace-id", "user-agent", "expect", "transfer-encoding");
+        Arrays.asList("connection", "x-amzn-trace-id", "user-agent", "expect", "transfer-encoding", "x-forwarded-for");
 
     private HeaderTransformsHelper() {
     }

core/auth/src/test/java/software/amazon/awssdk/auth/signer/Aws4SignerTest.java

@@ -412,4 +412,18 @@ public void TransferEncodingIsNotSigned_NotSigned() {
                       "SignedHeaders=host;x-amz-archive-description;x-amz-date, " +
                       "Signature=581d0042389009a28d461124138f1fe8eeb8daed87611d2a2b47fd3d68d81d73");
     }
+
+    @Test
+    public void XForwardedForIsNotSigned_NotSigned() {
+        AwsBasicCredentials credentials = AwsBasicCredentials.create("akid", "skid");
+        SdkHttpFullRequest.Builder request = generateBasicRequest();
+        request.putHeader("X-Forwarded-For", "127.0.0.1");
+
+        SdkHttpFullRequest actual = SignerTestUtils.signRequest(signer, request.build(), credentials, "demo", signingOverrideClock, "us-east-1");
+
+        assertThat(actual.firstMatchingHeader("Authorization"))
+            .hasValue("AWS4-HMAC-SHA256 Credential=akid/19810216/us-east-1/demo/aws4_request, " +
+                      "SignedHeaders=host;x-amz-archive-description;x-amz-date, " +
+                      "Signature=581d0042389009a28d461124138f1fe8eeb8daed87611d2a2b47fd3d68d81d73");
+    }
 }

core/auth/src/test/java/software/amazon/awssdk/auth/signer/internal/util/HeaderTransformsHelperTest.java

@@ -37,6 +37,7 @@ void shouldExcludeIgnoredHeadersWhenCanonicalizing() {
         headers.put("user-agent", Collections.singletonList("md/user"));
         headers.put("expect", Collections.singletonList("100-continue"));
         headers.put("transfer-encoding", Collections.singletonList("chunked"));
+        headers.put("x-forwarded-for", Collections.singletonList("127.0.0.1"));
 
         // Headers that should be included in signing
         headers.put("Content-Type", Collections.singletonList("application/json"));
@@ -56,6 +57,7 @@ void shouldExcludeIgnoredHeadersWhenCanonicalizing() {
         assertFalse(canonicalizedHeaders.containsKey("user-agent"), "Should not contain user-agent header");
         assertFalse(canonicalizedHeaders.containsKey("expect"), "Should not contain expect header");
         assertFalse(canonicalizedHeaders.containsKey("transfer-encoding"), "Should not contain transfer-encoding header");
+        assertFalse(canonicalizedHeaders.containsKey("x-forwarded-for"), "Should not contain x-forwarded-for header");
     }
 
 }

core/http-auth-aws/src/main/java/software/amazon/awssdk/http/auth/aws/internal/signer/V4CanonicalRequest.java

@@ -43,7 +43,7 @@
 @Immutable
 public final class V4CanonicalRequest {
     private static final List<String> HEADERS_TO_IGNORE_IN_LOWER_CASE =
-        Arrays.asList("connection", "x-amzn-trace-id", "user-agent", "expect", "transfer-encoding");
+        Arrays.asList("connection", "x-amzn-trace-id", "user-agent", "expect", "transfer-encoding", "x-forwarded-for");
 
     private final SdkHttpRequest request;
     private final String contentHash;

core/http-auth-aws/src/test/java/software/amazon/awssdk/http/auth/aws/internal/signer/V4CanonicalRequestTest.java

@@ -85,6 +85,7 @@ public void canonicalRequest_WithForbiddenHeaders_shouldExcludeForbidden() {
                                                .putHeader("foo", "bar")
                                                .putHeader("x-amzn-trace-id", "wontBePresent")
                                                .putHeader("Transfer-Encoding", "wontBePresent")
+                                               .putHeader("X-Forwarded-For", "wontBePresent")
                                                .build();
         V4CanonicalRequest cr = new V4CanonicalRequest(request, "sha-256",
                                                        new V4CanonicalRequest.Options(true,