diff --git a/.changes/next-release/bugfix-AWSSDKforJavav2-f4b7e4d.json b/.changes/next-release/bugfix-AWSSDKforJavav2-f4b7e4d.json
new file mode 100644
index 000000000000..649a11930587
--- /dev/null
+++ b/.changes/next-release/bugfix-AWSSDKforJavav2-f4b7e4d.json
@@ -0,0 +1,6 @@
+{
+ "type": "bugfix",
+ "category": "AWS SDK for Java v2",
+ "contributor": "brandondahler",
+ "description": "X-Forwarded-For headers will no longer be signed during SigV4 authentication"
+}
diff --git a/core/auth/src/main/java/software/amazon/awssdk/auth/signer/internal/AbstractAws4Signer.java b/core/auth/src/main/java/software/amazon/awssdk/auth/signer/internal/AbstractAws4Signer.java
index efced8dfd3d1..ff4921bbd217 100644
--- a/core/auth/src/main/java/software/amazon/awssdk/auth/signer/internal/AbstractAws4Signer.java
+++ b/core/auth/src/main/java/software/amazon/awssdk/auth/signer/internal/AbstractAws4Signer.java
@@ -68,7 +68,7 @@ public abstract class AbstractAws4Signer SIGNER_CACHE = new FifoCache<>(SIGNER_CACHE_MAX_SIZE);
 private static final List LIST_OF_HEADERS_TO_IGNORE_IN_LOWER_CASE =
- Arrays.asList("connection", "x-amzn-trace-id", "user-agent", "expect", "transfer-encoding");
+ Arrays.asList("connection", "x-amzn-trace-id", "user-agent", "expect", "transfer-encoding", "x-forwarded-for");
 protected SdkHttpFullRequest.Builder doSign(SdkHttpFullRequest request, Aws4SignerRequestParams requestParams,
diff --git a/core/auth/src/main/java/software/amazon/awssdk/auth/signer/internal/util/HeaderTransformsHelper.java b/core/auth/src/main/java/software/amazon/awssdk/auth/signer/internal/util/HeaderTransformsHelper.java
index cb6460e31866..8998e98b5593 100644
--- a/core/auth/src/main/java/software/amazon/awssdk/auth/signer/internal/util/HeaderTransformsHelper.java
+++ b/core/auth/src/main/java/software/amazon/awssdk/auth/signer/internal/util/HeaderTransformsHelper.java
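Review bot: The entry `"x-forwarded-for"` is added to LIST_OF_HEADERS_TO_IGNORE_IN_LOWER_CASE without a comment saying why, and the identical literal list is maintained by hand in HeaderTransformsHelper (same constant name) and in V4CanonicalRequest (HEADERS_TO_IGNORE_IN_LOWER_CASE), which this commit had to edit in lockstep. Every name in this list is a header the service will no longer integrity-check, so the reason for each exclusion belongs next to the code; the changelog only says the header is no longer signed, presumably because intermediaries rewrite it in transit, e.g. `// x-forwarded-for: may be rewritten by proxies between client and service, so it cannot be part of the signature`. Consider lifting the three copies into one shared constant, or at least cross-referencing them in a comment, so the core/auth and core/http-auth-aws signers cannot drift apart on the next addition. The enclosing class continues outside the hunk.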
@@ -32,7 +32,7 @@ public final class HeaderTransformsHelper {
 private static final List LIST_OF_HEADERS_TO_IGNORE_IN_LOWER_CASE =
- Arrays.asList("connection", "x-amzn-trace-id", "user-agent", "expect", "transfer-encoding");
+ Arrays.asList("connection", "x-amzn-trace-id", "user-agent", "expect", "transfer-encoding", "x-forwarded-for");
 private HeaderTransformsHelper() {
 }
diff --git a/core/auth/src/test/java/software/amazon/awssdk/auth/signer/Aws4SignerTest.java b/core/auth/src/test/java/software/amazon/awssdk/auth/signer/Aws4SignerTest.java
index fb8b308db303..cfbf3263f0a6 100644
--- a/core/auth/src/test/java/software/amazon/awssdk/auth/signer/Aws4SignerTest.java
+++ b/core/auth/src/test/java/software/amazon/awssdk/auth/signer/Aws4SignerTest.java
@@ -412,4 +412,18 @@ public void TransferEncodingIsNotSigned_NotSigned() {
 "SignedHeaders=host;x-amz-archive-description;x-amz-date, " +
 "Signature=581d0042389009a28d461124138f1fe8eeb8daed87611d2a2b47fd3d68d81d73");
 }
+
+ @Test
+ public void XForwardedForIsNotSigned_NotSigned() {
+ AwsBasicCredentials credentials = AwsBasicCredentials.create("akid", "skid");
+ SdkHttpFullRequest.Builder request = generateBasicRequest();
+ request.putHeader("X-Forwarded-For", "127.0.0.1");
+
+ SdkHttpFullRequest actual = SignerTestUtils.signRequest(signer, request.build(), credentials, "demo", signingOverrideClock, "us-east-1");
+
+ assertThat(actual.firstMatchingHeader("Authorization"))
+ .hasValue("AWS4-HMAC-SHA256 Credential=akid/19810216/us-east-1/demo/aws4_request, " +
+ "SignedHeaders=host;x-amz-archive-description;x-amz-date, " +
+ "Signature=581d0042389009a28d461124138f1fe8eeb8daed87611d2a2b47fd3d68d81d73");
+ }
 }
\ No newline at end of file
diff --git a/core/auth/src/test/java/software/amazon/awssdk/auth/signer/internal/util/HeaderTransformsHelperTest.java b/core/auth/src/test/java/software/amazon/awssdk/auth/signer/internal/util/HeaderTransformsHelperTest.java
index 253a51c5661f..dc24664353f3 100644
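Review bot: XForwardedForIsNotSigned_NotSigned asserts only the Authorization header, so it cannot tell "X-Forwarded-For was excluded from the signature" apart from "X-Forwarded-For was dropped from the request"; if the intent is that the header still reaches the service unsigned, add `assertThat(actual.firstMatchingHeader("X-Forwarded-For")).hasValue("127.0.0.1");` after the Authorization assertion. The expected Authorization value is a verbatim copy of the one in TransferEncodingIsNotSigned_NotSigned just above, which is what proves the header did not enter the canonical request, but nothing says so; a one-line comment such as `// identical to the unmodified basic request: the header must not alter SignedHeaders or the signature` would make the test self-explaining. The same two tests would also be a natural place to share the expected string as a constant rather than repeat the literal.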
--- a/core/auth/src/test/java/software/amazon/awssdk/auth/signer/internal/util/HeaderTransformsHelperTest.java
+++ b/core/auth/src/test/java/software/amazon/awssdk/auth/signer/internal/util/HeaderTransformsHelperTest.java
@@ -37,6 +37,7 @@ void shouldExcludeIgnoredHeadersWhenCanonicalizing() {
 headers.put("user-agent", Collections.singletonList("md/user"));
 headers.put("expect", Collections.singletonList("100-continue"));
 headers.put("transfer-encoding", Collections.singletonList("chunked"));
+ headers.put("x-forwarded-for", Collections.singletonList("127.0.0.1"));
 // Headers that should be included in signing
 headers.put("Content-Type", Collections.singletonList("application/json"));
@@ -56,6 +57,7 @@ void shouldExcludeIgnoredHeadersWhenCanonicalizing() {
 assertFalse(canonicalizedHeaders.containsKey("user-agent"), "Should not contain user-agent header");
 assertFalse(canonicalizedHeaders.containsKey("expect"), "Should not contain expect header");
 assertFalse(canonicalizedHeaders.containsKey("transfer-encoding"), "Should not contain transfer-encoding header");
+ assertFalse(canonicalizedHeaders.containsKey("x-forwarded-for"), "Should not contain x-forwarded-for header");
 }
 }
diff --git a/core/http-auth-aws/src/main/java/software/amazon/awssdk/http/auth/aws/internal/signer/V4CanonicalRequest.java b/core/http-auth-aws/src/main/java/software/amazon/awssdk/http/auth/aws/internal/signer/V4CanonicalRequest.java
index ea9794da5470..4c3501a8ed6a 100644
--- a/core/http-auth-aws/src/main/java/software/amazon/awssdk/http/auth/aws/internal/signer/V4CanonicalRequest.java
+++ b/core/http-auth-aws/src/main/java/software/amazon/awssdk/http/auth/aws/internal/signer/V4CanonicalRequest.java
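Review bot: The new input in shouldExcludeIgnoredHeadersWhenCanonicalizing is seeded with the already-lowercased name `x-forwarded-for`, so this test does not show that the canonical `X-Forwarded-For` spelling — the form the other two new tests in this change use — is also excluded by the helper. If the helper lower-cases header names before checking the ignore list, a single mixed-case entry would document that; otherwise a case-sensitive match here would let the header through unnoticed. Consider `headers.put("X-Forwarded-For", Collections.singletonList("127.0.0.1"));` as the seeded key, with the existing `assertFalse(canonicalizedHeaders.containsKey("x-forwarded-for"), ...)` left as the check. The method body lies between the two hunks and is not visible here.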
@@ -43,7 +43,7 @@
 @Immutable
 public final class V4CanonicalRequest {
 private static final List HEADERS_TO_IGNORE_IN_LOWER_CASE =
- Arrays.asList("connection", "x-amzn-trace-id", "user-agent", "expect", "transfer-encoding");
+ Arrays.asList("connection", "x-amzn-trace-id", "user-agent", "expect", "transfer-encoding", "x-forwarded-for");
 private final SdkHttpRequest request;
 private final String contentHash;
diff --git a/core/http-auth-aws/src/test/java/software/amazon/awssdk/http/auth/aws/internal/signer/V4CanonicalRequestTest.java b/core/http-auth-aws/src/test/java/software/amazon/awssdk/http/auth/aws/internal/signer/V4CanonicalRequestTest.java
index baadbac5f56e..aac795f2f0dc 100644
--- a/core/http-auth-aws/src/test/java/software/amazon/awssdk/http/auth/aws/internal/signer/V4CanonicalRequestTest.java
+++ b/core/http-auth-aws/src/test/java/software/amazon/awssdk/http/auth/aws/internal/signer/V4CanonicalRequestTest.java
@@ -85,6 +85,7 @@ public void canonicalRequest_WithForbiddenHeaders_shouldExcludeForbidden() {
 .putHeader("foo", "bar")
 .putHeader("x-amzn-trace-id", "wontBePresent")
 .putHeader("Transfer-Encoding", "wontBePresent")
+ .putHeader("X-Forwarded-For", "wontBePresent")
 .build();
 V4CanonicalRequest cr = new V4CanonicalRequest(request, "sha-256", new V4CanonicalRequest.Options(true,