fix: prevent panic when sanitize is enabled without forwardClientIDHe… (#7162)

guoard · web-flow · commit cdf70372a77c · 2025-10-08T16:38:41.000-07:00
fix: prevent panic when sanitize is enabled without forwardClientIDHeader

Signed-off-by: Ali Afsharzadeh &lt;afsharzadeh8@gmail.com&gt;
diff --git a/internal/xds/translator/api_key_auth.go b/internal/xds/translator/api_key_auth.go
@@ -160,8 +160,8 @@ func buildAPIKeyAuthFilterConfig(apiKeyAuth *ir.APIKeyAuth) *apikeyauthv3.ApiKey
 	sanitize := ptr.Deref(apiKeyAuth.Sanitize, false)
 	if clientIDHeader != "" || sanitize {
 		apiKeyAuthProto.Forwarding = &apikeyauthv3.Forwarding{
-			Header:          *apiKeyAuth.ForwardClientIDHeader,
-			HideCredentials: ptr.Deref(apiKeyAuth.Sanitize, false),
+			Header:          clientIDHeader,
+			HideCredentials: sanitize,
 		}
 	}
 
diff --git a/release-notes/current.yaml b/release-notes/current.yaml
@@ -32,6 +32,7 @@ bug fixes: |
   Fixed service account token handling in GatewayNamespaceMode to use SDS for properly refreshing expired token.
   Fixed handling of regex meta characters in prefix match replace for URL rewrite.
   Disabled the default emission of `x-envoy-ratelimited` headers from the rate limit filter; re-enable with the `enableEnvoyHeaders` setting in ClientTrafficPolicy.
+  Fixed a nil pointer panic in the XDS translator when building API key authentication filter configurations with `sanitize` enabled and no `forwardClientIDHeader` set.
   Truncated Gateway API status condition messages to stay within Kubernetes limits and prevent update failures.
 
 # Enhancements that improve performance.
diff --git a/test/e2e/testdata/api-key-auth.yaml b/test/e2e/testdata/api-key-auth.yaml
@@ -167,3 +167,37 @@ spec:
     credentialRefs:
       - name: "api-key-auth-users-secret-1"
       - name: "api-key-auth-users-secret-2"
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-with-api-key-auth-header-sanitized-without-forward-client-id-header
+  namespace: gateway-conformance-infra
+spec:
+  parentRefs:
+    - name: same-namespace
+  rules:
+    - matches:
+        - path:
+            type: Exact
+            value: /api-key-auth-header-sanitized
+      backendRefs:
+        - name: infra-backend-v1
+          port: 8080
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: SecurityPolicy
+metadata:
+  name: api-key-auth-header-sanitized-without-forward-client-id-header
+  namespace: gateway-conformance-infra
+spec:
+  targetRefs:
+    - group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      name: http-with-api-key-auth-header-sanitized-without-forward-client-id-header
+  apiKeyAuth:
+    extractFrom:
+      - headers: ["X-API-KEY"]
+    credentialRefs:
+      - name: "api-key-auth-users-secret-1"
+    sanitize: true
diff --git a/test/e2e/tests/api_key_auth.go b/test/e2e/tests/api_key_auth.go
@@ -209,6 +209,56 @@ var APIKeyAuthTest = suite.ConformanceTest{
 				Namespace: ns,
 			}
 
+			http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse)
+		})
+		t.Run("api-key auth with header sanitized without forward client id header", func(t *testing.T) {
+			ns := "gateway-conformance-infra"
+			routeNN := types.NamespacedName{Name: "http-with-api-key-auth-header-sanitized-without-forward-client-id-header", Namespace: ns}
+			gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}
+			gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
+
+			ancestorRef := gwapiv1a2.ParentReference{
+				Group:     gatewayapi.GroupPtr(gwapiv1.GroupName),
+				Kind:      gatewayapi.KindPtr(resource.KindGateway),
+				Namespace: gatewayapi.NamespacePtr(gwNN.Namespace),
+				Name:      gwapiv1.ObjectName(gwNN.Name),
+			}
+			SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "api-key-auth-header-sanitized-without-forward-client-id-header", Namespace: ns}, suite.ControllerName, ancestorRef)
+
+			expectedResponse := http.ExpectedResponse{
+				Request: http.Request{
+					Path: "/api-key-auth-header-sanitized",
+					Headers: map[string]string{
+						"X-API-KEY": "key1",
+					},
+				},
+				ExpectedRequest: &http.ExpectedRequest{
+					Request: http.Request{
+						Path: "/api-key-auth-header-sanitized",
+					},
+					AbsentHeaders: []string{"X-API-KEY"},
+				},
+				Response: http.Response{
+					StatusCode: 200,
+				},
+				Namespace: ns,
+			}
+
+			http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse)
+
+			expectedResponse = http.ExpectedResponse{
+				Request: http.Request{
+					Path: "/api-key-auth-header-sanitized",
+					Headers: map[string]string{
+						"X-API-KEY": "invalid",
+					},
+				},
+				Response: http.Response{
+					StatusCode: 401,
+				},
+				Namespace: ns,
+			}
+
 			http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse)
 		})
 	},

Original file line number	Diff line number	Diff line change
`@@ -160,8 +160,8 @@ func buildAPIKeyAuthFilterConfig(apiKeyAuth ir.APIKeyAuth) apikeyauthv3.ApiKey`
`160`	`160`	`sanitize := ptr.Deref(apiKeyAuth.Sanitize, false)`
`161`	`161`	`if clientIDHeader != "" \|\| sanitize {`
`162`	`162`	`apiKeyAuthProto.Forwarding = &apikeyauthv3.Forwarding{`
`163`		`- Header: *apiKeyAuth.ForwardClientIDHeader,`
`164`		`- HideCredentials: ptr.Deref(apiKeyAuth.Sanitize, false),`
	`163`	`+ Header: clientIDHeader,`
	`164`	`+ HideCredentials: sanitize,`
`165`	`165`	`}`
`166`	`166`	`}`
`167`	`167`