fix(mmds): Reject X-Forwarded-For in case-insensitive way

As EC2 IMDS does, MMDS denies PUT requests if X-Forwarded-For header is
included, but it was validated only in a case-sensitive way. However, it
is defined that  HTTP headers are case-insensitive. We should deny it
regardless of its case.

Signed-off-by: Takahiro Itazuri <[email protected]>

Author: zulinx86

CHANGELOG.md

@@ -58,6 +58,9 @@ and this project adheres to
 - [#5260](https://github.com/firecracker-microvm/firecracker/pull/5260): Fixed a
   bug allowing the block device to starve all other devices when backed by a
   sufficiently slow drive.
+- [#XXXX](https://github.com/firecracker-microvm/firecracker/pull/XXXX): Fixed
+  MMDS to reject PUT requests containing `X-Forwarded-For` header regardless of
+  its casing (e.g. `x-forwarded-for`).
 
 ## [1.12.0]
 

src/vmm/src/mmds/mod.rs

@@ -235,11 +235,13 @@ fn respond_to_put_request(mmds: &mut Mmds, request: Request) -> Response {
     let custom_headers = request.headers.custom_entries();
 
     // Reject `PUT` requests that contain `X-Forwarded-For` header.
-    if custom_headers.contains_key(REJECTED_HEADER) {
-        let error_msg = RequestError::HeaderError(HttpHeaderError::UnsupportedName(
-            REJECTED_HEADER.to_string(),
-        ))
-        .to_string();
+    if let Some((header, __)) = custom_headers
+        .iter()
+        .find(|(k, _)| k.to_lowercase() == REJECTED_HEADER)
+    {
+        let error_msg =
+            RequestError::HeaderError(HttpHeaderError::UnsupportedName(header.to_string()))
+                .to_string();
         return build_response(
             request.http_version(),
             StatusCode::BadRequest,
@@ -733,19 +735,25 @@ mod tests {
             assert_eq!(actual_response.content_type(), MediaType::PlainText);
 
             // Test unsupported `X-Forwarded-For` header
-            let request = Request::try_from(
-                b"PUT http://169.254.169.254/latest/api/token HTTP/1.0\r\n\
-                  X-Forwarded-For: 203.0.113.195\r\n\r\n",
-                None,
-            )
-            .unwrap();
-            let mut expected_response = Response::new(Version::Http10, StatusCode::BadRequest);
-            expected_response.set_content_type(MediaType::PlainText);
-            expected_response.set_body(Body::new(
-                "Invalid header. Reason: Unsupported header name. Key: X-Forwarded-For".to_string(),
-            ));
-            let actual_response = convert_to_response(mmds.clone(), request);
-            assert_eq!(actual_response, expected_response);
+            for header in ["X-Forwarded-For", "x-forwarded-for", "X-fOrWaRdEd-FoR"] {
+                #[rustfmt::skip]
+                let request = Request::try_from(
+                    format!(
+                        "PUT http://169.254.169.254/latest/api/token HTTP/1.0\r\n\
+                         {header}: 203.0.113.195\r\n\r\n"
+                    )
+                    .as_bytes(),
+                    None,
+                )
+                .unwrap();
+                let mut expected_response = Response::new(Version::Http10, StatusCode::BadRequest);
+                expected_response.set_content_type(MediaType::PlainText);
+                expected_response.set_body(Body::new(format!(
+                    "Invalid header. Reason: Unsupported header name. Key: {header}"
+                )));
+                let actual_response = convert_to_response(mmds.clone(), request);
+                assert_eq!(actual_response, expected_response);
+            }
 
             // Test invalid path
             let request = Request::try_from(

src/vmm/src/mmds/token_headers.rs

@@ -7,7 +7,8 @@ use std::result::Result;
 use micro_http::{HttpHeaderError, RequestError};
 
 /// Header rejected by MMDS.
-pub const REJECTED_HEADER: &str = "X-Forwarded-For";
+/// Defined in lowercase since HTTP headers are case-insensitive.
+pub const REJECTED_HEADER: &str = "x-forwarded-for";
 
 /// `X-metadata-token` header might be used by HTTP clients to specify a token in order to
 /// authenticate to the session. This is used for GET requests issued by the guest to MMDS only.