fix(mmds): Reject X-Forwarded-For in case-insensitive way

zulinx86 · zulinx86 · commit abc69476ef0e · 2025-07-16T12:33:49.000+01:00
As EC2 IMDS does, MMDS denies PUT requests if X-Forwarded-For header is
included, but it was validated only in a case-sensitive way. However, it
is defined that  HTTP headers are case-insensitive. We should deny it
regardless of its case.

Signed-off-by: Takahiro Itazuri &lt;itazur@amazon.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -69,6 +69,9 @@ and this project adheres to
 - [#4207](https://github.com/firecracker-microvm/firecracker/issues/4207): Fixed
   GSI numbering on aarch64 to correctly allow up to 96 devices being attached
   simultaneously.
+- [#5290](https://github.com/firecracker-microvm/firecracker/pull/5290): Fixed
+  MMDS to reject PUT requests containing `X-Forwarded-For` header regardless of
+  its casing (e.g. `x-forwarded-for`).
 
 ## [1.12.0]
 
diff --git a/src/vmm/src/mmds/mod.rs b/src/vmm/src/mmds/mod.rs
@@ -22,8 +22,9 @@ use crate::logger::{IncMetric, METRICS};
 use crate::mmds::data_store::{Mmds, MmdsDatastoreError as MmdsError, MmdsVersion, OutputFormat};
 use crate::mmds::token::PATH_TO_TOKEN;
 use crate::mmds::token_headers::{
-    REJECTED_HEADER, X_AWS_EC2_METADATA_TOKEN_HEADER, X_AWS_EC2_METADATA_TOKEN_SSL_SECONDS_HEADER,
-    X_METADATA_TOKEN_HEADER, X_METADATA_TOKEN_TTL_SECONDS_HEADER, get_header_value_pair,
+    X_AWS_EC2_METADATA_TOKEN_HEADER, X_AWS_EC2_METADATA_TOKEN_SSL_SECONDS_HEADER,
+    X_FORWARDED_FOR_HEADER, X_METADATA_TOKEN_HEADER, X_METADATA_TOKEN_TTL_SECONDS_HEADER,
+    get_header_value_pair,
 };
 
 #[rustfmt::skip]
@@ -242,11 +243,10 @@ fn respond_to_put_request(mmds: &mut Mmds, request: Request) -> Response {
     let custom_headers = request.headers.custom_entries();
 
     // Reject `PUT` requests that contain `X-Forwarded-For` header.
-    if custom_headers.contains_key(REJECTED_HEADER) {
-        let error_msg = RequestError::HeaderError(HttpHeaderError::UnsupportedName(
-            REJECTED_HEADER.to_string(),
-        ))
-        .to_string();
+    if let Some((header, _)) = get_header_value_pair(custom_headers, &[X_FORWARDED_FOR_HEADER]) {
+        let error_msg =
+            RequestError::HeaderError(HttpHeaderError::UnsupportedName(header.to_string()))
+                .to_string();
         return build_response(
             request.http_version(),
             StatusCode::BadRequest,
@@ -754,19 +754,25 @@ mod tests {
             assert_eq!(actual_response.content_type(), MediaType::PlainText);
 
             // Test unsupported `X-Forwarded-For` header
-            let request = Request::try_from(
-                b"PUT http://169.254.169.254/latest/api/token HTTP/1.0\r\n\
-                  X-Forwarded-For: 203.0.113.195\r\n\r\n",
-                None,
-            )
-            .unwrap();
-            let mut expected_response = Response::new(Version::Http10, StatusCode::BadRequest);
-            expected_response.set_content_type(MediaType::PlainText);
-            expected_response.set_body(Body::new(
-                "Invalid header. Reason: Unsupported header name. Key: X-Forwarded-For".to_string(),
-            ));
-            let actual_response = convert_to_response(mmds.clone(), request);
-            assert_eq!(actual_response, expected_response);
+            for header in ["X-Forwarded-For", "x-forwarded-for", "X-fOrWaRdEd-FoR"] {
+                #[rustfmt::skip]
+                let request = Request::try_from(
+                    format!(
+                        "PUT http://169.254.169.254/latest/api/token HTTP/1.0\r\n\
+                         {header}: 203.0.113.195\r\n\r\n"
+                    )
+                    .as_bytes(),
+                    None,
+                )
+                .unwrap();
+                let mut expected_response = Response::new(Version::Http10, StatusCode::BadRequest);
+                expected_response.set_content_type(MediaType::PlainText);
+                expected_response.set_body(Body::new(format!(
+                    "Invalid header. Reason: Unsupported header name. Key: {header}"
+                )));
+                let actual_response = convert_to_response(mmds.clone(), request);
+                assert_eq!(actual_response, expected_response);
+            }
 
             // Test invalid path
             let request = Request::try_from(
diff --git a/src/vmm/src/mmds/token_headers.rs b/src/vmm/src/mmds/token_headers.rs
@@ -3,9 +3,8 @@
 
 use std::collections::HashMap;
 
-/// Header rejected by MMDS.
-pub const REJECTED_HEADER: &str = "X-Forwarded-For";
-
+// `X-Forwarded-For`
+pub(crate) const X_FORWARDED_FOR_HEADER: &str = "x-forwarded-for";
 // `X-metadata-token`
 pub(crate) const X_METADATA_TOKEN_HEADER: &str = "x-metadata-token";
 // `X-aws-ec2-metadata-token`
