security: Remove insecure custom headers (#10244)

Background: https://github.com/google/security-research/security/advisories/GHSA-76wf-9vgp-pj7w Remove these custom headers from incoming and outgoing requests.
2025-11-07 12:52:58 -05:00 · 2020-08-11 08:29:29 -07:00
parent 9179cdfc9d
commit f8f290e848
8 changed files with 42 additions and 0 deletions
--- a/cmd/crypto/header.go
+++ b/cmd/crypto/header.go
@@ -21,6 +21,8 @@ import (
 	"encoding/json"
 	"net/http"
 	"strings"
+
+	xhttp "github.com/minio/minio/cmd/http"
 )

 // SSEHeader is the general AWS SSE HTTP header key.
@@ -81,6 +83,8 @@ const (
 func RemoveSensitiveHeaders(h http.Header) {
 	h.Del(SSECKey)
 	h.Del(SSECopyKey)
+	h.Del(xhttp.AmzMetaUnencryptedContentLength)
+	h.Del(xhttp.AmzMetaUnencryptedContentMD5)
 }

 // IsRequested returns true if the HTTP headers indicates
--- a/cmd/crypto/header_test.go
+++ b/cmd/crypto/header_test.go
@@ -457,6 +457,16 @@ var removeSensitiveHeadersTests = []struct {
 			"X-Amz-Meta-Test-1": []string{"Test-1"},
 		},
 	},
+	{ // https://github.com/google/security-research/security/advisories/GHSA-76wf-9vgp-pj7w
+		Header: http.Header{
+			"X-Amz-Meta-X-Amz-Unencrypted-Content-Md5":    []string{"value"},
+			"X-Amz-Meta-X-Amz-Unencrypted-Content-Length": []string{"value"},
+			"X-Amz-Meta-Test-1":                           []string{"Test-1"},
+		},
+		ExpectedHeader: http.Header{
+			"X-Amz-Meta-Test-1": []string{"Test-1"},
+		},
+	},
 }

 func TestRemoveSensitiveHeaders(t *testing.T) {
--- a/cmd/crypto/metadata.go
+++ b/cmd/crypto/metadata.go
@@ -19,6 +19,7 @@ import (
 	"encoding/base64"
 	"errors"

+	xhttp "github.com/minio/minio/cmd/http"
 	"github.com/minio/minio/cmd/logger"
 )

@@ -38,6 +39,8 @@ func IsMultiPart(metadata map[string]string) bool {
 func RemoveSensitiveEntries(metadata map[string]string) { // The functions is tested in TestRemoveSensitiveHeaders for compatibility reasons
 	delete(metadata, SSECKey)
 	delete(metadata, SSECopyKey)
+	delete(metadata, xhttp.AmzMetaUnencryptedContentLength)
+	delete(metadata, xhttp.AmzMetaUnencryptedContentMD5)
 }

 // RemoveSSEHeaders removes all crypto-specific SSE