From 63df177210839242c771c5c29684bd5253ef1aec Mon Sep 17 00:00:00 2001
From: Chi Wang
Date: Mon, 10 Oct 2022 06:28:26 -0700
Subject: [PATCH] Update GrpcRemoteDownloader to only include relevant headers.
Fixes https://github.com/bazelbuild/bazel/security/advisories/GHSA-mxr8-q875-rhwq.
RELNOTES[INC]: GrpcRemoteDownloader only includes relevant headers instead of sending all credentials.
Closes #16439.
PiperOrigin-RevId: 480069164
Change-Id: I49950311c04d1997d26832431d531a9036efdb18
---
 .../remote/downloader/GrpcRemoteDownloader.java | 15 ++++++++++++---
 .../downloader/GrpcRemoteDownloaderTest.java | 6 ------
 2 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/src/main/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloader.java b/src/main/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloader.java
index 43b2316de00063..d94efdc0c60899 100644
--- a/src/main/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloader.java
+++ b/src/main/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloader.java
@@ -23,6 +23,7 @@
 import build.bazel.remote.execution.v2.RequestMetadata;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Strings;
+import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Iterables;
 import com.google.devtools.build.lib.bazel.repository.downloader.Checksum;
 import com.google.devtools.build.lib.bazel.repository.downloader.Downloader;
@@ -198,7 +199,7 @@ static FetchBlobRequest newFetchBlobRequest(
 requestBuilder.addQualifiers(
 Qualifier.newBuilder()
 .setName(QUALIFIER_AUTH_HEADERS)
- .setValue(authHeadersJson(authHeaders, includeAllHeaders))
+ .setValue(authHeadersJson(urls, authHeaders, includeAllHeaders))
 .build());
 }
@@ -225,9 +226,17 @@ private OutputStream newOutputStream(
 }
 
 private static String authHeadersJson(
- Map>> authHeaders, boolean includeAllHeaders) {
+ List urls, Map>> authHeaders, boolean includeAllHeaders) {
+ ImmutableSet hostSet =
+ urls.stream().map(URL::getHost).collect(ImmutableSet.toImmutableSet());
 Map subObjects = new TreeMap<>();
 for (Map.Entry>> entry : authHeaders.entrySet()) {
+ URI uri = entry.getKey();
+ // Only add headers that are relevant to the hosts.
+ if (!hostSet.contains(uri.getHost())) {
+ continue;
+ }
+
 JsonObject subObject = new JsonObject();
 Map> orderedHeaders = new TreeMap<>(entry.getValue());
 for (Map.Entry> subEntry : orderedHeaders.entrySet()) {
@@ -244,7 +253,7 @@ private static String authHeadersJson(
 }
 }
 }
- subObjects.put(entry.getKey().toString(), subObject);
+ subObjects.put(uri.toString(), subObject);
 }
 
 JsonObject authHeadersJson = new JsonObject();
diff --git a/src/test/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloaderTest.java b/src/test/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloaderTest.java
index 62440310443cad..9ca60e4710bbae 100644
--- a/src/test/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloaderTest.java
+++ b/src/test/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloaderTest.java
@@ -371,9 +371,6 @@ public void testFetchBlobRequest() throws Exception {
 + "\"http://example.com\":{"
 + "\"Another-Header\":\"another header content\","
 + "\"Some-Header\":\"some header content\""
- + "},"
- + "\"http://example.org\":{"
- + "\"Org-Header\":\"org header content\""
 + "}"
 + "}";
 
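Review bot: The host filter added to authHeadersJson matches `uri.getHost()` against the hosts of `urls` by plain string equality, so scheme and port are ignored while letter case is significant: an entry keyed `https://example.com:8443` is still forwarded when only `http://example.com` is requested, whereas a key that differs from the fetched URL only in host-name case is silently dropped (fail-closed, but surprising). Whether the scheme/port looseness matters depends on how the remote asset service applies the qualifier, which this hunk does not show; if the intent is "only credentials for the URLs being fetched", comparing a normalized scheme+host+port tuple would narrow the forwarded set further. The new `urls` parameter and the filtering behaviour are also undocumented; a Javadoc on the method such as `Serializes only those authHeaders entries whose host appears among urls; matching is by host name alone, so scheme, port and letter case are not normalized.` would make the contract explicit to callers. authHeadersJson continues past the end of this hunk.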
@@ -427,9 +424,6 @@ public void testFetchBlobRequestWithAllHeaders() throws Exception {
 + "\"http://example.com\":{"
 + "\"Another-Header\":[\"another header content\",\"even more header content\"],"
 + "\"Some-Header\":[\"some header content\"]"
- + "},"
- + "\"http://example.org\":{"
- + "\"Org-Header\":[\"org header content\",\"and a second one\",\"and a third one\"]"
 + "}"
 + "}";