From 17cb6f8d54b8e8bdd1b512ea43fd2cc62475d07c Mon Sep 17 00:00:00 2001
From: robertd <robert.djurasaj@gmail.com>
Date: Thu, 4 Mar 2021 23:10:26 -0700
Subject: [PATCH 1/2] chore(cloudfront): check size of Origin Request headers
 and prevent forbidden values

---
 .../lib/origin-request-policy.ts              |  8 ++++++-
 .../test/origin-request-policy.test.ts        | 23 +++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/packages/@aws-cdk/aws-cloudfront/lib/origin-request-policy.ts b/packages/@aws-cdk/aws-cloudfront/lib/origin-request-policy.ts
index 3d45cf2bc56fb..4bd68842c2646 100644
--- a/packages/@aws-cdk/aws-cloudfront/lib/origin-request-policy.ts
+++ b/packages/@aws-cdk/aws-cloudfront/lib/origin-request-policy.ts
@@ -121,7 +121,7 @@ export class OriginRequestPolicy extends Resource implements IOriginRequestPolic
 }
 
 /**
- * Ddetermines whether any cookies in viewer requests (and if so, which cookies)
+ * Determines whether any cookies in viewer requests (and if so, which cookies)
  * are included in requests that CloudFront sends to the origin.
  */
 export class OriginRequestCookieBehavior {
@@ -184,6 +184,12 @@ export class OriginRequestHeaderBehavior {
     if (headers.length === 0) {
       throw new Error('At least one header to allow must be provided');
     }
+    if (headers.length > 10) {
+      throw new Error(`Maximum allowed headers in Origin Request Policy is 10; got ${headers.length}.`);
+    }
+    if (/Authorization/i.test(headers.join('|')) || /Accept-Encoding/i.test(headers.join('|'))) {
+      throw new Error('You cannot pass `Authorization` or `Accept-Encoding` as header values.');
+    }
     return new OriginRequestHeaderBehavior('whitelist', headers);
   }
 
diff --git a/packages/@aws-cdk/aws-cloudfront/test/origin-request-policy.test.ts b/packages/@aws-cdk/aws-cloudfront/test/origin-request-policy.test.ts
index e719225c4845c..7256e6ccff4cc 100644
--- a/packages/@aws-cdk/aws-cloudfront/test/origin-request-policy.test.ts
+++ b/packages/@aws-cdk/aws-cloudfront/test/origin-request-policy.test.ts
@@ -77,6 +77,29 @@ describe('OriginRequestPolicy', () => {
     expect(() => new OriginRequestPolicy(stack, 'OriginRequestPolicy6', { originRequestPolicyName: 'My_Policy' })).not.toThrow();
   });
 
+  test('throws if prohibited headers are being passed', () => {
+    const errorMessage = /You cannot pass `Authorization` or `Accept-Encoding` as header values./;
+    expect(() => new OriginRequestPolicy(stack, 'OriginRequestPolicy1', { headerBehavior: OriginRequestHeaderBehavior.allowList('Authorization') })).toThrow(errorMessage);
+    expect(() => new OriginRequestPolicy(stack, 'OriginRequestPolicy2', { headerBehavior: OriginRequestHeaderBehavior.allowList('Accept-Encoding') })).toThrow(errorMessage);
+    expect(() => new OriginRequestPolicy(stack, 'OriginRequestPolicy3', { headerBehavior: OriginRequestHeaderBehavior.allowList('authorization') })).toThrow(errorMessage);
+    expect(() => new OriginRequestPolicy(stack, 'OriginRequestPolicy4', { headerBehavior: OriginRequestHeaderBehavior.allowList('accept-encoding') })).toThrow(errorMessage);
+    expect(() => new OriginRequestPolicy(stack, 'OriginRequestPolicy5', { headerBehavior: OriginRequestHeaderBehavior.allowList('Foo', 'Authorization', 'Bar') })).toThrow(errorMessage);
+    expect(() => new OriginRequestPolicy(stack, 'OriginRequestPolicy6', { headerBehavior: OriginRequestHeaderBehavior.allowList('Foo', 'Accept-Encoding', 'Bar') })).toThrow(errorMessage);
+
+    expect(() => new OriginRequestPolicy(stack, 'OriginRequestPolicy7', { headerBehavior: OriginRequestHeaderBehavior.allowList('Foo', 'Bar') })).not.toThrow();
+  });
+
+  test('throws if more than 10 OriginRequestHeaderBehavior headers are being passed', () => {
+    const errorMessage = /Maximum allowed headers in Origin Request Policy is 10; got (.*?)/;
+    expect(() => new OriginRequestPolicy(stack, 'OriginRequestPolicy1', {
+      headerBehavior: OriginRequestHeaderBehavior.allowList('Lorem', 'ipsum', 'dolor', 'sit', 'amet', 'consectetur', 'adipiscing', 'elit', 'sed', 'do', 'eiusmod'),
+    })).toThrow(errorMessage);
+
+    expect(() => new OriginRequestPolicy(stack, 'OriginRequestPolicy2', {
+      headerBehavior: OriginRequestHeaderBehavior.allowList('Lorem', 'ipsum', 'dolor', 'sit', 'amet', 'consectetur', 'adipiscing', 'elit', 'sed', 'do'),
+    })).not.toThrow();
+  });
+
   test('does not throw if originRequestPolicyName is a token', () => {
     expect(() => new OriginRequestPolicy(stack, 'CachePolicy', {
       originRequestPolicyName: Aws.STACK_NAME,

From 4d27f2f7e15bf1189fcdb2108e05ee35d43978e6 Mon Sep 17 00:00:00 2001
From: Nick Lynch <nlynch@amazon.com>
Date: Fri, 5 Mar 2021 10:11:06 +0000
Subject: [PATCH 2/2] Refer users to CachePolicy in error message

---
 packages/@aws-cdk/aws-cloudfront/lib/origin-request-policy.ts   | 2 +-
 .../@aws-cdk/aws-cloudfront/test/origin-request-policy.test.ts  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/packages/@aws-cdk/aws-cloudfront/lib/origin-request-policy.ts b/packages/@aws-cdk/aws-cloudfront/lib/origin-request-policy.ts
index 4bd68842c2646..17e7894e6e84e 100644
--- a/packages/@aws-cdk/aws-cloudfront/lib/origin-request-policy.ts
+++ b/packages/@aws-cdk/aws-cloudfront/lib/origin-request-policy.ts
@@ -188,7 +188,7 @@ export class OriginRequestHeaderBehavior {
       throw new Error(`Maximum allowed headers in Origin Request Policy is 10; got ${headers.length}.`);
     }
     if (/Authorization/i.test(headers.join('|')) || /Accept-Encoding/i.test(headers.join('|'))) {
-      throw new Error('You cannot pass `Authorization` or `Accept-Encoding` as header values.');
+      throw new Error('you cannot pass `Authorization` or `Accept-Encoding` as header values; use a CachePolicy to forward these headers instead');
     }
     return new OriginRequestHeaderBehavior('whitelist', headers);
   }
diff --git a/packages/@aws-cdk/aws-cloudfront/test/origin-request-policy.test.ts b/packages/@aws-cdk/aws-cloudfront/test/origin-request-policy.test.ts
index 7256e6ccff4cc..b342ac434e48e 100644
--- a/packages/@aws-cdk/aws-cloudfront/test/origin-request-policy.test.ts
+++ b/packages/@aws-cdk/aws-cloudfront/test/origin-request-policy.test.ts
@@ -78,7 +78,7 @@ describe('OriginRequestPolicy', () => {
   });
 
   test('throws if prohibited headers are being passed', () => {
-    const errorMessage = /You cannot pass `Authorization` or `Accept-Encoding` as header values./;
+    const errorMessage = /you cannot pass `Authorization` or `Accept-Encoding` as header values/;
     expect(() => new OriginRequestPolicy(stack, 'OriginRequestPolicy1', { headerBehavior: OriginRequestHeaderBehavior.allowList('Authorization') })).toThrow(errorMessage);
     expect(() => new OriginRequestPolicy(stack, 'OriginRequestPolicy2', { headerBehavior: OriginRequestHeaderBehavior.allowList('Accept-Encoding') })).toThrow(errorMessage);
     expect(() => new OriginRequestPolicy(stack, 'OriginRequestPolicy3', { headerBehavior: OriginRequestHeaderBehavior.allowList('authorization') })).toThrow(errorMessage);