chore(cloudfront): check size of Origin Request headers and prevent f…

…orbidden values (aws#13410)

This PR checks the size of Origin Request headers and prevents forbidden values (`Authorization` or `Accept-Encoding`).

Closes aws#13408


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk/aws-cloudfront/lib/origin-request-policy.ts

@@ -121,7 +121,7 @@ export class OriginRequestPolicy extends Resource implements IOriginRequestPolic
 }
 
 /**
- * Ddetermines whether any cookies in viewer requests (and if so, which cookies)
+ * Determines whether any cookies in viewer requests (and if so, which cookies)
  * are included in requests that CloudFront sends to the origin.
  */
 export class OriginRequestCookieBehavior {
@@ -184,6 +184,12 @@ export class OriginRequestHeaderBehavior {
     if (headers.length === 0) {
       throw new Error('At least one header to allow must be provided');
     }
+    if (headers.length > 10) {
+      throw new Error(`Maximum allowed headers in Origin Request Policy is 10; got ${headers.length}.`);
+    }
+    if (/Authorization/i.test(headers.join('|')) || /Accept-Encoding/i.test(headers.join('|'))) {
+      throw new Error('you cannot pass `Authorization` or `Accept-Encoding` as header values; use a CachePolicy to forward these headers instead');
+    }
     return new OriginRequestHeaderBehavior('whitelist', headers);
   }
 

packages/@aws-cdk/aws-cloudfront/test/origin-request-policy.test.ts

@@ -77,6 +77,29 @@ describe('OriginRequestPolicy', () => {
     expect(() => new OriginRequestPolicy(stack, 'OriginRequestPolicy6', { originRequestPolicyName: 'My_Policy' })).not.toThrow();
   });
 
+  test('throws if prohibited headers are being passed', () => {
+    const errorMessage = /you cannot pass `Authorization` or `Accept-Encoding` as header values/;
+    expect(() => new OriginRequestPolicy(stack, 'OriginRequestPolicy1', { headerBehavior: OriginRequestHeaderBehavior.allowList('Authorization') })).toThrow(errorMessage);
+    expect(() => new OriginRequestPolicy(stack, 'OriginRequestPolicy2', { headerBehavior: OriginRequestHeaderBehavior.allowList('Accept-Encoding') })).toThrow(errorMessage);
+    expect(() => new OriginRequestPolicy(stack, 'OriginRequestPolicy3', { headerBehavior: OriginRequestHeaderBehavior.allowList('authorization') })).toThrow(errorMessage);
+    expect(() => new OriginRequestPolicy(stack, 'OriginRequestPolicy4', { headerBehavior: OriginRequestHeaderBehavior.allowList('accept-encoding') })).toThrow(errorMessage);
+    expect(() => new OriginRequestPolicy(stack, 'OriginRequestPolicy5', { headerBehavior: OriginRequestHeaderBehavior.allowList('Foo', 'Authorization', 'Bar') })).toThrow(errorMessage);
+    expect(() => new OriginRequestPolicy(stack, 'OriginRequestPolicy6', { headerBehavior: OriginRequestHeaderBehavior.allowList('Foo', 'Accept-Encoding', 'Bar') })).toThrow(errorMessage);
+
+    expect(() => new OriginRequestPolicy(stack, 'OriginRequestPolicy7', { headerBehavior: OriginRequestHeaderBehavior.allowList('Foo', 'Bar') })).not.toThrow();
+  });
+
+  test('throws if more than 10 OriginRequestHeaderBehavior headers are being passed', () => {
+    const errorMessage = /Maximum allowed headers in Origin Request Policy is 10; got (.*?)/;
+    expect(() => new OriginRequestPolicy(stack, 'OriginRequestPolicy1', {
+      headerBehavior: OriginRequestHeaderBehavior.allowList('Lorem', 'ipsum', 'dolor', 'sit', 'amet', 'consectetur', 'adipiscing', 'elit', 'sed', 'do', 'eiusmod'),
+    })).toThrow(errorMessage);
+
+    expect(() => new OriginRequestPolicy(stack, 'OriginRequestPolicy2', {
+      headerBehavior: OriginRequestHeaderBehavior.allowList('Lorem', 'ipsum', 'dolor', 'sit', 'amet', 'consectetur', 'adipiscing', 'elit', 'sed', 'do'),
+    })).not.toThrow();
+  });
+
   test('does not throw if originRequestPolicyName is a token', () => {
     expect(() => new OriginRequestPolicy(stack, 'CachePolicy', {
       originRequestPolicyName: Aws.STACK_NAME,