From 17002b168847a36852f4ebda5e8e2e583c27bfb3 Mon Sep 17 00:00:00 2001
From: Tommy Markley
Date: Wed, 30 Jun 2021 23:41:19 +0000
Subject: [PATCH] Removes `osd-name` from response headers

Addresses a potential security risk where the header could be used for targeted attacks.

Signed-off-by: Tommy Markley
---
 .../lifecycle_handlers.test.ts             | 17 ++--------
 .../server/http/lifecycle_handlers.test.ts | 34 -------------------
 src/core/server/http/lifecycle_handlers.ts | 13 +------
 3 files changed, 4 insertions(+), 60 deletions(-)

diff --git a/src/core/server/http/integration_tests/lifecycle_handlers.test.ts b/src/core/server/http/integration_tests/lifecycle_handlers.test.ts
index 638ffbe131b9..1f03eb387f74 100644
--- a/src/core/server/http/integration_tests/lifecycle_handlers.test.ts
+++ b/src/core/server/http/integration_tests/lifecycle_handlers.test.ts
@@ -48,7 +48,6 @@ const pkg = require('../../../../../package.json');
 const actualVersion = pkg.version;
 const versionHeader = 'osd-version';
 const xsrfHeader = 'osd-xsrf';
-const nameHeader = 'osd-name';
 const whitelistedTestPath = '/xsrf/test/route/whitelisted';
 const xsrfDisabledTestPath = '/xsrf/test/route/disabled';
 const opensearchDashboardsName = 'my-opensearch-dashboards-name';
@@ -137,22 +136,12 @@ describe('core lifecycle handlers', () => {
       await server.start();
     });
 
-    it('adds the osd-name header', async () => {
+    it('does not add the osd-name header', async () => {
       const result = await supertest(innerServer.listener).get(testRoute).expect(200, 'ok');
       const headers = result.header as Record;
       expect(headers).toEqual(
-        expect.objectContaining({
-          [nameHeader]: opensearchDashboardsName,
-        })
-      );
-    });
-
-    it('adds the osd-name header in case of error', async () => {
-      const result = await supertest(innerServer.listener).get(testErrorRoute).expect(400);
-      const headers = result.header as Record;
-      expect(headers).toEqual(
-        expect.objectContaining({
-          [nameHeader]: opensearchDashboardsName,
+        expect.not.objectContaining({
+          'osd-name': opensearchDashboardsName,
         })
       );
     });
diff --git a/src/core/server/http/lifecycle_handlers.test.ts b/src/core/server/http/lifecycle_handlers.test.ts
index 3de9d14d566f..fcaca4f32b27 100644
--- a/src/core/server/http/lifecycle_handlers.test.ts
+++ b/src/core/server/http/lifecycle_handlers.test.ts
@@ -259,16 +259,6 @@ describe('customHeaders pre-response handler', () => {
     toolkit = httpServerMock.createToolkit();
   });
 
-  it('adds the osd-name header to the response', () => {
-    const config = createConfig({ name: 'my-server-name' });
-    const handler = createCustomHeadersPreResponseHandler(config as HttpConfig);
-
-    handler({} as any, {} as any, toolkit);
-
-    expect(toolkit.next).toHaveBeenCalledTimes(1);
-    expect(toolkit.next).toHaveBeenCalledWith({ headers: { 'osd-name': 'my-server-name' } });
-  });
-
   it('adds the custom headers defined in the configuration', () => {
     const config = createConfig({
       name: 'my-server-name',
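Review bot: The rewritten assertion `expect.not.objectContaining({ 'osd-name': opensearchDashboardsName })` only proves the header is not set to that one value, so a response that still carries `osd-name` with some other value (for example one supplied through `customResponseHeaders`) would pass; `expect(headers).not.toHaveProperty('osd-name');` pins the absence that the test name promises. The error-path case (`testErrorRoute`, status 400) is deleted rather than converted, so there is no longer any coverage that the header is also absent on error responses; a mirrored `it('does not add the osd-name header in case of error', ...)` with the same negative assertion would close that gap. The enclosing describe block starts outside the hunk.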
@@ -284,30 +274,6 @@ describe('customHeaders pre-response handler', () => {
     expect(toolkit.next).toHaveBeenCalledTimes(1);
     expect(toolkit.next).toHaveBeenCalledWith({
       headers: {
-        'osd-name': 'my-server-name',
-        headerA: 'value-A',
-        headerB: 'value-B',
-      },
-    });
-  });
-
-  it('preserve the osd-name value from server.name if definied in custom headders ', () => {
-    const config = createConfig({
-      name: 'my-server-name',
-      customResponseHeaders: {
-        'osd-name': 'custom-name',
-        headerA: 'value-A',
-        headerB: 'value-B',
-      },
-    });
-    const handler = createCustomHeadersPreResponseHandler(config as HttpConfig);
-
-    handler({} as any, {} as any, toolkit);
-
-    expect(toolkit.next).toHaveBeenCalledTimes(1);
-    expect(toolkit.next).toHaveBeenCalledWith({
-      headers: {
-        'osd-name': 'my-server-name',
         headerA: 'value-A',
         headerB: 'value-B',
       },
diff --git a/src/core/server/http/lifecycle_handlers.ts b/src/core/server/http/lifecycle_handlers.ts
index 56d57bafe0ae..bba51804c302 100644
--- a/src/core/server/http/lifecycle_handlers.ts
+++ b/src/core/server/http/lifecycle_handlers.ts
@@ -39,7 +39,6 @@ import { LifecycleRegistrar } from './http_server';
 
 const VERSION_HEADER = 'osd-version';
 const XSRF_HEADER = 'osd-xsrf';
-const OPENSEARCH_DASHBOARDS_NAME_HEADER = 'osd-name';
 
 export const createXsrfPostAuthHandler = (config: HttpConfig): OnPostAuthHandler => {
   const { whitelist, disableProtection } = config.xsrf;
@@ -88,17 +87,7 @@ export const createVersionCheckPostAuthHandler = (
 };
 
 export const createCustomHeadersPreResponseHandler = (config: HttpConfig): OnPreResponseHandler => {
-  const serverName = config.name;
-  const customHeaders = config.customResponseHeaders;
-
-  return (request, response, toolkit) => {
-    const additionalHeaders = {
-      ...customHeaders,
-      [OPENSEARCH_DASHBOARDS_NAME_HEADER]: serverName,
-    };
-
-    return toolkit.next({ headers: additionalHeaders });
-  };
+  return (request, response, toolkit) => toolkit.next({ headers: config.customResponseHeaders });
 };
 
 export const registerCoreHandlers = (
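Review bot: The new one-line handler forwards `config.customResponseHeaders` untouched, so an `osd-name` entry configured under `customResponseHeaders` is now emitted verbatim where the removed spread always overwrote it with `config.name`; the header is gone only for the default configuration, and with the 'preserve the osd-name value' test deleted nothing guards that key any more. If the intent is that the name header never leaves the server, the handler should drop that key (or config validation should reject it) rather than rely on operators not setting it, unless validation elsewhere already does so — that is not visible here. The function also loses all documentation; a TSDoc header such as `/** Pre-response handler that emits server.customResponseHeaders verbatim; core no longer injects osd-name, which was removed to avoid exposing the server name. */` would record for the next reader why the header disappeared. Whether `customResponseHeaders` can be undefined is not visible in this hunk; if it can, `toolkit.next({ headers: config.customResponseHeaders ?? {} })` keeps the previous always-an-object behaviour of the spread.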