fix(websocket): prevent ws headers leaking to the subgraph ws connect…

…ion (#1149) (#1293)
wundergraph · Oct 20, 2024 · c27558f · c27558f
1 parent c14a01c
commit c27558f
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 0 deletions.
diff --git a/router-tests/websocket_test.go b/router-tests/websocket_test.go
@@ -1975,4 +1975,37 @@ func TestWebSockets(t *testing.T) {
 			}
 		})
 	})
+
+	t.Run("websocket negotiation headers should not leak down", func(t *testing.T) {
+		t.Parallel()
+		testenv.Run(t, &testenv.Config{
+			RouterOptions: []core.Option{core.WithHeaderRules(config.HeaderRules{
+				All: &config.GlobalHeaderRule{
+					Request: []*config.RequestHeaderRule{
+						{
+							Operation: config.HeaderRuleOperationPropagate,
+							Matching:  ".*",
+						},
+					},
+				},
+			})},
+		}, func(t *testing.T, xEnv *testenv.Environment) {
+			conn := xEnv.InitGraphQLWebSocketConnection(nil, nil, nil)
+			err := conn.WriteJSON(testenv.WebSocketMessage{
+				ID:      "1",
+				Type:    "subscribe",
+				Payload: []byte(`{"query":"subscription { currentTime { unixTime } }"}`),
+			})
+			require.NoError(t, err)
+
+			var res testenv.WebSocketMessage
+			err = conn.ReadJSON(&res)
+			require.NoError(t, err)
+			require.Equal(t, "next", res.Type)
+			require.Equal(t, "1", res.ID)
+
+			require.NoError(t, conn.Close())
+			xEnv.WaitForSubscriptionCount(0, time.Second*5)
+		})
+	})
 }
diff --git a/router/core/header_rule_engine.go b/router/core/header_rule_engine.go
@@ -43,6 +43,12 @@ var (
 		"Accept-Encoding",
 		"Accept-Charset",
 		"Accept",
+
+		// Web Socket negotiation headers. We must never propagate the client headers to the upstream.
+		"Sec-Websocket-Extensions",
+		"Sec-Websocket-Key",
+		"Sec-Websocket-Protocol",
+		"Sec-Websocket-Version",
 	}
 )