Aleksey Shakhmatov
b5259af73e
BearerAuth, BasicAuth and DefaultHeaders mutated the caller's request, which violates the RoundTripper contract and risks races on shared/retried requests; clone before writing headers (matching RequestID). Validate the incoming X-Request-Id (length and character set) before propagating it to logs and the response header, preventing log forging and header splitting from a client-controlled value.
37 lines
1.0 KiB
Go
37 lines
1.0 KiB
Go
package middleware
|
|
|
|
import "net/http"
|
|
|
|
// DefaultHeaders returns a middleware that adds the given headers to every
|
|
// outgoing request. Existing headers on the request are not overwritten.
|
|
func DefaultHeaders(headers http.Header) Middleware {
|
|
return func(next http.RoundTripper) http.RoundTripper {
|
|
return RoundTripperFunc(func(req *http.Request) (*http.Response, error) {
|
|
// Clone lazily on the first header we actually add, so that
|
|
// RoundTrippers never mutate the caller's request.
|
|
cloned := false
|
|
for key, values := range headers {
|
|
if req.Header.Get(key) != "" {
|
|
continue
|
|
}
|
|
if !cloned {
|
|
req = req.Clone(req.Context())
|
|
cloned = true
|
|
}
|
|
for _, v := range values {
|
|
req.Header.Add(key, v)
|
|
}
|
|
}
|
|
return next.RoundTrip(req)
|
|
})
|
|
}
|
|
}
|
|
|
|
// UserAgent returns a middleware that sets the User-Agent header on every
|
|
// outgoing request, unless one is already present.
|
|
func UserAgent(ua string) Middleware {
|
|
return DefaultHeaders(http.Header{
|
|
"User-Agent": {ua},
|
|
})
|
|
}
|