fix(edge): remove read-only and blacklisted headers from cloudfront response (#393)

lucasvieirasilva · conico974 · web-flow · commit 6a3c69a2dca6 · 2024-04-01T13:16:30.000+02:00
* fix(edge): remove read-only and blacklisted headers from cloudfront response

* chore: replace console.log to debug

* refactor: code review requests

* revert: package.json

* Create small-knives-hug.md

---------

Co-authored-by: conico974 &lt;nicodorseuil@yahoo.fr&gt;
diff --git a/.changeset/small-knives-hug.md b/.changeset/small-knives-hug.md
@@ -0,0 +1,5 @@
+---
+"open-next": patch
+---
+
+fix(edge): remove read-only and blacklisted headers from cloudfront response
diff --git a/packages/open-next/src/adapters/event-mapper.ts b/packages/open-next/src/adapters/event-mapper.ts
@@ -211,12 +211,62 @@ function convertToApiGatewayProxyResultV2(
   return response;
 }
 
+const CloudFrontBlacklistedHeaders = [
+  // Disallowed headers, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/edge-function-restrictions-all.html#function-restrictions-disallowed-headers
+  "connection",
+  "expect",
+  "keep-alive",
+  "proxy-authenticate",
+  "proxy-authorization",
+  "proxy-connection",
+  "trailer",
+  "upgrade",
+  "x-accel-buffering",
+  "x-accel-charset",
+  "x-accel-limit-rate",
+  "x-accel-redirect",
+  /x-amz-cf-(.*)/,
+  "x-amzn-auth",
+  "x-amzn-cf-billing",
+  "x-amzn-cf-id",
+  "x-amzn-cf-xff",
+  "x-amzn-errortype",
+  "x-amzn-fle-profile",
+  "x-amzn-header-count",
+  "x-amzn-header-order",
+  "x-amzn-lambda-integration-tag",
+  "x-amzn-requestid",
+  /x-edge-(.*)/,
+  "x-cache",
+  "x-forwarded-proto",
+  "x-real-ip",
+
+  // Read-only headers, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/edge-function-restrictions-all.html#function-restrictions-read-only-headers
+  "accept-encoding",
+  "content-length",
+  "if-modified-since",
+  "if-none-match",
+  "if-range",
+  "if-unmodified-since",
+  "transfer-encoding",
+  "via",
+];
+
 function convertToCloudFrontRequestResult(
   result: InternalResult,
 ): CloudFrontRequestResult {
+  debug("result headers", result.headers);
+
   const headers: CloudFrontHeaders = {};
   Object.entries(result.headers)
-    .filter(([key]) => key.toLowerCase() !== "content-length")
+    .filter(
+      ([key]) =>
+        !CloudFrontBlacklistedHeaders.some((header) =>
+          typeof header === "string"
+            ? header === key.toLowerCase()
+            : header.test(key.toLowerCase()),
+        ),
+    )
     .forEach(([key, value]) => {
       if (key === "set-cookie") {
         const cookies = parseCookies(value);
diff --git a/packages/tests-unit/tests/event-mapper.test.ts b/packages/tests-unit/tests/event-mapper.test.ts
@@ -110,5 +110,63 @@ describe("convertTo", () => {
         ],
       });
     });
+
+    describe("blacklisted headers", () => {
+      it("should remove all blacklisted or read-only headers from the response", () => {
+        const response = convertTo({
+          body: "",
+          headers: {
+            Connection: "keep-alive",
+            expect: "100-continue",
+            "keep-Alive": "timeout=5, max=100",
+            "Proxy-Authenticate": "Basic",
+            "proxy-authorization": "Basic",
+            "proxy-connection": "keep-alive",
+            trailer: "Max-Forwards",
+            Upgrade: "HTTP/2.0",
+            "X-accel-buffering": "no",
+            "X-accel-charset": "UTF-8",
+            "x-accel-limit-rate": "1000",
+            "X-accel-redirect": "http://example.com",
+            "X-amz-cf-id": "example",
+            "x-amzn-auth": "example",
+            "x-Amzn-cf-billing": "example",
+            "x-Amzn-cf-id": "example",
+            "x-Amzn-Cf-xff": "example",
+            "x-amzn-Errortype": "example",
+            "x-amzn-fle-Profile": "example",
+            "x-amzn-header-Count": "example",
+            "x-amzn-Header-order": "example",
+            "X-Amzn-Lambda-Integration-tag": "example",
+            "x-amzn-Requestid": "example",
+            "x-edge-Location": "example",
+            "X-Cache": "Hit from cloudfront",
+            "X-Forwarded-proto": "https",
+            "x-Real-ip": "example",
+            "Accept-encoding": "gzip",
+            "content-length": "100",
+            "if-modified-Since": "example",
+            "if-none-match": "example",
+            "if-range": "example",
+            "if-unmodified-since": "example",
+            "transfer-encoding": "example",
+            via: "1.1 abc123.cloudfront.net (CloudFront)",
+            "x-powered-by": "Next.js",
+          },
+          isBase64Encoded: false,
+          statusCode: 200,
+          type: "cf",
+        }) as CloudFrontRequestResult;
+
+        expect(response?.headers).toStrictEqual({
+          "x-powered-by": [
+            {
+              key: "x-powered-by",
+              value: "Next.js",
+            },
+          ],
+        });
+      });
+    });
   });
 });

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"open-next": patch
 +---
++
 +fix(edge): remove read-only and blacklisted headers from cloudfront response