From f28c54ada33cd7612bb63061c70f06d4a9d23cca Mon Sep 17 00:00:00 2001
From: Evgeni Golov
Date: Thu, 15 Aug 2024 11:39:48 +0200
Subject: [PATCH] Unset all possible dash/underscore combinations of REMOTE_USER

While the backend will always see underscores, as dashes are not permitted in environment variables that are used to pass these along, the frontend should always filter all possible notations, as otherwise an attacker could set the "REMOTE-USER" header which gets passed as "REMOTE_USER" unfiltered. Do the same for REMOTE_USER_* to avoid sneaking in groups that the user does not belong to and other user preferences. This however is only a theoretical attack vector once you can't spoof the REMOTE_USER variable anymore.

(cherry picked from commit 80f12290f87d523b9cd01f0164009936fc609865)
---
 manifests/config/apache.pp | 13 +++++++++++
 spec/classes/foreman_config_apache_spec.rb | 26 ++++++++++++++++++++++
 2 files changed, 39 insertions(+)

diff --git a/manifests/config/apache.pp b/manifests/config/apache.pp
index 59ce4ea6e..9aa561ed7 100644
--- a/manifests/config/apache.pp
+++ b/manifests/config/apache.pp
@@ -119,10 +119,23 @@
 String[1] $keycloak_app_name = 'foreman-openidc',
 String[1] $keycloak_realm = 'ssl-realm',
 Array[String[1]] $request_headers_to_unset = [
+ 'REMOTE-USER',
 'REMOTE_USER',
+ 'REMOTE-USER-EMAIL',
+ 'REMOTE-USER_EMAIL',
+ 'REMOTE_USER-EMAIL',
 'REMOTE_USER_EMAIL',
+ 'REMOTE-USER-FIRSTNAME',
+ 'REMOTE-USER_FIRSTNAME',
+ 'REMOTE_USER-FIRSTNAME',
 'REMOTE_USER_FIRSTNAME',
+ 'REMOTE-USER-LASTNAME',
+ 'REMOTE-USER_LASTNAME',
+ 'REMOTE_USER-LASTNAME',
 'REMOTE_USER_LASTNAME',
+ 'REMOTE-USER-GROUPS',
+ 'REMOTE-USER_GROUPS',
+ 'REMOTE_USER-GROUPS',
 'REMOTE_USER_GROUPS',
 ],
 ) {
diff --git a/spec/classes/foreman_config_apache_spec.rb b/spec/classes/foreman_config_apache_spec.rb
index 5b8f73f16..d85b771a4 100644
--- a/spec/classes/foreman_config_apache_spec.rb
+++ b/spec/classes/foreman_config_apache_spec.rb
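Review bot: The new default for `$request_headers_to_unset` is a hand-enumerated denylist of 20 spellings, and the property the commit message relies on — that no client-supplied header reaches the backend under a REMOTE_USER or REMOTE_USER_* name — only holds while every future REMOTE_USER_<X> variable is added here in all four dash/underscore spellings; the parameter's `@param` documentation in the class header (outside the hunk, as is the rest of the class definition) says nothing about this. I would add to that doc: `# Every dash/underscore spelling of REMOTE_USER and REMOTE_USER_* must stay listed: a client-sent REMOTE-USER header would otherwise reach the backend as REMOTE_USER, so an override of this parameter must keep all variants.` Because overriding the parameter replaces the whole default, a consumer that sets it to a shorter list silently reopens the spoofing path; a safer shape would keep the REMOTE_USER* entries unconditionally in the manifest body and let `$request_headers_to_unset` only extend that list, but that changes the parameter's meaning and is beyond this fix. HTTP header field names are case-insensitive, so mixed-case spellings such as `Remote-User` need no separate entries.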
@@ -56,10 +56,23 @@
 'set SSL_CLIENT_S_DN ""',
 'set SSL_CLIENT_CERT ""',
 'set SSL_CLIENT_VERIFY ""',
+ 'unset REMOTE-USER',
 'unset REMOTE_USER',
+ 'unset REMOTE-USER-EMAIL',
+ 'unset REMOTE-USER_EMAIL',
+ 'unset REMOTE_USER-EMAIL',
 'unset REMOTE_USER_EMAIL',
+ 'unset REMOTE-USER-FIRSTNAME',
+ 'unset REMOTE-USER_FIRSTNAME',
+ 'unset REMOTE_USER-FIRSTNAME',
 'unset REMOTE_USER_FIRSTNAME',
+ 'unset REMOTE-USER-LASTNAME',
+ 'unset REMOTE-USER_LASTNAME',
+ 'unset REMOTE_USER-LASTNAME',
 'unset REMOTE_USER_LASTNAME',
+ 'unset REMOTE-USER-GROUPS',
+ 'unset REMOTE-USER_GROUPS',
+ 'unset REMOTE_USER-GROUPS',
 'unset REMOTE_USER_GROUPS'
 ])
 .with_proxy_pass(
@@ -192,10 +205,23 @@ class { 'apache':
 'set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"',
 'set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"',
 'set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"',
+ 'unset REMOTE-USER',
 'unset REMOTE_USER',
+ 'unset REMOTE-USER-EMAIL',
+ 'unset REMOTE-USER_EMAIL',
+ 'unset REMOTE_USER-EMAIL',
 'unset REMOTE_USER_EMAIL',
+ 'unset REMOTE-USER-FIRSTNAME',
+ 'unset REMOTE-USER_FIRSTNAME',
+ 'unset REMOTE_USER-FIRSTNAME',
 'unset REMOTE_USER_FIRSTNAME',
+ 'unset REMOTE-USER-LASTNAME',
+ 'unset REMOTE-USER_LASTNAME',
+ 'unset REMOTE_USER-LASTNAME',
 'unset REMOTE_USER_LASTNAME',
+ 'unset REMOTE-USER-GROUPS',
+ 'unset REMOTE-USER_GROUPS',
+ 'unset REMOTE_USER-GROUPS',
 'unset REMOTE_USER_GROUPS'
 ])
 .with_ssl_proxyengine(true)
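Review bot: Both spec hunks (`@@ -56` and `@@ -192`) paste the same 20-entry literal of `unset` directives into two `with_request_headers` expectations, so the next REMOTE_USER_* variant has to be added in three places (the manifest default and both examples) and a divergence between the two examples would go unnoticed. A single `let(:remote_user_unsets) { [...] }` holding the list once, spliced into each expectation with `*remote_user_unsets`, keeps the guard exact while giving the spec one source of truth; the `it` blocks and the `with_request_headers([` call that these arrays belong to start outside the hunk. Pinning the exact list rather than using a looser `include` matcher is the right choice here, since the test's purpose is to catch a missing spelling, so I would not relax it.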