From 24a9129153e21bcfd1369823a33cdd8153f50859 Mon Sep 17 00:00:00 2001
From: akakou
Date: Fri, 10 Nov 2023 01:41:38 +0900
Subject: [PATCH] feat: sanitize the headers

---
 core/director.go | 29 ++++++++++++++++++++++++++++-
 core/param.go | 1 +
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/core/director.go b/core/director.go
index 793d1ce..caacbe1 100644
--- a/core/director.go
+++ b/core/director.go
@@ -17,7 +17,8 @@ import (
 func RouteDirector(host string, proxy *TorimaProxy, req *http.Request, c *gin.Context) (bool, error) {
 req.URL.Host = host
- req.Header.Set("User-Agent", "torima")
+ // just to be sure
+ req.Header.Del("X-Torima-Proxy-Token")
 req.Header.Set("X-Torima-Proxy-Token", SECRET)
 req.URL.Scheme = proxy.Config.Scheme
@@ -64,9 +65,35 @@ func ThirdPartyDirector(proxy *TorimaProxy, req *http.Request, c *gin.Context) (
 return CONTINUE, nil
 }
+func SanitizeHeaderDirector(proxy *TorimaProxy, req *http.Request, c *gin.Context) (bool, error) {
+ headers := http.Header{
+ "Host": {proxy.Config.Host},
+ "User-Agent": {"torima"},
+
+ "Content-Type": req.Header["Content-Type"],
+ "Content-Length": req.Header["Content-Length"],
+
+ "Accept": req.Header["Accept"],
+ "Connection": req.Header["Connection"],
+
+ "Accept-Encoding": req.Header["Accept-Encoding"],
+ "Accept-Language": req.Header["Accept-Language"],
+
+ "Cookie": req.Header["Cookie"],
+ }
+
+ req.Header = headers
+
+ return CONTINUE, nil
+
+ }
+
 func AuthDirector(proxy *TorimaProxy, req *http.Request, c *gin.Context) (bool, error) {
 user, err := gin_ninsho.LoadUser[ninsho.LINE_USER](c)
+ // just to be sure
+ req.Header.Del("X-Torima-UserID")
+
 if err != nil {
 err = makeError(err, "failed to get user from session: ")
 return FINISHED, err
diff --git a/core/param.go b/core/param.go
index 164eef1..84ceae1 100644
--- a/core/param.go
+++ b/core/param.go 
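Review bot: The added `req.Header.Del("X-Torima-Proxy-Token")` in RouteDirector is a no-op, because `Header.Set` on the very next line already replaces every existing value for that key, and when the request has passed through SanitizeHeaderDirector's allowlist the header cannot be present anyway. Either drop the two added lines and keep only the `Set`, or replace the `// just to be sure` comment with one that states the actual intent, e.g. `// Set replaces all client-supplied values; a forged token can never survive this line`. Removing the `User-Agent` line here also means RouteDirector now relies on SanitizeHeaderDirector having run earlier in the chain; a caller that invokes RouteDirector outside DEFAULT_DIRECTORS would presumably send no `torima` user agent, which is worth a sentence in the function comment. RouteDirector's body continues outside the hunk.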
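Review bot: The `"Host": {proxy.Config.Host}` entry in SanitizeHeaderDirector never reaches the upstream: net/http writes the outgoing Host header from `req.Host` (falling back to `req.URL.Host`) and skips the `Host` key of the header map, and if these run as httputil.ReverseProxy directors the outbound request inherits the inbound `req.Host` unless a director changes it. If the intent is to present `proxy.Config.Host` upstream, replace the map entry with `req.Host = proxy.Config.Host`. The allowlist also forwards the client's entire `Cookie` header; if that cookie jar carries the session that AuthDirector reads through gin_ninsho, the proxy's own session cookie is sent to every upstream, presumably including the third-party ones ThirdPartyDirector routes to, so consider stripping that cookie by name or documenting on the function why it must pass through. AuthDirector's body continues outside the hunk.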
@@ -12,6 +12,7 @@ var SECRET = readEnv("TORIMA_SECRET", randomString(32))
 /* other */
 var DEFAULT_DIRECTORS = []TorimaDirector{
 BeforeLogDirector,
+ SanitizeHeaderDirector,
 AuthDirector,
 DefaultRouteDirector,
 ThirdPartyDirector,
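Review bot: The position of `SanitizeHeaderDirector` in DEFAULT_DIRECTORS carries an ordering constraint the list does not state: it replaces `req.Header` wholesale, so any director that sets a header (AuthDirector's `X-Torima-UserID` and the `X-Torima-Proxy-Token` set through RouteDirector, presumably via DefaultRouteDirector) must come after it or its header is silently dropped. Only BeforeLogDirector runs before it, which looks intentional, but a later reorder would revert the sanitization without any compile or test failure. A comment on the entry would pin this down: `SanitizeHeaderDirector, // replaces req.Header wholesale; keep before every director that sets headers`.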