Update GrpcRemoteDownloader to only include relevant headers. (#16450)

Fixes https://github.com/bazelbuild/bazel/security/advisories/GHSA-mxr8-q875-rhwq.

RELNOTES[INC]: GrpcRemoteDownloader only includes relevant headers instead of sending all credentials.

Closes #16439.

PiperOrigin-RevId: 480069164
Change-Id: I49950311c04d1997d26832431d531a9036efdb18

Co-authored-by: kshyanashree <109167932+kshyanashree@users.noreply.github.com>
diff --git a/src/main/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloader.java b/src/main/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloader.java
index c3456eb..da81887 100644
--- a/src/main/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloader.java
+++ b/src/main/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloader.java
@@ -23,6 +23,7 @@
 import build.bazel.remote.execution.v2.RequestMetadata;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Strings;
+import com.google.common.collect.ImmutableSet;
 import com.google.devtools.build.lib.bazel.repository.downloader.Checksum;
 import com.google.devtools.build.lib.bazel.repository.downloader.Downloader;
 import com.google.devtools.build.lib.bazel.repository.downloader.HashOutputStream;
@@ -171,7 +172,7 @@
       requestBuilder.addQualifiers(
           Qualifier.newBuilder()
               .setName(QUALIFIER_AUTH_HEADERS)
-              .setValue(authHeadersJson(authHeaders))
+              .setValue(authHeadersJson(urls, authHeaders))
               .build());
     }
 
@@ -197,15 +198,24 @@
     return out;
   }
 
-  private static String authHeadersJson(Map<URI, Map<String, String>> authHeaders) {
+  private static String authHeadersJson(
+      List<URL> urls, Map<URI, Map<String, String>> authHeaders) {
+    ImmutableSet<String> hostSet =
+        urls.stream().map(URL::getHost).collect(ImmutableSet.toImmutableSet());
     Map<String, JsonObject> subObjects = new TreeMap<>();
     for (Map.Entry<URI, Map<String, String>> entry : authHeaders.entrySet()) {
+      URI uri = entry.getKey();
+      // Only add headers that are relevant to the hosts.
+      if (!hostSet.contains(uri.getHost())) {
+        continue;
+      }
+
       JsonObject subObject = new JsonObject();
       Map<String, String> orderedHeaders = new TreeMap<>(entry.getValue());
       for (Map.Entry<String, String> subEntry : orderedHeaders.entrySet()) {
         subObject.addProperty(subEntry.getKey(), subEntry.getValue());
       }
-      subObjects.put(entry.getKey().toString(), subObject);
+      subObjects.put(uri.toString(), subObject);
     }
 
     JsonObject authHeadersJson = new JsonObject();
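Review bot: The filter `hostSet.contains(uri.getHost())` in authHeadersJson matches on host name alone, so a credential keyed to another scheme or port on the same host (for example an `https://` entry when only an `http://` URL is requested) is still serialized into the auth-headers qualifier and forwarded. If authHeaders can hold such entries, compare scheme and port as well, or at least state the contract in the comment, e.g. `// Match on host only: scheme, port and path are ignored, and the comparison is case-sensitive.` Neither `URL.getHost()` nor `URI.getHost()` normalizes case, so a differently cased host is dropped rather than leaked, which fails safe but may surprise callers. The method body continues past the end of this hunk.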
diff --git a/src/test/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloaderTest.java b/src/test/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloaderTest.java
index 6990764..6995ca91 100644
--- a/src/test/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloaderTest.java
+++ b/src/test/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloaderTest.java
@@ -320,9 +320,6 @@
             + "\"http://example.com\":{"
             + "\"Another-Header\":\"another header content\","
             + "\"Some-Header\":\"some header content\""
-            + "},"
-            + "\"http://example.org\":{"
-            + "\"Org-Header\":\"org header content\""
             + "}"
             + "}";