fix: prevent Host header bypass vulnerability (#58)

ammario · web-flow · commit 664cd1a715b5 · 2025-09-21T12:09:36.000-05:00
This commit fixes a security vulnerability where an attacker could bypass proxy restrictions by sending requests with mismatched Host headers. The vulnerability allowed sending a request to one domain (e.g., api.anthropic.com) while setting the Host header to another domain (e.g., evil.com), which could cause CDNs like CloudFlare to route the request to the attacker's server. Thank you to @amyb-asu for reporting this in #57
diff --git a/src/proxy.rs b/src/proxy.rs
@@ -72,14 +72,37 @@ pub fn prepare_upstream_request(
     let (mut parts, incoming_body) = req.into_parts();
 
     // Update the URI
-    parts.uri = target_uri;
+    parts.uri = target_uri.clone();
 
     // Remove proxy-specific headers only
     // Don't remove connection-related headers as the client will handle them
     parts.headers.remove("proxy-connection");
     parts.headers.remove("proxy-authorization");
     parts.headers.remove("proxy-authenticate");
 
+    // SECURITY: Ensure the Host header matches the URI to prevent routing bypasses (Issue #57)
+    // This prevents attacks where an attacker sends a request to one domain but sets
+    // the Host header to another domain, potentially bypassing security controls in
+    // CDNs like CloudFlare that route based on the Host header.
+    if let Some(authority) = target_uri.authority() {
+        debug!(
+            "Setting Host header to match URI authority: {}",
+            authority.as_str()
+        );
+        parts.headers.insert(
+            hyper::header::HOST,
+            hyper::header::HeaderValue::from_str(authority.as_str())
+                .unwrap_or_else(|_| hyper::header::HeaderValue::from_static("unknown")),
+        );
+    }
+
+    // TODO: Future improvement - Use the type system to ensure security guarantees
+    // We should eventually refactor this to use types that guarantee all request
+    // information passed to upstream has been validated by the RuleEngine.
+    // For example, we could have a `ValidatedRequest` type that can only be
+    // constructed after passing through rule evaluation, making it impossible
+    // to accidentally forward unvalidated or modified headers to the upstream.
+
     // Convert incoming body to boxed body
     let boxed_request_body = incoming_body.boxed();
 
diff --git a/tests/weak_integration.rs b/tests/weak_integration.rs
@@ -287,3 +287,57 @@ fn test_server_mode() {
     let _ = server.kill();
     let _ = server.wait();
 }
+
+/// Test for Host header security (Issue #57)
+/// Verifies that httpjail corrects mismatched Host headers to prevent
+/// CloudFlare and other CDN routing bypasses.
+#[test]
+fn test_host_header_security() {
+    use std::process::Command;
+
+    // Define the same curl command that attempts to set a mismatched Host header
+    let curl_args = vec![
+        "-s",
+        "-H",
+        "Host: evil.com",
+        "--max-time",
+        "3",
+        "http://httpbin.org/headers",
+    ];
+
+    // Test 1: Direct curl execution (without httpjail) - shows the vulnerability
+    let direct_result = Command::new("curl")
+        .args(&curl_args)
+        .output()
+        .expect("Failed to execute curl directly");
+
+    let direct_stdout = String::from_utf8_lossy(&direct_result.stdout);
+    assert!(
+        direct_stdout.contains("\"Host\": \"evil.com\""),
+        "Direct curl should pass through the evil.com Host header unchanged"
+    );
+
+    // Test 2: Same curl command through httpjail - shows the fix
+    let httpjail_result = HttpjailCommand::new()
+        .weak()
+        .js("true") // Allow all requests
+        .command(vec!["curl"].into_iter().chain(curl_args).collect())
+        .execute();
+
+    assert!(httpjail_result.is_ok(), "Httpjail request should complete");
+    let (exit_code, stdout, _) = httpjail_result.unwrap();
+    assert_eq!(exit_code, 0, "Httpjail request should succeed");
+
+    // Httpjail should have corrected the Host header to match the URI
+    assert!(
+        stdout.contains("\"Host\": \"httpbin.org\""),
+        "Httpjail should correct the Host header to httpbin.org"
+    );
+    assert!(
+        !stdout.contains("\"Host\": \"evil.com\""),
+        "Httpjail should not pass through the evil.com Host header"
+    );
+
+    // This demonstrates that httpjail prevents the Host header bypass attack
+    // that would otherwise be possible with direct curl execution
+}
