Annotations: Quote auth proxy headers. (#13708)

Co-authored-by: Jan-Otto Kröpke <mail@jkroepke.de>
2025-08-04 08:05:42 -07:00 · 2025-08-04 08:05:42 -07:00 · 5595829164
parent 25999474c2
commit 5595829164
3 changed files with 21 additions and 7 deletions
--- a/internal/ingress/controller/template/template.go
+++ b/internal/ingress/controller/template/template.go
@ -619,8 +619,9 @@ func buildAuthProxySetHeaders(headers map[string]string) []string {
 	}

 	for name, value := range headers {
-		res = append(res, fmt.Sprintf("proxy_set_header '%v' '%v';", name, value))
+		res = append(res, fmt.Sprintf("proxy_set_header %q %q;", name, value))
 	}
+
 	sort.Strings(res)
 	return res
 }
--- a/internal/ingress/controller/template/template_test.go
+++ b/internal/ingress/controller/template/template_test.go
@ -548,12 +548,25 @@ func TestBuildAuthResponseLua(t *testing.T) {

 func TestBuildAuthProxySetHeaders(t *testing.T) {
 	proxySetHeaders := map[string]string{
-		"header1": "value1",
-		"header2": "value2",
+		"Content-Security-Policy": "default-src 'self'; img-src 'self' example.com",
+		"Content-Type":            "application/json; charset=\"utf-8\"",
+		"header1":                 "value1",
+		"header2":                 "value2",
+		"Link":                    "<https://example.com>; rel=\"preload\"; as=\"script\"; crossorigin=\"anonymous\"",
+		"User-Agent":              "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36",
+		"new\rline":               "value1",
+		"newline2":                "valu\ne2",
 	}
+
 	expected := []string{
-		"proxy_set_header 'header1' 'value1';",
-		"proxy_set_header 'header2' 'value2';",
+		`proxy_set_header "Content-Security-Policy" "default-src 'self'; img-src 'self' example.com";`,
+		`proxy_set_header "Content-Type" "application/json; charset=\"utf-8\"";`,
+		`proxy_set_header "Link" "<https://example.com>; rel=\"preload\"; as=\"script\"; crossorigin=\"anonymous\"";`,
+		`proxy_set_header "User-Agent" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36";`,
+		`proxy_set_header "header1" "value1";`,
+		`proxy_set_header "header2" "value2";`,
+		`proxy_set_header "new\rline" "value1";`,
+		`proxy_set_header "newline2" "valu\ne2";`,
 	}

 	headers := buildAuthProxySetHeaders(proxySetHeaders)
--- a/test/e2e/annotations/auth.go
+++ b/test/e2e/annotations/auth.go
@ -308,7 +308,7 @@ var _ = framework.DescribeAnnotation("auth-*", func() {
 			})
 	})

-	ginkgo.It(`should set "proxy_set_header 'My-Custom-Header' '42';" when auth-headers are set`, func() {
+	ginkgo.It(`should set "proxy_set_header "My-Custom-Header" "42";" when auth-headers are set`, func() {
 		host := authHost

 		annotations := map[string]string{
@ -325,7 +325,7 @@ var _ = framework.DescribeAnnotation("auth-*", func() {

 		f.WaitForNginxServer(host,
 			func(server string) bool {
-				return strings.Contains(server, `proxy_set_header 'My-Custom-Header' '42';`)
+				return strings.Contains(server, `proxy_set_header "My-Custom-Header" "42";`)
 			})
 	})