fix: concurrent map update for webhook header (#4055)

ory · Aug 26, 2024 · 6ceb2f1 · 6ceb2f1
1 parent 2a6e220
commit 6ceb2f1
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 17 deletions.
diff --git a/internal/client-go/go.sum b/internal/client-go/go.sum
@@ -4,6 +4,7 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e h1:bRhVy7zSSasaqNksaRZiA5EEI+Ei4I1nO5Jh72wfHlg=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

diff --git a/selfservice/hook/web_hook.go b/selfservice/hook/web_hook.go
@@ -21,6 +21,7 @@ import (
 	"go.opentelemetry.io/otel/codes"
 	semconv "go.opentelemetry.io/otel/semconv/v1.11.0"
 	"go.opentelemetry.io/otel/trace"
+	"golang.org/x/exp/maps"
 	grpccodes "google.golang.org/grpc/codes"
 
 	"github.com/ory/herodot"
@@ -448,11 +449,12 @@ var RequestHeaderAllowList = map[string]struct{}{
 }
 
 func removeDisallowedHeaders(data *templateContext) {
-	for key := range data.RequestHeaders {
-		if _, ok := RequestHeaderAllowList[textproto.CanonicalMIMEHeaderKey(key)]; !ok {
-			data.RequestHeaders.Del(key)
-		}
-	}
+	headers := maps.Clone(data.RequestHeaders)
+	maps.DeleteFunc(headers, func(key string, _ []string) bool {
+		_, found := RequestHeaderAllowList[textproto.CanonicalMIMEHeaderKey(key)]
+		return !found
+	})
+	data.RequestHeaders = headers
 }
 
 func parseWebhookResponse(resp *http.Response, id *identity.Identity) (err error) {

diff --git a/selfservice/hook/web_hook_integration_test.go b/selfservice/hook/web_hook_integration_test.go
@@ -129,10 +129,8 @@ func TestWebHooks(t *testing.T) {
 					}
 				}`, f.GetID(), req.Method, "http://www.ory.sh/some_end_point")
 		if len(req.Header) != 0 {
-			var err error
-			body, err = sjson.Set(body, "headers", req.Header)
-			if err != nil {
-				panic(err)
+			if ua := req.Header.Get("User-Agent"); ua != "" {
+				body, _ = sjson.Set(body, "headers.User-Agent", []string{ua})
 			}
 		}
 
@@ -153,10 +151,8 @@ func TestWebHooks(t *testing.T) {
 					"transient_payload": %s
 				}`, f.GetID(), s.Identity.ID, req.Method, "http://www.ory.sh/some_end_point", string(tp))
 		if len(req.Header) != 0 {
-			var err error
-			body, err = sjson.Set(body, "headers", req.Header)
-			if err != nil {
-				panic(err)
+			if ua := req.Header.Get("User-Agent"); ua != "" {
+				body, _ = sjson.Set(body, "headers.User-Agent", []string{ua})
 			}
 		}
 
@@ -178,10 +174,8 @@ func TestWebHooks(t *testing.T) {
 					"transient_payload": %s
 				}`, f.GetID(), s.Identity.ID, s.ID, req.Method, "http://www.ory.sh/some_end_point", string(tp))
 		if len(req.Header) != 0 {
-			var err error
-			body, err = sjson.Set(body, "headers", req.Header)
-			if err != nil {
-				panic(err)
+			if ua := req.Header.Get("User-Agent"); ua != "" {
+				body, _ = sjson.Set(body, "headers.User-Agent", []string{ua})
 			}
 		}