Should USERID header and GROUPS header be considered trustworthy or should they be properly sanitized?

[fredmaggiowski]

These two headers are used to create the query used to gather bindings.

Right now they are considered trusted headers as they are generally provided by another service and not directly by the user; however if:

• one is able to forge its own groups/userid value, or
• headers from the outside (e.g. a client invoking the exposed API) are not properly filtered

the user could be able to find more bindings than necessary and thus potentially breach the policies.

I propose to find a way to sanitize those inputs, what do you think?

Tracking issue for:

• https://github.com/rond-authz/rond/security/code-scanning/1

[davidebianchi]

Those headers are supposed to be sanitized by a gateway before rond (as currently used). If this does not happen, this could be a problem.
We should definitely add it to the docs!

We could support different types of headers to validate the input, such as JWT header. In this way, we can ensure the payload is not changed in any way instead of the current plain headers.

Side question: should we add a security label?