X-.. Headers aren't sanitized - Google App Engine

Meet industry peers, ask questions, collaborate to find answers, and connect with Googlers who are making the products you use every day.<\/p>", "imageupload.max_uploaded_images_per_upload" : 100, "imageupload.max_uploaded_images_per_user" : 10000, "integratedprofile.connect_mode" : "", "tkb.toc_maximum_heading_level" : "2", "tkb.toc_heading_list_style" : "disc", "sharedprofile.show_hovercard_score" : true, "config.search_before_post_scope" : "community", "tkb.toc_heading_indent" : "15", "p13n.cta.recommendations_feed_dismissal_timestamp" : -1, "imageupload.max_file_size" : 10024, "layout.show_batch_checkboxes" : false, "integratedprofile.cta_connect_slim_dismissal_timestamp" : -1 }, "isAnonymous" : true, "policies" : { "image-upload.process-and-remove-exif-metadata" : true }, "registered" : false, "emailRef" : "", "id" : -1, "login" : "Former Community Member" }, "Server" : { "communityPrefix" : "/qsqph94282", "nodeChangeTimeStamp" : 1740653277400, "tapestryPrefix" : "/gc", "deviceMode" : "DESKTOP", "responsiveDeviceMode" : "DESKTOP", "membershipChangeTimeStamp" : "0", "version" : "24.12", "branch" : "24.12-release", "showTextKeys" : false }, "Config" : { "phase" : "prod", "integratedprofile.cta.reprompt.delay" : 30, "profileplus.tracking" : { "profileplus.tracking.enable" : false, "profileplus.tracking.click.enable" : false, "profileplus.tracking.impression.enable" : false }, "app.revision" : "2502201706-s7223b55626-b92", "navigation.manager.community.structure.limit" : "1000" }, "Activity" : { "Results" : [ ] }, "NodeContainer" : { "viewHref" : "https://www.googlecloudcommunity.com/gc/Cloud-Forums/ct-p/cloud-forums", "description" : "Get answers to your questions and share your knowledge about the Google Cloud.", "id" : "cloud-forums", "shortTitle" : "Cloud Forums", "title" : "Cloud Forums", "nodeType" : "category" }, "Page" : { "skins" : [ "googlecloud", "theme_hermes", "responsive_peak" ], "authUrls" : { "loginUrl" : "https://www.googlecloudcommunity.com/gc/user/userloginpage?dest_url=https%3A%2F%2Fwww.googlecloudcommunity.com%2Fgc%2FServerless%2FX-Headers-aren-t-sanitized-Google-App-Engine%2Fm-p%2F827404%2Fthread-id%2F4707", "loginUrlNotRegistered" : "https://www.googlecloudcommunity.com/gc/user/userloginpage?redirectreason=notregistered&dest_url=https%3A%2F%2Fwww.googlecloudcommunity.com%2Fgc%2FServerless%2FX-Headers-aren-t-sanitized-Google-App-Engine%2Fm-p%2F827404%2Fthread-id%2F4707", "loginUrlNotRegisteredDestTpl" : "https://www.googlecloudcommunity.com/gc/user/userloginpage?redirectreason=notregistered&dest_url=%7B%7BdestUrl%7D%7D" }, "name" : "ForumTopicPage", "rtl" : false, "object" : { "viewHref" : "/gc/Serverless/X-Headers-aren-t-sanitized-Google-App-Engine/td-p/827404", "subject" : "X-.. Headers aren't sanitized - Google App Engine", "id" : 827404, "page" : "ForumTopicPage", "type" : "Thread" } }, "WebTracking" : { "Activities" : { }, "path" : "Community:Google Cloud Community/Category:Google Cloud/Category:Cloud Forums/Board:Serverless/Message:X-.. Headers aren't sanitized - Google App Engine" }, "Feedback" : { "targeted" : { } }, "Seo" : { "markerEscaping" : { "pathElement" : { "prefix" : "@", "match" : "^[0-9][0-9]$" }, "enabled" : false } }, "TopLevelNode" : { "viewHref" : "https://www.googlecloudcommunity.com/gc/Google-Cloud/ct-p/google-cloud", "description" : "Find answers, ask questions, and connect with our community of experts.", "id" : "google-cloud", "shortTitle" : "Google Cloud", "title" : "Google Cloud", "nodeType" : "category" }, "Community" : { "viewHref" : "https://www.googlecloudcommunity.com/", "integratedprofile.lang_code" : "en", "integratedprofile.country_code" : "US", "id" : "qsqph94282", "shortTitle" : "Google Cloud Community", "title" : "Google Cloud Community" }, "CoreNode" : { "conversationStyle" : "forum", "viewHref" : "https://www.googlecloudcommunity.com/gc/Serverless/bd-p/cloud_serverless", "settings" : { }, "description" : "Explore topics and ask questions about Cloud Run, Cloud Functions, App Engine, Workflows, and Eventarc.", "id" : "cloud_serverless", "shortTitle" : "Serverless", "title" : "Serverless", "nodeType" : "Board", "ancestors" : [ { "viewHref" : "https://www.googlecloudcommunity.com/gc/Cloud-Forums/ct-p/cloud-forums", "description" : "Get answers to your questions and share your knowledge about the Google Cloud.", "id" : "cloud-forums", "shortTitle" : "Cloud Forums", "title" : "Cloud Forums", "nodeType" : "category" }, { "viewHref" : "https://www.googlecloudcommunity.com/gc/Google-Cloud/ct-p/google-cloud", "description" : "Find answers, ask questions, and connect with our community of experts.", "id" : "google-cloud", "shortTitle" : "Google Cloud", "title" : "Google Cloud", "nodeType" : "category" }, { "viewHref" : "https://www.googlecloudcommunity.com/", "description" : "The official home of Google Cloud and Workspace community forums, learning hub, and community blogs.", "id" : "qsqph94282", "shortTitle" : "Google Cloud Community", "title" : "Google Cloud Community", "nodeType" : "Community" } ] } }; LITHIUM.Components.RENDER_URL = "/gc/util/componentrenderpage/component-id/#{component-id}?render_behavior=raw"; LITHIUM.Components.ORIGINAL_PAGE_NAME = 'forums/v5/ForumTopicPage'; LITHIUM.Components.ORIGINAL_PAGE_ID = 'ForumTopicPage'; LITHIUM.Components.ORIGINAL_PAGE_CONTEXT = 'Nx13XGf4o4IRVkKI5Pc1JpIsWeAtThQuAGxqDASr8ZE0TBF4oXY47uvwGZh7ZF0fHp9ODKN6D3Vo8KTZkVJbvJ7T4hoo3xYWPtBzBgSREFQznAK19WYxDIgQ4ID1XnZTmEAfZ2eMn-6Pi5I_R8VtDCxj-_c3RmwRmDLLTX0GdpKj-Pk32YKFBh2-13Yhx4owMpghSvbHiear-2L1FqB_j-O1h4Cd4ckf4UrdrOWo44WzWbOXg3hMBQBPftfl-u2j3LBZeZ9-QRSR64CLP85uPswk_IpDDsBVNEl02k60X0Q9Qj-i7g8Q3aVcXJ-CN7R-dvhBKJgGWeRd36Se9nMhdU-h7O0_VZvbWV3W6Nm0BXGt_4McnFYb83lshNpR5x5YcIK6Lv4SQZwIOmPaENBFhQ..'; LITHIUM.Css = { "BASE_DEFERRED_IMAGE" : "lia-deferred-image", "BASE_BUTTON" : "lia-button", "BASE_SPOILER_CONTAINER" : "lia-spoiler-container", "BASE_TABS_INACTIVE" : "lia-tabs-inactive", "BASE_TABS_ACTIVE" : "lia-tabs-active", "BASE_AJAX_REMOVE_HIGHLIGHT" : "lia-ajax-remove-highlight", "BASE_FEEDBACK_SCROLL_TO" : "lia-feedback-scroll-to", "BASE_FORM_FIELD_VALIDATING" : "lia-form-field-validating", "BASE_FORM_ERROR_TEXT" : "lia-form-error-text", "BASE_FEEDBACK_INLINE_ALERT" : "lia-panel-feedback-inline-alert", "BASE_BUTTON_OVERLAY" : "lia-button-overlay", "BASE_TABS_STANDARD" : "lia-tabs-standard", "BASE_AJAX_INDETERMINATE_LOADER_BAR" : "lia-ajax-indeterminate-loader-bar", "BASE_AJAX_SUCCESS_HIGHLIGHT" : "lia-ajax-success-highlight", "BASE_CONTENT" : "lia-content", "BASE_JS_HIDDEN" : "lia-js-hidden", "BASE_AJAX_LOADER_CONTENT_OVERLAY" : "lia-ajax-loader-content-overlay", "BASE_FORM_FIELD_SUCCESS" : "lia-form-field-success", "BASE_FORM_WARNING_TEXT" : "lia-form-warning-text", "BASE_FORM_FIELDSET_CONTENT_WRAPPER" : "lia-form-fieldset-content-wrapper", "BASE_AJAX_LOADER_OVERLAY_TYPE" : "lia-ajax-overlay-loader", "BASE_FORM_FIELD_ERROR" : "lia-form-field-error", "BASE_SPOILER_CONTENT" : "lia-spoiler-content", "BASE_FORM_SUBMITTING" : "lia-form-submitting", "BASE_EFFECT_HIGHLIGHT_START" : "lia-effect-highlight-start", "BASE_FORM_FIELD_ERROR_NO_FOCUS" : "lia-form-field-error-no-focus", "BASE_EFFECT_HIGHLIGHT_END" : "lia-effect-highlight-end", "BASE_SPOILER_LINK" : "lia-spoiler-link", "FACEBOOK_LOGOUT" : "lia-component-users-action-logout", "BASE_DISABLED" : "lia-link-disabled", "FACEBOOK_SWITCH_USER" : "lia-component-admin-action-switch-user", "BASE_FORM_FIELD_WARNING" : "lia-form-field-warning", "BASE_AJAX_LOADER_FEEDBACK" : "lia-ajax-loader-feedback", "BASE_AJAX_LOADER_OVERLAY" : "lia-ajax-loader-overlay", "BASE_LAZY_LOAD" : "lia-lazy-load" }; LITHIUM.noConflict = true; LITHIUM.useCheckOnline = false; LITHIUM.RenderedScripts = [ "plugin.js", "Lithium.js", "jquery.autocomplete.js", "Cache.js", "jquery.ui.dialog.js", "jquery.viewport-1.0.js", "jquery.ui.mouse.js", "plugin.js", "SearchAutoCompleteToggle.js", "plugin.js", "en.js", "Namespace.js", "jquery.ui.core.js", "MessageEditor.js", "Components.js", "en.js", "PolyfillsAll.js", "plugin.js", "ProductsField.js", "jquery.position-toggle-1.0.js", "jquery.ui.widget.js", "jquery.effects.slide.js", "DropDownMenu.js", "jquery.iframe-transport.js", "LiModernizr.js", "jquery.iframe-shim-1.0.js", "jquery.fileupload.js", "prism.js", "en.js", "ElementQueries.js", "plugin.js", "ElementMethods.js", "ResizeSensor.js", "CookieBannerAlert.js", "aws-sdk.js", "jquery.tools.tooltip-1.2.6.js", "plugin.js", "SearchForm.js", "Sandbox.js", "jquery.css-data-1.0.js", "Link.js", "jquery.function-utils-1.0.js", "jquery.blockui.js", "plugin.js", "jquery.js", "SpoilerToggle.js", "en.js", "jquery.tokeninput-1.6.2.js", "plugin.js", "jquery.delayToggle-1.0.js", "ThreadedDetailMessageList.js", "plugin.js", "jquery.placeholder-2.0.7.js", "TokenInputAutoComplete.js", "api.js", "DropDownMenuVisibilityHandler.js", "Throttle.js", "TinyMceEditor.js", "json2.js", "plugin.js", "plugin.js", "InlineMessageReplyContainer.js", "FieldSet.js", "plugin.js", "theme.js", "plugin.js", "en.js", "EarlyEventCapture.js", "en.js", "NoConflict.js", "MessageBodyDisplay.js", "PartialRenderProxy.js", "jquery.ui.draggable.js", "plugin.js", "plugin.js", "en.js", "Video.js", "Placeholder.js", "BlockEvents.js", "KeepSessionAlive.js", "jquery.effects.core.js", "plugin.js", "jquery.json-2.6.0.js", "en.js", "Events.js", "Globals.js", "jquery.appear-1.1.1.js", "InlineMessageReplyEditor.js", "Loader.js", "plugin.js", "OoyalaPlayer.js", "plugin.js", "InputEditForm.js", "Auth.js", "CustomEvent.js", "plugin.js", "Text.js", "en.js", "en.js", "AutoComplete.js", "Tooltip.js", "HelpIcon.js", "brightcove_uploader.js", "LazyLoadComponent.js", "jquery.lithium-selector-extensions.js", "AjaxSupport.js", "DataHandler.js", "ForceLithiumJQuery.js", "AjaxFeedback.js", "plugin.js", "ReCaptchaV3.js", "InformationBox.js", "plugin.js", "jquery.ui.resizable.js", "jquery.clone-position-1.0.js", "jquery.lithium-toastmessage.js", "UserListActual.js", "jquery.ui.position.js", "tinymce-patched.js", "plugin.js", "jquery.tmpl-1.1.1.js", "jquery.ajax-cache-response-1.0.js", "DeferredImages.js", "Dialog.js", "InlineMessageEditor.js", "plugin.js", "Forms.js", "ActiveCast3.js", "jquery.scrollTo.js", "jquery.hoverIntent-r6.js" ];(function(){LITHIUM.AngularSupport=function(){function g(a,c){a=a||{};for(var b in c)"[object object]"===Object.prototype.toString.call(c[b])?a[b]=g(a[b],c[b]):a[b]=c[b];return a}var d,f,b={coreModule:"li.community",coreModuleDeps:[],noConflict:!0,bootstrapElementSelector:".lia-page .min-width .lia-content",bootstrapApp:!0,debugEnabled:!1,useCsp:!0,useNg2:!1},k=function(){var a;return function(b){a||(a=document.createElement("a"));a.href=b;return a.href}}();LITHIUM.Angular={};return{preventGlobals:LITHIUM.Globals.preventGlobals, restoreGlobals:LITHIUM.Globals.restoreGlobals,init:function(){var a=[],c=document.querySelector(b.bootstrapElementSelector);a.push(b.coreModule);b.customerModules&&0

We are hosting a Google App Engine with a Python Flask project to run our platform. This is secured using IAP, so employees register their work e-mail as a Google account and are appointed the IAP Secured Web App user role to access our platform.

Within the project, once a user is allowed access by being added to the IAP, we differentiate users based on the provided documentation on JWT tokens.

However we also have automated tasks running within the developed platform. To differentiate between a user accessing a route and a cron job acccessing a route we make use of the X-Appengine-Cron header, per the documentation on validating cron requests.

It has now come to our attention that this header is spoofable. E.g. a malicious user (that is part of the IAP) is able to pass the X-Appengine-Cron header (we also tested the X-Forwarded-For and X-Appengine-Queuename headers) and that value will be used. It is not sanitized as is suggested by the documentation of the App Engine.

Although this is not a serious concern considering this is all only possible when part of the IAP (this is not something we hand out lightly), I am wondering if part of our implementation is incorrect or why the documentation suggests something other than what we are seeing.

0 0 225

0 REPLIES 0

never-displayed