Bug Description
The OrganisationsController (src/organizations/organizations.controller.ts), JobsController (src/jobs/jobs.controller.ts), and FeedbackController (src/feedback/feedback.controller.ts) pass raw req.headers directly to ProxyService.forward().
The ProxyService.forward() method (src/proxy/proxy.service.ts, lines 24-28) attempts to filter dangerous headers (host, content-length, connection, accept-encoding), but this filtering is applied AFTER the spread - so the forwardedHeaders copy already contains all original headers before deletion.
Impact
- Clients can forge X-Hub-Secret if they guess the header name
- Authorization headers leak between services
- Query params spread as any bypass TypeScript safety
Fix
Apply header whitelist before calling proxy.forward() in every controller.
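One way to apply that whitelist, as an added example and not the project's own code: a small helper each controller calls to build the header map before handing it to proxy.forward(). The ALLOWED_HEADERS set and the sample headers are assumptions; the real set depends on what the downstream services need.

```typescript
// Added example (not from the project): allowlist-based header filtering
// to run in each controller before ProxyService.forward(). The allowlist
// contents are an assumption; adjust to what downstream services require.
type RawHeaders = Record<string, string | string[] | undefined>;
type ForwardableHeaders = Record<string, string>;

// Only headers a downstream service legitimately needs are forwarded.
// Everything else (host, content-length, connection, accept-encoding,
// authorization, and any client-supplied internal header such as
// X-Hub-Secret) is dropped by default instead of being deleted afterwards.
const ALLOWED_HEADERS: ReadonlySet<string> = new Set([
  "content-type",
  "accept",
  "accept-language",
  "user-agent",
  "x-request-id",
]);

// Build the header map to pass to proxy.forward(). Because this is an
// allowlist, a new or unexpected client header is never forwarded unless
// it is explicitly added here.
function pickForwardableHeaders(headers: RawHeaders): ForwardableHeaders {
  const out: ForwardableHeaders = {};
  for (const [rawName, rawValue] of Object.entries(headers)) {
    const name = rawName.toLowerCase();
    if (!ALLOWED_HEADERS.has(name) || rawValue === undefined) continue;
    // Node may deliver repeated headers as string[]; join as HTTP allows.
    out[name] = Array.isArray(rawValue) ? rawValue.join(", ") : rawValue;
  }
  return out;
}

// Constructed sample request headers for a stand-alone run.
const sampleHeaders: RawHeaders = {
  host: "gateway.example",
  "content-type": "application/json",
  "content-length": "42",
  connection: "keep-alive",
  "accept-encoding": "gzip",
  authorization: "Bearer client-token",
  "x-hub-secret": "client-supplied-value",
  "x-request-id": "abc-123",
};

console.log(pickForwardableHeaders(sampleHeaders));
```

Any internal header the proxy layer needs (such as the hub secret) should be set by ProxyService from its own configuration after this step, never copied from the client request.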