Describe the bug
When a request wrapped by StrictServerWebExchangeFirewall / StrictFirewallHttpRequest is mutated, the header sanitization provided by StrictFirewallHttpHeaders is removed.

This is due to the fact that:
- The HttpHeaders#writableHttpHeaders implementation is weird: instead of retrieving and copying the header values, it unwraps the innermost multi-value map and uses it in a new (mutable) HttpHeaders instance.
- The mutated request uses these new HttpHeaders and does not invoke the HTTP headers from the delegate.

Expected behavior
The mutated request should be protected by StrictFirewallHttpHeaders sanitization.

Comment From: MichalStehlikCz
This test illustrates the described behaviour:

    @Test
    void getMutatedFirewalledExchangeGetHeaderWhenNotAllowedHeaderNameThenException() {
        // Reject any header whose name is "bad name".
        this.firewall.setAllowedHeaderNames((name) -> !name.equals("bad name"));
        ServerWebExchange exchange = getFirewalledExchange();
        // Mutate the request without changing anything, then rebuild the exchange around it.
        ServerWebExchange mutatedExchange = exchange.mutate()
                .request(exchange.getRequest().mutate().build())
                .build();
        HttpHeaders headers = mutatedExchange.getRequest().getHeaders();
        // The firewall check is expected to still apply to the mutated request's headers.
        assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> headers.get("bad name"));
    }
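
The mechanism described in this report, reduced to a plain-Java model: an added example, not Spring Security code and not part of the original issue. The classes `Headers` and `StrictHeaders` and the methods `writableByUnwrapping` and `writableKeepingChecks` are hypothetical stand-ins, and the "copy and re-attach" variant is only one way to keep the check in this model, not the project's fix.

```java
import java.util.*;
import java.util.function.Predicate;
public class UnwrapBypassDemo {
    // Hypothetical plain header container (not a Spring class).
    static class Headers {
        final Map<String, List<String>> map;
        Headers(Map<String, List<String>> map) { this.map = map; }
        List<String> get(String name) { return map.get(name); }
    }

    // Hypothetical firewall wrapper: rejects disallowed names on every read.
    static class StrictHeaders extends Headers {
        final Predicate<String> allowedName;
        StrictHeaders(Map<String, List<String>> map, Predicate<String> allowedName) {
            super(map);
            this.allowedName = allowedName;
        }
        @Override
        List<String> get(String name) {
            if (!allowedName.test(name)) {
                throw new IllegalArgumentException("rejected header name: " + name);
            }
            return super.get(name);
        }
    }

    // Pattern from the report: reuse the innermost map, so the wrapper's get() is bypassed.
    static Headers writableByUnwrapping(Headers h) {
        return new Headers(h.map);
    }

    // One way to keep the check in this model: copy the data, re-attach the predicate.
    static Headers writableKeepingChecks(StrictHeaders h) {
        Map<String, List<String>> copy = new HashMap<>();
        h.map.forEach((k, v) -> copy.put(k, new ArrayList<>(v)));
        return new StrictHeaders(copy, h.allowedName);
    }

    static boolean rejects(Headers h, String name) {
        try { h.get(name); return false; } catch (IllegalArgumentException e) { return true; }
    }
    public static void main(String[] args) {
        Map<String, List<String>> raw = new HashMap<>(Map.of("bad name", List.of("x"))); // constructed sample
        StrictHeaders strict = new StrictHeaders(raw, name -> !name.equals("bad name"));
        System.out.println("wrapped:   rejected=" + rejects(strict, "bad name"));
        System.out.println("unwrapped: rejected=" + rejects(writableByUnwrapping(strict), "bad name"));
        System.out.println("copied:    rejected=" + rejects(writableKeepingChecks(strict), "bad name"));
    }
}
```

The "unwrapped" case is the one the test above guards against: the data is intact, but the validating layer is no longer on the read path.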