Skip to content

Query dst#54

Merged
mjbraun merged 2 commits into
mainfrom
query-dst
Jul 15, 2026
Merged

Query dst#54
mjbraun merged 2 commits into
mainfrom
query-dst

Conversation

@mjbraun

@mjbraun mjbraun commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

No description provided.

mjbraun added 2 commits July 14, 2026 16:47
Some APIs only accept credentials in the URL query string (e.g.
NetActuate's vapi2 rejects Authorization and X-API-Key headers). Extend
the dst config/param with a "query:<param>" form that sets the secret as
a query parameter on the request URL, preserving existing parameters.

Header and query dsts are separate namespaces: a sealed or allowlisted
header dst never authorizes a query destination of the same name, and
vice versa. Query parameter names are matched case sensitively, without
the MIME header canonicalization applied to header dsts.

Prior art: sprites-api's Connectors gateway supports the same
query_param injection method alongside header injection.
url.Values.Set only replaces an exact-case duplicate, so a request
carrying ?KEY=evil would survive alongside the injected ?key=<secret>,
a parameter-pollution vector against upstreams that match parameter
names loosely. Strip any case-insensitive match for the destination
param before setting the injected value.
@mjbraun
mjbraun requested review from timflyio and tqbf July 15, 2026 14:26

@timflyio timflyio left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good to me. my only comment is that we could have added a new field to the DstProcessor spec instead of using the "query:" prefix in the Dst field. I'm not sure how I feel about it though... it feels "cleaner" in the code, but clunkier to use in practice...

@mjbraun
mjbraun merged commit 73598b3 into main Jul 15, 2026
1 check passed
@mjbraun
mjbraun deleted the query-dst branch July 15, 2026 18:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants