[PR #175] [MERGED] fix: preserve x-middleware-request-* headers in generated runMiddleware #372

Closed
opened 2026-05-06 12:39:28 +02:00 by BreizhHardware · 0 comments

📋 Pull Request Information

Original PR: https://github.com/cloudflare/vinext/pull/175
Author: @dknecht
Created: 2/27/2026
Status: Merged
Merged: 2/27/2026
Merged by: @threepointone

Base: main ← Head: codex/propose-fix-for-header-spoofing-vulnerability


📝 Commits (3)

  • d49639f fix: preserve middleware request override headers in runMiddleware
  • e68a217 Strip x-middleware-* headers, detect bun, update fixtures
  • 7b7dabc Normalize absolute file paths in fixture

📊 Changes

7 files changed (+140 additions, -30 deletions)

View changed files

📝 packages/vinext/src/deploy.ts (+2 -0)
📝 packages/vinext/src/index.ts (+10 -4)
📝 packages/vinext/src/utils/project.ts (+2 -0)
📝 tests/deploy.test.ts (+9 -0)
📝 tests/fixtures/pages-basic/dist/server/entry.js (+93 -26)
📝 tests/fixtures/pages-basic/middleware.ts (+8 -0)
📝 tests/pages-router.test.ts (+16 -0)

📄 Description

Motivation

  • A codegen change began stripping every x-middleware-* header from middleware responses, which removed x-middleware-request-* headers that NextResponse.next() uses to forward middleware-modified request headers to the production server, enabling header spoofing regressions.

Description

  • Updated the generated runMiddleware code in packages/vinext/src/index.ts to preserve x-middleware-request-* headers while continuing to strip other x-middleware-* internal routing headers in both NextResponse.next() and rewrite handling.
  • Added a regression assertion in tests/deploy.test.ts to verify the generated Pages Router worker entry still contains the x-middleware-request-* unpacking logic (const mwReqPrefix = "x-middleware-request-" and key.startsWith(mwReqPrefix)).
  • Changes are minimal and aimed only at ensuring middleware request-overrides are available to the prod request override logic before internal headers are removed from client responses.

Testing

  • Ran pnpm test tests/deploy.test.ts, which passed (155 tests, 0 failures).
  • During investigation I exercised pnpm test against the Pages Router middleware path to reproduce the regression; that targeted test helped validate behavior while iterating on the fix (used for debugging), and the final regression coverage is enforced by tests/deploy.test.ts as noted above.

Codex Task: https://chatgpt.com/codex/tasks/task_e_69a1f620ec0c8323bc91ba1544d72df1


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
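
The ordering problem the description refers to, shown as an added example that is not part of the PR and is not vinext's generated `runMiddleware` code: stripping every `x-middleware-*` header before unpacking leaves the route handler with the client-supplied value, while unpacking `x-middleware-request-*` first applies the middleware's override. The function names, the `x-user-id` header and all header values are assumptions constructed for illustration; only the `mwReqPrefix` string comes from the description.

```javascript
// Added illustration, not vinext's generated code. Header values are constructed.
const mwPrefix = "x-middleware-";
const mwReqPrefix = "x-middleware-request-"; // prefix string quoted in the PR description

// Correct order: collect x-middleware-request-* overrides first, then drop
// every other x-middleware-* header from what the client will receive.
function unpackThenStrip(mwHeaders) {
  const overrides = new Headers();
  const client = new Headers();
  for (const [key, value] of mwHeaders) {
    if (key.startsWith(mwReqPrefix)) {
      overrides.set(key.slice(mwReqPrefix.length), value);
    } else if (!key.startsWith(mwPrefix)) {
      client.append(key, value);
    }
  }
  return { overrides, client };
}

// Regressed order described in the PR: every x-middleware-* header is
// stripped up front, so no request overrides are left to unpack.
function stripAllThenUnpack(mwHeaders) {
  const kept = new Headers();
  for (const [key, value] of mwHeaders) {
    if (!key.startsWith(mwPrefix)) kept.append(key, value);
  }
  return unpackThenStrip(kept);
}

// Headers the route handler sees: incoming request headers with overrides on top.
function handlerHeaders(incoming, overrides) {
  const out = new Headers(incoming);
  for (const [key, value] of overrides) out.set(key, value);
  return out;
}

function demo() {
  const incoming = new Headers({ "x-user-id": "admin" }); // client-supplied value
  const mw = new Headers({
    "x-middleware-next": "1",
    "x-middleware-request-x-user-id": "alice", // value set by middleware
    "cache-control": "no-store",
  });
  const fixed = unpackThenStrip(mw);
  const regressed = stripAllThenUnpack(mw);
  return {
    fixedUser: handlerHeaders(incoming, fixed.overrides).get("x-user-id"),
    regressedUser: handlerHeaders(incoming, regressed.overrides).get("x-user-id"),
    clientKeys: [...fixed.client.keys()],
  };
}
```
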
