Heimdall handles URL-encoded slashes (%2F) in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent (%2f) is not recognized and therefore not processed as expected when allow_encoded_slashes is set to off (the default setting).
This discrepancy can lead to differences in how request paths are interpreted by heimdall and upstream components, which may result in authorization bypass.
Note: The issue can only lead to unintended access if heimdall is configured with an "allow all" default rule. Since v0.16.0, heimdall enforces secure defaults and refuses to start with such a configuration unless this enforcement is explicitly disabled (e.g. via --insecure-skip-secure-default-rule-enforcement or the broader --insecure flag).
Consider the following rule configuration:
id: rule-1
match:
routes:
- path: /admin/**
execute: # configured to require authentication and authorization
# ...
If an adversary sends a request such as /admin%2fsecret, neither is the above rule matched, nor is the request rejected (as would be expected when allow_encoded_slashes is set to off). Instead, the default rule (if configured) will be executed.
If the configured default rule is overly permissive (e.g. allowing anonymous access), and the upstream service interprets %2f as a path separator, the request may ultimately be processed as /admin/secret.
This results in the request being authorized based on a different path than the one processed by the upstream service, leading to authorization bypass.
Bypass of access control policies enforced by heimdall may lead to the following consequences:
###...
0.17.14Exploitability
AV:NAC:LAT:NPR:NUI:NVulnerable System
VC:NVI:NVA:NSubsequent System
SC:HSI:HSA:N7.8/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N