Add UpstreamHostOverride support for plugins and enhance reverse proxy handling

[sedkis]

User description

• Introduced UpstreamHostOverride constant in ctx package for plugin use.
• Implemented logic in reverse_proxy.go to allow plugins to override upstream host or URL.
• Added a new test file for URL redirect plugin to demonstrate UpstreamHostOverride functionality.

Description

Adds a new context that is settable from custom go plugin. THis allows URL overwrites.

Motivation and Context

• Being able to set the host dynamically depending on conditions is a common use case. This allows an operator to run a set of business logic rules and then set a new hostname as needed.

How This Has Been Tested

Unit Tests and Manual testing of scenario. The included custom plugin example is set and used.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• [X ] New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Refactoring or add test (improvements in base code or adds test coverage to functionality)

Checklist

• I ensured that the documentation is up to date
• I explained why this PR updates go.mod in detail with reasoning why it's required
• I would like a code coverage CI quality gate exception and have explained why

---

PR Type

Enhancement, Tests

---

Description

• Add context key UpstreamHostOverride

• Allow plugins to override upstream host/URL

• Preserve host header based on overridden URL

• Add sample plugin for header-based routing

---

Diagram Walkthrough

flowchart LR
  Ctx["ctx.UpstreamHostOverride key"] -- "set by plugin" --> ReqCtx["Request Context"]
  ReqCtx -- "read in" --> RP["Reverse Proxy Director"]
  RP -- "override scheme/host" --> URL["Request URL"]
  URL -- "reflect in" --> HostHeader["Host header (if not preserved)"]

Loading

File Walkthrough

	Relevant files
Enhancement	ctx.go Introduce UpstreamHostOverride context key                              ctx/ctx.go Add UpstreamHostOverride context key. Document usage for plugin-driven host override. +2/-0      reverse_proxy.go Reverse proxy supports context-based upstream override      gateway/reverse_proxy.go Read ctx.UpstreamHostOverride from request context. Parse and apply full URL or host overrides. Update Host header to follow overridden URL when not preserved. +20/-1
Tests	url_redirect_plugin.go Example plugin for header-based upstream override                test/goplugins/url_redirect_plugin.go Add example plugin reading X-Route-To header. Sets ctx.UpstreamHostOverride in request context. Logs applied override for visibility. +29/-0

---

[buger]

A JIRA Issue ID is missing from your branch name, PR title and PR description! 🦄

Your branch: feat/add-dynamic-host-rewrite-from-plugins

Your PR title: Add UpstreamHostOverride support for plugins and enhance reverse proxy handling

Your PR description: - Introduced UpstreamHostOverride constant in ctx package for plugin use. - Implemented logic in reverse_proxy.go to allow plugins to override upstream host or URL. - Added a new test file for URL redirect plugin to demonstrate UpstreamHostOverride functionality.

Description

Adds a new context that is settable from custom go plugin. THis allows URL overwrites.

Motivation and Context

• Being able to set the host dynamically depending on conditions is a common use case. This allows an operator to run a set of business logic rules and then set a new hostname as needed.

How This Has Been Tested

Unit Tests and Manual testing of scenario. The included custom plugin example is set and used.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• [X ] New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Refactoring or add test (improvements in base code or adds test coverage to functionality)

Checklist

• I ensured that the documentation is up to date
• I explained why this PR updates go.mod in detail with reasoning why it's required
• I would like a code coverage CI quality gate exception and have explained why

If this is your first time contributing to this repository - welcome!

---

Please refer to jira-lint to get started.

Without the JIRA Issue ID in your branch name you would lose out on automatic updates to JIRA via SCM; some GitHub status checks might fail.

Valid sample branch names:

‣ feature/shiny-new-feature--mojo-10'
‣ 'chore/changelogUpdate_mojo-123'
‣ 'bugfix/fix-some-strange-bug_GAL-2345'

[github-actions]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪

🧪 No relevant tests

🔒 Security concerns SSRF risk: Allowing plugins (and the sample plugin via user-controlled header) to set an arbitrary upstream host/URL can enable server-side request forgery if not constrained. Recommend validating allowed schemes (http/https), enforcing a whitelist/allowlist of hosts or CIDR blocks, and rejecting private/internal IP ranges. Additionally, sanitize/validate the override string to avoid userinfo or path injection.

⚡ Recommended focus areas for review Validation Needed The upstream override accepts arbitrary strings and only checks for "://". Consider validating/normalizing the host (e.g., punycode/IDNA, disallow spaces, ensure no path/userinfo injected) and handling invalid parses explicitly to avoid silently using an unexpected target. // Simple upstream host override from plugins via context. // Accepts either a host (e.g. "api.example.com") or full URL (e.g. "https://api.example.com"). if v := req.Context().Value(ctx.UpstreamHostOverride); v != nil { if hostOrURL, ok := v.(string); ok && hostOrURL != "" { if strings.Contains(hostOrURL, "://") { if u, err := url.Parse(hostOrURL); err == nil { if u.Scheme != "" { req.URL.Scheme = u.Scheme } if u.Host != "" { req.URL.Host = u.Host } } } else { req.URL.Host = hostOrURL } } } Host Header Behavior When PreserveHostHeader is false, Host is set from req.URL.Host post-override. Confirm this matches desired behavior for both plain host and full URL overrides and won't break upstreams relying on original Host; consider logging the final host for traceability. if !spec.Proxy.PreserveHostHeader { req.Host = req.URL.Host } Plugin Input Trust The plugin routes based on an unvalidated header value. Ensure production guidance or safeguards exist to prevent SSRF/open redirect-style misuse; consider whitelisting allowed hosts/schemes in examples. func HeaderBasedRedirect(rw http.ResponseWriter, r *http.Request) { routeTo := r.Header.Get("X-Route-To") if routeTo == "" { return } logger.Info("[PLUGIN] X-Route-To header: ", routeTo) // Use the UpstreamHostOverride context key // This can be either a host or a full URL newCtx := context.WithValue(r.Context(), ctx.UpstreamHostOverride, routeTo) *r = *r.WithContext(newCtx) logger.Info("[PLUGIN] Set UpstreamHostOverride to: ", routeTo) }

[github-actions]

API Changes

--- prev.txt	2025-08-09 14:36:48.489103326 +0000
+++ current.txt	2025-08-09 14:36:38.361060913 +0000
@@ -3286,13 +3286,6 @@
 }
     JSVMEvent represents a JavaScript VM event configuration for event handlers.
 
-type JTIValidation struct {
-	// Enabled indicates whether JWT ID claim is required.
-	// When true, tokens must include a 'jti' claim.
-	Enabled bool `bson:"enabled" json:"enabled"`
-}
-    JTIValidation contains the configuration for the validation of the JWT ID.
-
 type JWT struct {
 	// Enabled activates the basic authentication mode.
 	//
@@ -3321,10 +3314,6 @@
 	// Tyk classic API definition: `jwt_identity_base_field`
 	IdentityBaseField string `bson:"identityBaseField,omitempty" json:"identityBaseField,omitempty"`
 
-	// SubjectClaims specifies a list of claims that can be used to identity the subject of the JWT.
-	// The field is an OAS only field and is only used in OAS APIs.
-	SubjectClaims []string `bson:"subjectClaims,omitempty" json:"subjectClaims,omitempty"`
-
 	// SkipKid controls skipping using the `kid` claim from a JWT (default behaviour).
 	// When this is true, the field configured in IdentityBaseField is checked first.
 	//
@@ -3337,11 +3326,6 @@
 	// Tyk classic API definition: `jwt_policy_field_name`
 	PolicyFieldName string `bson:"policyFieldName,omitempty" json:"policyFieldName,omitempty"`
 
-	// BasePolicyClaims specifies a list of claims from which the base PolicyID is extracted.
-	// The policy is applied to the session as a base policy.
-	// The field is an OAS only field and is only used in OAS APIs.
-	BasePolicyClaims []string `bson:"basePolicyClaims,omitempty" json:"basePolicyClaims,omitempty"`
-
 	// ClientBaseField is used when PolicyFieldName is not provided. It will get
 	// a session key and use the policies from that. The field ensures that requests
 	// use the same session.
@@ -3372,21 +3356,6 @@
 	// Tyk classic API definition: `jwt_expires_at_validation_skew`.
 	ExpiresAtValidationSkew uint64 `bson:"expiresAtValidationSkew,omitempty" json:"expiresAtValidationSkew,omitempty"`
 
-	// AllowedIssuers contains a list of accepted issuers for JWT validation.
-	// When configured, the JWT's issuer claim must match one of these values.
-	AllowedIssuers []string `bson:"allowedIssuers,omitempty" json:"allowedIssuers,omitempty"`
-
-	// AllowedAudiences contains a list of accepted audiences for JWT validation.
-	// When configured, the JWT's audience claim must match one of these values.
-	AllowedAudiences []string `bson:"allowedAudiences,omitempty" json:"allowedAudiences,omitempty"`
-
-	// JTIValidation contains the configuration for the validation of the JWT ID.
-	JTIValidation JTIValidation `bson:"jtiValidation,omitempty" json:"jtiValidation,omitempty"`
-
-	// AllowedSubjects contains a list of accepted subjects for JWT validation.
-	// When configured, the subject from kid/identityBaseField/sub must match one of these values.
-	AllowedSubjects []string `bson:"allowedSubjects,omitempty" json:"allowedSubjects,omitempty"`
-
 	// IDPClientIDMappingDisabled prevents Tyk from automatically detecting the use of certain IDPs based on standard claims
 	// that they include in the JWT: `client_id`, `cid`, `clientId`. Setting this flag to `true` disables the mapping and avoids
 	// accidentally misidentifying the use of one of these IDPs if one of their standard values is configured in your JWT.
@@ -3611,8 +3580,6 @@
 func (s *OAS) Fill(api apidef.APIDefinition)
     Fill fills *OAS definition from apidef.APIDefinition.
 
-func (s *OAS) GetJWTConfiguration() *JWT
-
 func (s *OAS) GetTykExtension() *XTykAPIGateway
     GetTykExtension returns our OAS schema extension from inside *OAS.
 
@@ -4200,11 +4167,6 @@
 	// - For JWT: `scopes.jwt.scope_claim_name`
 	ClaimName string `bson:"claimName,omitempty" json:"claimName,omitempty"`
 
-	// Claims contains a list of claims that contains the claim name.
-	// The first match from the list of claims in the token is used.
-	// OAS only field applied to OAS apis.
-	Claims []string `bson:"claims,omitempty" json:"claims,omitempty"`
-
 	// ScopeToPolicyMapping contains the mappings of scopes to policy IDs.
 	//
 	// Tyk classic API definition:
@@ -4784,7 +4746,7 @@
 
 	// Negate is a boolean negation operator. Setting it to true inverts the matching behaviour
 	// such that the rewrite will be triggered if the value does not match the `pattern` for this rule.
-	Negate bool `bson:"negate,omitempty" json:"negate,omitempty"`
+	Negate bool `bson:"negate" json:"negate"`
 }
     URLRewriteRule represents a rewrite
     matching rules. Tyk classic API definition:
@@ -7809,6 +7771,8 @@
 	CacheOptions
 	OASDefinition
 	SelfLooping
+	// Used by plugins to override the upstream host
+	UpstreamHostOverride
 )
 # Package: ./dlpython
 
@@ -8545,9 +8509,6 @@
 	HMACSign  = "hmac"
 	RSASign   = "rsa"
 	ECDSASign = "ecdsa"
-	ISS       = "iss"
-	AUD       = "aud"
-	JTI       = "jti"
 )
 const (
 	ErrOAuthAuthorizationFieldMissing   = "oauth.auth_field_missing"
@@ -8634,7 +8595,6 @@
 var (
 	ErrNoSuitableUserIDClaimFound = errors.New("no suitable claims for user ID were found")
 	ErrEmptyUserIDInSubClaim      = errors.New("found an empty user ID in sub claim")
-	ErrEmptyUserIDInClaim         = errors.New("found an empty user ID in predefined base claim")
 )
 var (
 	ErrSyncResourceNotKnown = errors.New("unknown resource to sync")
@@ -13599,6 +13559,7 @@
 
 FUNCTIONS
 
+func HeaderBasedRedirect(rw http.ResponseWriter, r *http.Request)
 func MyAnalyticsPluginDeleteHeader(record *analytics.AnalyticsRecord)
 func MyAnalyticsPluginMaskJSONLoginBody(record *analytics.AnalyticsRecord)
 func MyPluginAccessingOASAPI(rw http.ResponseWriter, r *http.Request)

[github-actions]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Security	Harden and sanitize URL overrides Validate that the value is a safe, absolute URL when a scheme is present, and reject opaque or path-only URLs to prevent SSRF or malformed upstreams. Also, update req.URL.Path when a full URL is supplied to avoid mixing old path segments with a new host. gateway/reverse_proxy.go [298-313] if v := req.Context().Value(ctx.UpstreamHostOverride); v != nil { if hostOrURL, ok := v.(string); ok && hostOrURL != "" { if strings.Contains(hostOrURL, "://") { - if u, err := url.Parse(hostOrURL); err == nil { - if u.Scheme != "" { - req.URL.Scheme = u.Scheme - } - if u.Host != "" { - req.URL.Host = u.Host + if u, err := url.Parse(hostOrURL); err == nil && u.Scheme != "" && u.Host != "" && !u.Opaque { + req.URL.Scheme = u.Scheme + req.URL.Host = u.Host + // Ensure path consistency when full URL is provided + if u.Path != "" { + req.URL.Path = singleJoiningSlash(u.Path, req.URL.Path, spec.Proxy.DisableStripSlash) + if req.URL.RawPath != "" { + req.URL.RawPath = singleJoiningSlash(u.Path, req.URL.RawPath, spec.Proxy.DisableStripSlash) + } } } } else { - req.URL.Host = hostOrURL + // Basic host override; ensure no scheme or slashes are present + if !strings.Contains(hostOrURL, "/") { + req.URL.Host = hostOrURL + } } } } Suggestion importance[1-10]: 7 __ Why: Strengthening parsing to avoid opaque URLs and ensuring path/rawpath consistency reduces SSRF/malformed URL risks and path mixing. It’s accurate to the new hunk and improves robustness, though not strictly critical.	Medium
Possible issue	Guard against empty Host header Ensure req.URL.Host is non-empty before assigning to req.Host to avoid sending an empty Host header on malformed overrides. Fall back to targetToUse.Host when the override did not set a valid host. gateway/reverse_proxy.go [315-317] if !spec.Proxy.PreserveHostHeader { - req.Host = req.URL.Host + host := req.URL.Host + if host == "" { + host = targetToUse.Host + } + req.Host = host } Suggestion importance[1-10]: 6 __ Why: Adding a fallback prevents sending an empty Host if override parsing yields no host, which is a reasonable safety improvement aligned with the PR change to set req.Host from req.URL.Host.	Low
General	Safer request context update Avoid reassigning the dereferenced request in-place, which can be error-prone with shared references. Instead, return or use the new request from WithContext directly when passing to downstream handlers. test/goplugins/url_redirect_plugin.go [23-24] -newCtx := context.WithValue(r.Context(), ctx.UpstreamHostOverride, routeTo) -*r = *r.WithContext(newCtx) +newReq := r.WithContext(context.WithValue(r.Context(), ctx.UpstreamHostOverride, routeTo)) +*r = *newReq Suggestion importance[1-10]: 4 __ Why: The change is a minor style/clarity tweak; both patterns copy the request struct. It’s valid but has limited impact on correctness given this simple plugin.	Low

[github-actions]

📦 Impact Review Snapshot

Effort	Downstream Updates	Compatibility	Docs	TL;DR
Low	✅	🟢	⚠️	New plugin capability to override upstream hosts needs documentation

## Impact Assessment

This PR adds a new context key UpstreamHostOverride and enhances the reverse proxy to allow plugins to dynamically override upstream hosts or URLs. The implementation is self-contained within the Tyk Gateway and doesn't modify any API schemas, configurations, or protocols used by downstream repositories.

## Required Updates

No immediate updates required in downstream repositories as this is an additive feature that doesn't break existing functionality. However, documentation should be updated to reflect this new capability for plugin developers.

## Compatibility Concerns

The feature is implemented in a backward-compatible way. Existing plugins will continue to work as before, and only plugins that explicitly use the new context key will leverage this functionality. The implementation preserves the Host header behavior based on the PreserveHostHeader setting, maintaining compatibility with existing configurations.

## Summary & Recommendations

• Documentation should be updated to describe this new plugin capability, including security considerations for allowing arbitrary host overrides
• Consider adding validation to prevent potential SSRF attacks by restricting the hosts/URLs that can be specified
• The example plugin uses an unvalidated header value (X-Route-To), which could be a security risk if used in production without proper validation

---

Tip: Mention me again using /dependency <request>.
Powered by Probe AI
Tyk Gateway Dependency Impact Reviewer

[github-actions]

🛡️ Security Snapshot

Effort	Risk Level	Tests	Compliance	TL;DR
Low	🔴	⚠️	❔	Introduces SSRF risk by allowing plugins to redirect requests to arbitrary hosts without validation

## Security Impact Analysis

This PR introduces a new context key UpstreamHostOverride that allows plugins to dynamically override the upstream host or URL for requests. The implementation accepts either a host (e.g., "api.example.com") or a full URL (e.g., "https://api.example.com") without validation. The feature is powerful for legitimate use cases but introduces significant security risks if misused, as it could allow redirection to arbitrary internal or external hosts.

The implementation lacks critical safeguards such as host validation, allowlisting, or network restrictions, which are essential when implementing dynamic routing capabilities. The sample plugin demonstrates using an HTTP header value directly to control routing, which compounds the risk by exposing this control to potentially untrusted client input.

## Identified Vulnerabilities

High Severity:

• Server-Side Request Forgery (SSRF): The implementation allows redirection to arbitrary hosts without validation, potentially enabling attackers to reach internal services or metadata endpoints (e.g., cloud provider metadata services).
• Lack of Input Validation: No sanitization or validation of the host/URL string before parsing and using it, which could lead to unexpected behavior or security bypasses.

Medium Severity:

• Header-Based Routing Control: The sample plugin reads the X-Route-To header directly without validation, allowing client-controlled request routing.
• No Host Allowlist: No mechanism to restrict which hosts can be targeted, allowing potential pivoting to any accessible network.

Low Severity:

• Insufficient Logging: While basic logging is implemented in the sample plugin, there's no audit logging of host overrides in the core functionality, making it difficult to detect abuse.

## Security Recommendations

1. Implement Host Validation:

   • Add validation to reject private/internal IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, etc.)
   • Validate and normalize hostnames to prevent IDN homograph attacks

2. Add Host Allowlisting:

   • Implement a configurable allowlist of permitted hosts/domains
   • Consider CIDR-based network restrictions for allowed targets

3. Enhance the Sample Plugin:

   • Add validation to the X-Route-To header value
   • Document security best practices for using this feature
   • Consider requiring a signature or other verification for the header

4. Improve Error Handling:

   • Add explicit error handling for URL parsing failures
   • Log attempts to use invalid or disallowed hosts

5. Add Audit Logging:

   • Log all host override operations with source plugin information
   • Consider marking these events as security-relevant for monitoring

## OWASP Compliance

• A1:2021 - Broken Access Control: The feature could bypass intended access controls by redirecting requests to unintended hosts.
• A10:2021 - Server-Side Request Forgery: The implementation directly enables SSRF by allowing redirection to arbitrary hosts without validation.
• A3:2021 - Injection: While not a traditional injection, the header-based routing in the sample plugin could be considered a form of injection if not properly validated.
• A7:2021 - Identification and Authentication Failures: The feature could potentially be used to bypass authentication by redirecting to hosts with different authentication requirements.

## Summary

• The PR introduces a powerful feature for dynamic routing but with significant security implications
• The lack of host validation, allowlisting, and network restrictions creates a high risk of SSRF attacks
• The sample plugin demonstrates an insecure pattern of using client-controlled headers for routing
• Recommend implementing strict validation, allowlisting, and audit logging before merging

---

Tip: Mention me again using /security <request>.
Powered by Probe AI
Security Impact Reviewer Prompt

[github-actions]

🚦 Connectivity Review Snapshot

Effort	Tests	Security	Perf	TL;DR
🔵⚪⚪	✅	🔒 none	🟢	Safe addition of plugin-based upstream host override with no impact on core connectivity

## Connectivity Assessment

• Redis Connections: No impact on Redis connectivity. The feature operates entirely at the HTTP request routing level and doesn't modify any Redis operations or storage patterns.
• RPC Connections: No impact on RPC connections. The feature doesn't interact with the MDCB mode or any RPC communication channels.
• Synchronization Mechanisms: No changes to pub/sub or notification mechanisms. The host override happens during request processing and doesn't affect configuration synchronization.

## Test Coverage Validation

• Redis Tests: Not applicable as the feature doesn't interact with Redis.
• RPC Tests: Not applicable as the feature doesn't interact with RPC systems.
• Failure Scenario Tests: The example plugin provides basic validation, but additional tests would be valuable to verify behavior when invalid URLs or hosts are provided.

## Security & Performance Impact

• Authentication Changes: No authentication changes. The feature operates after authentication in the request processing pipeline.
• Performance Considerations: Minimal performance impact. The URL parsing only occurs when a plugin explicitly sets the context value.
• Error Handling: URL parsing errors are silently ignored, which is appropriate for this use case as it falls back to the original target.

## Summary & Recommendations

• The implementation is clean and focused, adding a useful capability for plugins to dynamically control upstream routing.
• The feature properly handles both host-only and full URL overrides.
• No suggestions to provide – change LGTM.

---

Tip: Mention me again using /connectivity <request>.
Powered by Probe AI
Connectivity Issues Reviewer Prompt for Tyk Gateway

[github-actions]

🚀 Performance Snapshot

Effort	Perf Risk	Hot Paths	Benchmarks	TL;DR
Low	🟡	⚠️	❔	Adds context lookup and URL parsing in the critical request path

## Performance Impact Analysis

The PR introduces a context-based mechanism for plugins to override upstream hosts/URLs. This adds a context lookup in the reverse proxy director function, which is in the critical path for all requests. When the context value is present, additional string operations and potentially URL parsing are performed. The impact is minimal for requests without the override, but could be noticeable for high-throughput APIs using this feature, especially with complex URL overrides requiring parsing.

## Critical Areas

The main performance-sensitive area is the reverse proxy director function, which handles every request. The added code introduces conditional logic that executes for all requests (context lookup) with additional processing when the override is present. URL parsing is particularly expensive if performed frequently, though it only occurs when full URLs with schemes are provided as overrides.

## Optimization Recommendations

1. Consider caching parsed URLs if the same override value is used repeatedly across requests.
2. The URL parsing could be optimized by using a more lightweight approach when only scheme and host are needed.
3. Add metrics to track how frequently this feature is used and its impact on request processing time.
4. Consider pre-validating override URLs in plugins to avoid parsing errors in the hot path.

## Summary

• The change adds minimal overhead for requests without overrides (just a context lookup)
• For requests with overrides, URL parsing introduces moderate overhead
• The feature is conditionally executed, limiting impact to only requests using it
• Consider adding validation to prevent SSRF risks from arbitrary URL overrides
• No suggestions to provide – change LGTM.

---

Tip: Mention me again using /performance <request>.
Powered by Probe AI
Performance Impact Reviewer Prompt