From 5f2e5f76ea24e769957513a03766dd04505a7fcf Mon Sep 17 00:00:00 2001
From: David Eliahu
Date: Mon, 23 Mar 2020 18:09:13 -0700
Subject: [PATCH] Update auth header validation
---
 pkg/operator/endpoints/middleware.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/pkg/operator/endpoints/middleware.go b/pkg/operator/endpoints/middleware.go
index cbe9664616..d61a11c8cf 100644
--- a/pkg/operator/endpoints/middleware.go
+++ b/pkg/operator/endpoints/middleware.go
@@ -67,11 +67,16 @@ func AuthMiddleware(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 authHeader := r.Header.Get("Authorization")
- if !strings.HasPrefix(authHeader, "CortexAWS") {
+ if authHeader == "" {
 respondError(w, r, ErrorAuthHeaderMissing())
 return
 }
+ if len(authHeader) < 10 || !strings.HasPrefix(authHeader, "CortexAWS") {
+ respondError(w, r, ErrorAuthHeaderMalformed())
+ return
+ }
+
 parts := strings.Split(authHeader[10:], "|")
 if len(parts) != 2 {
 respondError(w, r, ErrorAuthHeaderMalformed())
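Review bot: The new guard `if len(authHeader) < 10 || !strings.HasPrefix(authHeader, "CortexAWS") {` stops `authHeader[10:]` from panicking on a short header, but it never validates the byte at index 9, so a header like `CortexAWSXkey|secret` is accepted as well formed, and the literal `10` is a magic number silently tied to the length of the scheme string. Anchoring on the full scheme prefix fixes both: `if !strings.HasPrefix(authHeader, "CortexAWS ") {` (the space is presumably the separator the client sends — confirm against the client code) and `parts := strings.Split(strings.TrimPrefix(authHeader, "CortexAWS "), "|")`, after which the explicit length check is redundant. Note that a header such as `CortexAWS |` still yields `len(parts) == 2` with empty fields; whether an empty key or secret is rejected downstream is outside this hunk. The handler closure opened on the first context line continues past the end of the hunk.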