From ceea98db382e1d11339e0d1a7deef7f20fdb582e Mon Sep 17 00:00:00 2001
From: Dorian Niemiec <dorian.niemiec@svrjs.org>
Date: Wed, 22 Jan 2025 09:49:58 +0100
Subject: [PATCH] fix: fix bug with Host header not sent to ModSecurity for
 HTTP/2 requests

---
 src/index.js | 30 +++++++++++++++++++++++-------
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/src/index.js b/src/index.js
index d86c8da..1a00435 100644
--- a/src/index.js
+++ b/src/index.js
@@ -421,16 +421,32 @@ module.exports = (req, res, logFacilities, config, next) => {
       return processIntervention();
     }
 
-    let key = null;
-    req.rawHeaders.forEach((v) => {
-      if (key === null) {
-        key = v;
-      } else {
-        transaction.addRequestHeader(key, v);
-        key = null;
+    let headerIntervene = false;
+    Object.keys(req.headers).every((key) => {
+      if (typeof req.headers[key] == "string") {
+        securityResponse = transaction.addResponseHeader(key, req.headers[key]);
+        if (typeof securityResponse === "object") {
+          headerIntervene = true;
+          return false;
+        }
+      } else if (Array.isArray(req.headers[key])) {
+        req.headers[key].every((value) => {
+          securityResponse = transaction.addResponseHeader(key, value);
+          if (typeof securityResponse === "object") {
+            headerIntervene = true;
+            return false;
+          }
+          return true;
+        });
+        if (headerIntervene) return false;
       }
+      return true;
     });
 
+    if (headerIntervene) {
+      return processIntervention();
+    }
+
     securityResponse = transaction.processRequestHeaders();
     if (typeof securityResponse === "object") {
       return processIntervention();