Annotations: Quote auth proxy headers. #13371
Conversation
|
Hi @jkroepke. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
✅ Deploy Preview for kubernetes-ingress-nginx canceled.
|
✅ Deploy Preview for kubernetes-ingress-nginx canceled.
|
There was a problem hiding this comment.
/triage accepted
/kind bug
/priority backlog
/hold
If you're concerned about code injection, I'd rather quote the value here as we already did here. Annotation validation is optional and can be turned off. Also your regular expression might break existing deployments, which then leads to people turning off annotation validation.
f48a0e8 to
15ee736
Compare
ecb7737 to
748cf6c
Compare
|
Hi @Gacko thanks for your review. Please take a look. I may ask if using gos sprintf |
748cf6c to
1ee9740
Compare
1ee9740 to
7ab707e
Compare
| @@ -619,8 +619,13 @@ func buildAuthProxySetHeaders(headers map[string]string) []string { | |||
| } | |||
|
|
|||
| for name, value := range headers { | |||
| res = append(res, fmt.Sprintf("proxy_set_header '%v' '%v';", name, value)) | |||
| if strings.ContainsAny(name, "\n\r") || strings.ContainsAny(value, "\n\r") { | |||
There was a problem hiding this comment.
I think newlines ain't an issue as long as they are quoted.
There was a problem hiding this comment.
Also because this would be a breaking change and I'd like to back-port this to the release branches.
There was a problem hiding this comment.
As I know, header fields over multiple lines are deprecated in RFC 7230 and in this context (auth proxy set headers), there is known situation where a new line is used as for an request header.
However, if you wish, I can remove this restriction.
There was a problem hiding this comment.
I'm less worried about the newline in the header being sent to the auth backend. What we should fix here is the possibility of injecting code in the NGINX configuration.
I don't think there is much of a difference in the result and it's mostly about how you're using them - as in: You don't need to use The only real difference I see is, that |
7ab707e to
5b9be69
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Gacko, jkroepke The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
I implemented the suggested changes, so we can still have this in the next patch release. As stated above, I removed the filtering for |
|
/cherry-pick release-1.13 |
|
/cherry-pick release-1.12 |
|
@Gacko: new pull request created: #13708 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@Gacko: new pull request created: #13709 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
What this PR does / why we need it:
Validate the values inside a config map linked by the
auth-proxy-set-headersannotation.Types of changes
Which issue/s this PR fixes
How Has This Been Tested?
Locally, manually.
Checklist: