Tighten input validation for requests initiated by the backend #3372

Open
pbochynski opened this issue Oct 4, 2024 · 1 comment · Fixed by #3395 · May be fixed by #3414
Labels
kind/bug Categorizes issue or PR as related to a bug. security/low Related to CVSSv3 security rating https://www.first.org/cvss/calculator/3.0

Comments

@pbochynski
Contributor

pbochynski commented Oct 4, 2024

Description

Add validation for the following cases:

  • The path currently only needs to start with some specific words. Apart from that it is arbitrary. This could be tightened to only support words / characters that are actually used by the Kubernetes API. For example, we can supply two double-percent-encoded dots:
    /api/%252e%252e/some_other_path

  • The request method currently can be TRACE (which is not used at all by the Kubernetes API) and OPTIONS and HEAD (which are only used when the path contains proxy).
  • The request can currently contain additional entries for e.g. the forwarded and x-forwarded-for headers. These are then merged into the outgoing request and could obfuscate the true origin of the request.

Expected result
Malicious requests should be rejected with a 400 response code.

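One way to implement the three checks requested above, as an added example that is not Busola's own code: it assumes an Express-style Node.js backend that forwards a client-supplied request target to the Kubernetes API, that the permitted path prefixes are /api, /apis, /openapi and /version, and that OPTIONS and HEAD are acceptable only when a path segment is literally "proxy". The function names, the RFC 3986 character set used behind /proxy/, and the forbidden-header list beyond forwarded and x-forwarded-for are this example's own choices, not taken from the issue or the project.

```javascript
// Added example (not Busola's code): validation for a backend that forwards
// client-supplied requests to the Kubernetes API. Prefixes, method sets and
// the header list are assumptions made for this example.

const ALLOWED_PREFIXES = ['/api', '/apis', '/openapi', '/version']; // assumed
const ALWAYS_ALLOWED_METHODS = new Set(['GET', 'POST', 'PUT', 'PATCH', 'DELETE']);
const PROXY_ONLY_METHODS = new Set(['OPTIONS', 'HEAD']);            // TRACE is never allowed
const FORBIDDEN_HEADERS = new Set(['forwarded', 'x-forwarded-for',
  'x-forwarded-host', 'x-forwarded-proto']); // the issue names the first two; the rest are assumed

// Characters the Kubernetes API uses in groups, versions, names, "name:port"
// service references and verbs; a segment must start with a letter or digit.
const K8S_SEGMENT = /^[A-Za-z0-9][A-Za-z0-9._:-]*$/;
// Behind a "proxy" segment the target is an arbitrary HTTP server, so the
// RFC 3986 pchar set is allowed there (still no dot segments or encoded '/').
const PCHAR_SEGMENT = /^[A-Za-z0-9._~!$&'()*+,;=:@-]+$/;

const ok = () => ({ ok: true });
const fail = (reason) => ({ ok: false, status: 400, reason });

function splitPath(rawPath) {
  const q = rawPath.indexOf('?');
  return { pathPart: q === -1 ? rawPath : rawPath.slice(0, q), query: q === -1 ? '' : rawPath.slice(q + 1) };
}

function validatePath(rawPath) {
  if (typeof rawPath !== 'string' || !rawPath.startsWith('/')) return fail('path must be absolute');
  if (/[\x00-\x20\x7f#\\]/.test(rawPath)) return fail('control character, whitespace, "#" or "\\" in request target');
  let { pathPart } = splitPath(rawPath);
  if (!ALLOWED_PREFIXES.some((p) => pathPart === p || pathPart.startsWith(p + '/'))) {
    return fail('path is outside the Kubernetes API prefixes');
  }
  if (pathPart.length > 1 && pathPart.endsWith('/')) pathPart = pathPart.slice(0, -1); // tolerate one trailing slash
  let behindProxy = false;
  for (const raw of pathPart.split('/').slice(1)) { // slice(1): drop the empty segment before the leading '/'
    let seg;
    try { seg = decodeURIComponent(raw); } catch { return fail('malformed percent-encoding'); }
    if (seg === '') return fail('empty path segment');
    if (seg.includes('%')) return fail('double percent-encoding');  // %252e decodes once to %2e
    if (seg.includes('/')) return fail('percent-encoded slash');    // %2f would create a new segment downstream
    if (seg === '.' || seg === '..') return fail('dot segment');     // %2e%2e decodes to ..
    if (!(behindProxy ? PCHAR_SEGMENT : K8S_SEGMENT).test(seg)) return fail(`disallowed characters in segment "${seg}"`);
    if (seg === 'proxy') behindProxy = true;
  }
  return ok();
}

function hasProxySegment(pathPart) {
  return pathPart.split('/').includes('proxy');
}

// Methods are compared exactly: HTTP methods are case-sensitive, so "get" is rejected too.
function validateMethod(method, rawPath) {
  if (ALWAYS_ALLOWED_METHODS.has(method)) return ok();
  if (PROXY_ONLY_METHODS.has(method) && hasProxySegment(splitPath(rawPath).pathPart)) return ok();
  return fail(`method ${method} is not allowed for this path`); // TRACE and anything unknown end up here
}

// Reject the request outright instead of stripping the header: a client that sends
// it is either misconfigured or trying to forge the origin of the outgoing request.
function validateHeaders(headers) {
  for (const name of Object.keys(headers || {})) {
    if (FORBIDDEN_HEADERS.has(name.toLowerCase())) return fail(`client-supplied ${name} header is not allowed`);
  }
  return ok();
}

// All three checks in the order a proxy middleware would apply them; the first failure wins.
function validateRequest({ method, path, headers }) {
  const pathResult = validatePath(path);
  if (!pathResult.ok) return pathResult;
  const methodResult = validateMethod(method, path);
  if (!methodResult.ok) return methodResult;
  return validateHeaders(headers);
}

// Express-style middleware (assumed wiring): answer 400 before anything is forwarded.
function backendRequestValidator(req, res, next) {
  const verdict = validateRequest({ method: req.method, path: req.url, headers: req.headers });
  if (!verdict.ok) return res.status(verdict.status).json({ error: verdict.reason });
  next();
}

if (typeof module !== 'undefined') {
  module.exports = { validatePath, validateMethod, validateHeaders, validateRequest, backendRequestValidator };
}
```

Segments are decoded one at a time after splitting on the raw "/", so a single decode can never create or merge segments, and anything still containing "%" after that decode is, by construction, double-encoded and rejected. Whether the prefix list and the per-segment character classes are too strict for a given deployment (the follow-up comment below reports exactly that failure mode) is the part to verify against real traffic before enforcing.
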
@mrCherry97 mrCherry97 added the kind/bug Categorizes issue or PR as related to a bug. label Oct 7, 2024
@chriskari chriskari self-assigned this Oct 7, 2024
@chriskari chriskari linked a pull request Oct 10, 2024 that will close this issue
@TorstenD-SAP TorstenD-SAP added the security/low Related to CVSSv3 security rating https://www.first.org/cvss/calculator/3.0 label Oct 11, 2024
@mrCherry97
Contributor

mrCherry97 commented Oct 15, 2024

Something is not working, and currently, validation is too strict. The backend is throwing 400 all the time.

@mrCherry97 mrCherry97 reopened this Oct 15, 2024
@chriskari chriskari linked a pull request Oct 16, 2024 that will close this issue