Merge pull request #112526 from liggitt/redirect

Limit redirect proxy handling to redirected responses
2025-07-21 02:41:25 +00:00 · 2022-09-16 19:34:29 -07:00 · 2022-09-16 19:34:29 -07:00 · 4ff1369641
commit 4ff1369641
parent 3e5e5cc7ee a7e079680a
2 changed files with 22 additions and 1 deletions
--- a/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go
+++ b/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go
@ -263,7 +263,7 @@ func (h *UpgradeAwareHandler) ServeHTTP(w http.ResponseWriter, req *http.Request
 		oldModifyResponse := proxy.ModifyResponse
 		proxy.ModifyResponse = func(response *http.Response) error {
 			code := response.StatusCode
-			if code >= 300 && code <= 399 {
+			if code >= 300 && code <= 399 && len(response.Header.Get("Location")) > 0 {
 				// close the original response
 				response.Body.Close()
 				msg := "the backend attempted to redirect this request, which is not permitted"
--- a/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware_test.go
+++ b/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware_test.go
@ -710,6 +710,7 @@ func TestRejectForwardingRedirectsOption(t *testing.T) {
 		name                      string
 		rejectForwardingRedirects bool
 		serverStatusCode          int
+		redirect                  string
 		expectStatusCode          int
 		expectBody                []byte
 	}{
@ -724,9 +725,25 @@ func TestRejectForwardingRedirectsOption(t *testing.T) {
 			name:                      "reject redirection enabled in proxy, backend server sending 301 response",
 			rejectForwardingRedirects: true,
 			serverStatusCode:          301,
+			redirect:                  "/",
 			expectStatusCode:          502,
 			expectBody:                []byte(`the backend attempted to redirect this request, which is not permitted`),
 		},
+		{
+			name:                      "reject redirection enabled in proxy, backend server sending 304 response with a location header",
+			rejectForwardingRedirects: true,
+			serverStatusCode:          304,
+			redirect:                  "/",
+			expectStatusCode:          502,
+			expectBody:                []byte(`the backend attempted to redirect this request, which is not permitted`),
+		},
+		{
+			name:                      "reject redirection enabled in proxy, backend server sending 304 response with no location header",
+			rejectForwardingRedirects: true,
+			serverStatusCode:          304,
+			expectStatusCode:          304,
+			expectBody:                []byte{}, // client doesn't read the body for 304 responses
+		},
 		{
 			name:                      "reject redirection disabled in proxy, backend server sending 200 response",
 			rejectForwardingRedirects: false,
@ -738,6 +755,7 @@ func TestRejectForwardingRedirectsOption(t *testing.T) {
 			name:                      "reject redirection disabled in proxy, backend server sending 301 response",
 			rejectForwardingRedirects: false,
 			serverStatusCode:          301,
+			redirect:                  "/",
 			expectStatusCode:          301,
 			expectBody:                originalBody,
 		},
@ -746,6 +764,9 @@ func TestRejectForwardingRedirectsOption(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			// Set up a backend server
 			backendServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				if tc.redirect != "" {
+					w.Header().Set("Location", tc.redirect)
+				}
 				w.WriteHeader(tc.serverStatusCode)
 				w.Write(originalBody)
 			}))