From 554ce403e415efd2e1634833ef107d9765d2cea2 Mon Sep 17 00:00:00 2001
From: Clayton Coleman
Date: Tue, 6 Oct 2015 14:26:29 -0400
Subject: [PATCH] Prevent attach from being served by default via the proxy
---
 docs/man/man1/kubectl-proxy.1 | 2 +-
 docs/user-guide/kubectl/kubectl_proxy.md | 2 +-
 pkg/kubectl/proxy_server.go | 2 +-
 pkg/kubectl/proxy_server_test.go | 9 +++++++++
 4 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/docs/man/man1/kubectl-proxy.1 b/docs/man/man1/kubectl-proxy.1
index 4fcb828c667..a8ff3050848 100644
--- a/docs/man/man1/kubectl-proxy.1
+++ b/docs/man/man1/kubectl-proxy.1
@@ -67,7 +67,7 @@ The above lets you 'curl localhost:8001/custom/api/v1/pods'
 Regular expression for HTTP methods that the proxy should reject.
 .PP
-\fB\-\-reject\-paths\fP="^/api/.\fI/exec,^/api/.\fP/run"
+\fB\-\-reject\-paths\fP="^/api/.\fI/exec,^/api/.\fP/run,^/api/.*/attach"
 Regular expression for paths that the proxy should reject.
 .PP
diff --git a/docs/user-guide/kubectl/kubectl_proxy.md b/docs/user-guide/kubectl/kubectl_proxy.md
index 8b300ea2787..eb24547fb55 100644
--- a/docs/user-guide/kubectl/kubectl_proxy.md
+++ b/docs/user-guide/kubectl/kubectl_proxy.md
@@ -84,7 +84,7 @@ $ kubectl proxy --api-prefix=/k8s-api
 --disable-filter[=false]: If true, disable request filtering in the proxy. This is dangerous, and can leave you vulnerable to XSRF attacks, when used with an accessible port.
 -p, --port=8001: The port on which to run the proxy. Set to 0 to pick a random port.
 --reject-methods="POST,PUT,PATCH": Regular expression for HTTP methods that the proxy should reject.
- --reject-paths="^/api/.*/exec,^/api/.*/run": Regular expression for paths that the proxy should reject.
+ --reject-paths="^/api/.*/exec,^/api/.*/run,^/api/.*/attach": Regular expression for paths that the proxy should reject.
 -u, --unix-socket="": Unix socket on which to run the proxy.
 -w, --www="": Also serve static files from the given directory under the specified prefix.
 -P, --www-prefix="/static/": Prefix to serve static files under, if static file directory is specified.
diff --git a/pkg/kubectl/proxy_server.go b/pkg/kubectl/proxy_server.go
index 11125023ddc..bfbb9b6a0e3 100644
--- a/pkg/kubectl/proxy_server.go
+++ b/pkg/kubectl/proxy_server.go
@@ -35,7 +35,7 @@ import (
 const (
 DefaultHostAcceptRE = "^localhost$,^127\\.0\\.0\\.1$,^\\[::1\\]$"
 DefaultPathAcceptRE = "^/.*"
- DefaultPathRejectRE = "^/api/.*/exec,^/api/.*/run"
+ DefaultPathRejectRE = "^/api/.*/exec,^/api/.*/run,^/api/.*/attach"
 DefaultMethodRejectRE = "POST,PUT,PATCH"
 )
diff --git a/pkg/kubectl/proxy_server_test.go b/pkg/kubectl/proxy_server_test.go
index 1f80140a629..cdbf3caf39e 100644
--- a/pkg/kubectl/proxy_server_test.go
+++ b/pkg/kubectl/proxy_server_test.go
@@ -67,6 +67,15 @@ func TestAccept(t *testing.T) {
 method: "GET",
 expectAccept: false,
 },
+ {
+ acceptPaths: DefaultPathAcceptRE,
+ rejectPaths: DefaultPathRejectRE,
+ acceptHosts: DefaultHostAcceptRE,
+ path: "/api/v1/pods/foo/attach",
+ host: "127.0.0.1",
+ method: "GET",
+ expectAccept: false,
+ },
 {
 acceptPaths: DefaultPathAcceptRE,
 rejectPaths: DefaultPathRejectRE,
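Review bot: `DefaultPathRejectRE` in pkg/kubectl/proxy_server.go remains a hand-maintained denylist with no comment saying what qualifies a path for it, and attach having been absent until this commit shows the cost: a subresource that opens a session into a container is served by default until someone lists it. I would document the rule on the constant, for example `// DefaultPathRejectRE lists subresources that give access into a running container; add every new one here.` Each entry is also anchored to `^/api/`, so the same subresource served under any other prefix would presumably pass the default filter; whether that can happen is not visible in this hunk and is worth confirming where the filter is applied.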
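Review bot: The added TestAccept case pins only the un-namespaced form `/api/v1/pods/foo/attach` with GET, so a later tightening of the pattern could stop covering other shapes of the same request without any test failing. I would add a sibling case that differs only in `path: "/api/v1/namespaces/default/pods/foo/attach",` and keeps `expectAccept: false`. A short comment above the case, such as `// attach opens a stream into the container and must be rejected by default`, would record why it is there. TestAccept's table begins and ends outside this hunk, so existing cases for exec and run may already follow one of these patterns.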