apimachinery/pkg/util/proxy: escape forwarded URI
Escape the forwarded URI that the round-tripper sets, so that raw bytes from the request path cannot be injected into the "X-Forwarded-Uri" header. Signed-off-by: Damien Grisonnet <dgrisonn@redhat.com>
parent
4fcfc58d1b
commit
6b368c5031
@ -83,7 +83,7 @@ type Transport struct {
|
||||
// RoundTrip implements the http.RoundTripper interface
|
||||
func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
|
||||
// Add reverse proxy headers.
|
||||
forwardedURI := path.Join(t.PathPrepend, req.URL.Path)
|
||||
forwardedURI := path.Join(t.PathPrepend, req.URL.EscapedPath())
|
||||
if strings.HasSuffix(req.URL.Path, "/") {
|
||||
forwardedURI = forwardedURI + "/"
|
||||
}
|
||||
|
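Review bot: The trailing-slash check on the line after the new assignment still reads the decoded `req.URL.Path`, while the joined value is now built from `req.URL.EscapedPath()`, so the two can disagree: a path whose last segment ends in an encoded slash (`%2F`) decodes to a `Path` ending in `/` and, as far as I can tell, gets a second `/` appended after the literal `%2F`. Testing the same representation closes that gap: `if strings.HasSuffix(req.URL.EscapedPath(), "/") {`. The new line would also benefit from a why-comment, e.g. `// Use the escaped path so raw bytes from the client cannot end up in the forwarded header.` RoundTrip continues past the end of this hunk, where the header itself is presumably set.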
@ -197,6 +197,14 @@ func TestProxyTransport(t *testing.T) {
|
||||
contentType: "text/html",
|
||||
forwardedURI: "/proxy/node/node1:10250/logs/log.log",
|
||||
},
|
||||
"forwarded URI must be escaped": {
|
||||
input: "<html></html>",
|
||||
sourceURL: "http://mynode.com/logs/log.log%00<script>alert(1)</script>",
|
||||
transport: testTransport,
|
||||
output: "<html></html>",
|
||||
contentType: "text/html",
|
||||
forwardedURI: "/proxy/node/node1:10250/logs/log.log%00%3Cscript%3Ealert%281%29%3C/script%3E",
|
||||
},
|
||||
}
|
||||
|
||||
testItem := func(name string, item *Item) {
|
||||
|
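Review bot: The new case covers `%00` and markup but not the header-splitting bytes CR and LF, which are the ones that would let a client terminate `X-Forwarded-Uri` and append a second header; a case such as `sourceURL: "http://mynode.com/logs/log.log%0D%0AX-Injected:%201"` with `forwardedURI: "/proxy/node/node1:10250/logs/log.log%0D%0AX-Injected:%201"` would pin that, assuming the test harness parses sourceURL with net/url as the existing cases suggest. A path ending in an encoded slash (`.../logs%2F`) is also worth a case, since the decoded and escaped forms differ there and the round-tripper's trailing-slash handling depends on which one it inspects. The TestProxyTransport table and the loop that runs it start before and end after this hunk.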