apimachinery/pkg/util/proxy: escape forwarded URI

Escape the forwarded URI set in the round-tripper to prevent any kind of malicious injection into the "X-Forwarded-Uri" header. Signed-off-by: Damien Grisonnet <dgrisonn@redhat.com>
2025-07-23 03:41:45 +00:00 · 2021-11-18 11:40:42 +01:00 · 2021-11-18 11:40:42 +01:00 · 6b368c5031
commit 6b368c5031
parent 4fcfc58d1b
2 changed files with 9 additions and 1 deletions
--- a/staging/src/k8s.io/apimachinery/pkg/util/proxy/transport.go
+++ b/staging/src/k8s.io/apimachinery/pkg/util/proxy/transport.go
@ -83,7 +83,7 @@ type Transport struct {
 // RoundTrip implements the http.RoundTripper interface
 func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
 	// Add reverse proxy headers.
-	forwardedURI := path.Join(t.PathPrepend, req.URL.Path)
+	forwardedURI := path.Join(t.PathPrepend, req.URL.EscapedPath())
 	if strings.HasSuffix(req.URL.Path, "/") {
 		forwardedURI = forwardedURI + "/"
 	}
--- a/staging/src/k8s.io/apimachinery/pkg/util/proxy/transport_test.go
+++ b/staging/src/k8s.io/apimachinery/pkg/util/proxy/transport_test.go
@ -197,6 +197,14 @@ func TestProxyTransport(t *testing.T) {
 			contentType:  "text/html",
 			forwardedURI: "/proxy/node/node1:10250/logs/log.log",
 		},
+		"forwarded URI must be escaped": {
+			input:        "<html></html>",
+			sourceURL:    "http://mynode.com/logs/log.log%00<script>alert(1)</script>",
+			transport:    testTransport,
+			output:       "<html></html>",
+			contentType:  "text/html",
+			forwardedURI: "/proxy/node/node1:10250/logs/log.log%00%3Cscript%3Ealert%281%29%3C/script%3E",
+		},
 	}

 	testItem := func(name string, item *Item) {