apimachinery/pkg/util/proxy: escape forwarded URI

Escape the forwarded URI set in the round-tripper to prevent any kind of
malicious injection into the "X-Forwarded-Uri" header.

Signed-off-by: Damien Grisonnet <dgrisonn@redhat.com>
Damien Grisonnet 2021-11-18 11:40:42 +01:00
parent 4fcfc58d1b
commit 6b368c5031
2 changed files with 9 additions and 1 deletions


@ -83,7 +83,7 @@ type Transport struct {
// RoundTrip implements the http.RoundTripper interface
func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
// Add reverse proxy headers.
forwardedURI := path.Join(t.PathPrepend, req.URL.Path)
forwardedURI := path.Join(t.PathPrepend, req.URL.EscapedPath())
if strings.HasSuffix(req.URL.Path, "/") {
forwardedURI = forwardedURI + "/"
}
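Review bot: The trailing-slash check right after the changed line still tests `req.URL.Path`, while `path.Join` now receives `req.URL.EscapedPath()`, so the two can disagree. For a request path ending in an encoded slash (`%2F`), the decoded `Path` ends in "/" but the escaped form does not, so the header value gets an extra "/" appended after `%2F`. Testing the string that was actually joined, `if strings.HasSuffix(req.URL.EscapedPath(), "/") {`, keeps them consistent, and a table case in TestProxyTransport with a source URL ending in `%2F` would pin the behaviour. `t.PathPrepend` is still joined unescaped, so the header mixes raw and escaped segments if the prefix can ever hold reserved characters. RoundTrip's body continues outside the hunk.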


@ -197,6 +197,14 @@ func TestProxyTransport(t *testing.T) {
contentType: "text/html",
forwardedURI: "/proxy/node/node1:10250/logs/log.log",
},
"forwarded URI must be escaped": {
input: "<html></html>",
sourceURL: "http://mynode.com/logs/log.log%00<script>alert(1)</script>",
transport: testTransport,
output: "<html></html>",
contentType: "text/html",
forwardedURI: "/proxy/node/node1:10250/logs/log.log%00%3Cscript%3Ealert%281%29%3C/script%3E",
},
}
testItem := func(name string, item *Item) {