github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-20 10:20:51 +00:00
Code Issues Projects Releases Wiki Activity

Limit redirect proxy handling to redirected responses

Browse Source
This commit is contained in:
Jordan Liggitt 2022-09-16 21:24:41 -04:00
parent 661899f1a1
commit a7e079680a
No known key found for this signature in database
2 changed files with 22 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go
View File

@ -263,7 +263,7 @@ func (h *UpgradeAwareHandler) ServeHTTP(w http.ResponseWriter, req *http.Request
oldModifyResponse := proxy.ModifyResponse oldModifyResponse := proxy.ModifyResponse
proxy.ModifyResponse = func(response *http.Response) error { proxy.ModifyResponse = func(response *http.Response) error {
code := response.StatusCode code := response.StatusCode
if code >= 300 && code <= 399 { if code >= 300 && code <= 399 && len(response.Header.Get("Location")) > 0 {
// close the original response // close the original response
response.Body.Close() response.Body.Close()
msg := "the backend attempted to redirect this request, which is not permitted" msg := "the backend attempted to redirect this request, which is not permitted"

21
staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware_test.go
View File

@ -710,6 +710,7 @@ func TestRejectForwardingRedirectsOption(t *testing.T) {
name string name string
rejectForwardingRedirects bool rejectForwardingRedirects bool
serverStatusCode int serverStatusCode int
redirect string
expectStatusCode int expectStatusCode int
expectBody []byte expectBody []byte
}{ }{
@ -724,9 +725,25 @@ func TestRejectForwardingRedirectsOption(t *testing.T) {
name: "reject redirection enabled in proxy, backend server sending 301 response", name: "reject redirection enabled in proxy, backend server sending 301 response",
rejectForwardingRedirects: true, rejectForwardingRedirects: true,
serverStatusCode: 301, serverStatusCode: 301,
redirect: "/",
expectStatusCode: 502, expectStatusCode: 502,
expectBody: []byte(`the backend attempted to redirect this request, which is not permitted`), expectBody: []byte(`the backend attempted to redirect this request, which is not permitted`),
}, },
{
name: "reject redirection enabled in proxy, backend server sending 304 response with a location header",
rejectForwardingRedirects: true,
serverStatusCode: 304,
redirect: "/",
expectStatusCode: 502,
expectBody: []byte(`the backend attempted to redirect this request, which is not permitted`),
},
{
name: "reject redirection enabled in proxy, backend server sending 304 response with no location header",
rejectForwardingRedirects: true,
serverStatusCode: 304,
expectStatusCode: 304,
expectBody: []byte{}, // client doesn't read the body for 304 responses
},
{ {
name: "reject redirection disabled in proxy, backend server sending 200 response", name: "reject redirection disabled in proxy, backend server sending 200 response",
rejectForwardingRedirects: false, rejectForwardingRedirects: false,
@ -738,6 +755,7 @@ func TestRejectForwardingRedirectsOption(t *testing.T) {
name: "reject redirection disabled in proxy, backend server sending 301 response", name: "reject redirection disabled in proxy, backend server sending 301 response",
rejectForwardingRedirects: false, rejectForwardingRedirects: false,
serverStatusCode: 301, serverStatusCode: 301,
redirect: "/",
expectStatusCode: 301, expectStatusCode: 301,
expectBody: originalBody, expectBody: originalBody,
}, },
@ -746,6 +764,9 @@ func TestRejectForwardingRedirectsOption(t *testing.T) {
t.Run(tc.name, func(t *testing.T) { t.Run(tc.name, func(t *testing.T) {
// Set up a backend server // Set up a backend server
backendServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { backendServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if tc.redirect != "" {
w.Header().Set("Location", tc.redirect)
}
w.WriteHeader(tc.serverStatusCode) w.WriteHeader(tc.serverStatusCode)
w.Write(originalBody) w.Write(originalBody)
})) }))