From 3ed9768a5134697a3e0f9c3643ed0be5ebaf4bcc Mon Sep 17 00:00:00 2001
From: Michal Rostecki
Date: Mon, 11 Jul 2016 10:16:09 +0200
Subject: [PATCH] Make "attach" and "exec" rejection in proxy more explicit
The more explicit regular expression for rejection makes a possibility of accessing pods (or any other resources) which contain "attach" or "exec" in their names via proxy API. It was not possible before. Also, the reference for "run" resource was removed, because it doesn't exist in any of k8s APIs currently.
Fixes: #21464
---
 pkg/kubectl/proxy_server.go | 2 +-
 pkg/kubectl/proxy_server_test.go | 35 ++++++++++++++++++++++++++++----
 2 files changed, 32 insertions(+), 5 deletions(-)
diff --git a/pkg/kubectl/proxy_server.go b/pkg/kubectl/proxy_server.go
index 733a3f90f30..6f2108e04c1 100644
--- a/pkg/kubectl/proxy_server.go
+++ b/pkg/kubectl/proxy_server.go
@@ -35,7 +35,7 @@ import (
 const (
 DefaultHostAcceptRE = "^localhost$,^127\\.0\\.0\\.1$,^\\[::1\\]$"
 DefaultPathAcceptRE = "^/.*"
- DefaultPathRejectRE = "^/api/.*/exec,^/api/.*/run,^/api/.*/attach"
+ DefaultPathRejectRE = "^/api/.*/pods/.*/exec,^/api/.*/pods/.*/attach"
 DefaultMethodRejectRE = "POST,PUT,PATCH"
 )
diff --git a/pkg/kubectl/proxy_server_test.go b/pkg/kubectl/proxy_server_test.go
index 18b5118127f..ae536b91a8c 100644
--- a/pkg/kubectl/proxy_server_test.go
+++ b/pkg/kubectl/proxy_server_test.go
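Review bot: `DefaultPathRejectRE` in pkg/kubectl/proxy_server.go carries no comment saying what it protects, and among the defaults shown here it is the only one that stops a GET to a pod's exec or attach subresource, since `DefaultMethodRejectRE` lists only POST, PUT and PATCH and the tests in this patch reach exec with GET. Both new patterns are still open at the end and `.*` spans `/`, so any path with `/pods/` somewhere before a segment that merely starts with `exec` or `attach` is still rejected; that errs toward rejection, which is the safe direction for a deny list, but it means the false positives described in the commit message are reduced rather than removed. I would add above the constant: `// DefaultPathRejectRE is a comma-separated deny list; it blocks pod exec/attach, which DefaultMethodRejectRE does not cover for GET requests.` Any later tightening of these patterns (segment or end anchors) should come with reject tests for each path shape first, because a deny list that is too exact fails open.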
@@ -62,7 +62,34 @@ func TestAccept(t *testing.T) {
 acceptPaths: DefaultPathAcceptRE,
 rejectPaths: DefaultPathRejectRE,
 acceptHosts: DefaultHostAcceptRE,
- path: "/api/v1/pods/foo/exec",
+ path: "/api/v1/namespaces/default/pods/foo",
+ host: "localhost",
+ method: "GET",
+ expectAccept: true,
+ },
+ {
+ acceptPaths: DefaultPathAcceptRE,
+ rejectPaths: DefaultPathRejectRE,
+ acceptHosts: DefaultHostAcceptRE,
+ path: "/api/v1/namespaces/default/pods/attachfoo",
+ host: "localhost",
+ method: "GET",
+ expectAccept: true,
+ },
+ {
+ acceptPaths: DefaultPathAcceptRE,
+ rejectPaths: DefaultPathRejectRE,
+ acceptHosts: DefaultHostAcceptRE,
+ path: "/api/v1/namespaces/default/pods/execfoo",
+ host: "localhost",
+ method: "GET",
+ expectAccept: true,
+ },
+ {
+ acceptPaths: DefaultPathAcceptRE,
+ rejectPaths: DefaultPathRejectRE,
+ acceptHosts: DefaultHostAcceptRE,
+ path: "/api/v1/namespaces/default/pods/foo/exec",
 host: "127.0.0.1",
 method: "GET",
 expectAccept: false,
@@ -71,7 +98,7 @@ func TestAccept(t *testing.T) {
 acceptPaths: DefaultPathAcceptRE,
 rejectPaths: DefaultPathRejectRE,
 acceptHosts: DefaultHostAcceptRE,
- path: "/api/v1/pods/foo/attach",
+ path: "/api/v1/namespaces/default/pods/foo/attach",
 host: "127.0.0.1",
 method: "GET",
 expectAccept: false,
@@ -125,7 +152,7 @@ func TestAccept(t *testing.T) {
 acceptPaths: DefaultPathAcceptRE,
 rejectPaths: DefaultPathRejectRE,
 acceptHosts: DefaultHostAcceptRE,
- path: "/api/v1/pods/somepod",
+ path: "/api/v1/namespaces/default/pods/somepod",
 host: "localhost",
 method: "PUT",
 expectAccept: false,
@@ -134,7 +161,7 @@ func TestAccept(t *testing.T) {
 acceptPaths: DefaultPathAcceptRE,
 rejectPaths: DefaultPathRejectRE,
 acceptHosts: DefaultHostAcceptRE,
- path: "/api/v1/pods/somepod",
+ path: "/api/v1/namespaces/default/pods/somepod",
 host: "localhost",
 method: "PATCH",
 expectAccept: false,
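Review bot: The non-namespaced reject cases `/api/v1/pods/foo/exec` and `/api/v1/pods/foo/attach` are rewritten in the @@ -62 and @@ -71 hunks rather than kept, so after this patch no test pins that the narrowed deny list still rejects that path shape. The commit message also says that other resources with exec or attach in their names become reachable, yet every added accept case is a pod. I would keep the old rejects as extra table entries (attach in the same way as exec) and add one accept case for a non-pod resource, as sketched below. The service path is a constructed sample, and its expected result is derived from reading the new patterns, not from a test run. The test table and TestAccept start and end outside these hunks.

```go
// … unchanged: existing namespaced accept/reject entries …
{
	acceptPaths:  DefaultPathAcceptRE,
	rejectPaths:  DefaultPathRejectRE,
	acceptHosts:  DefaultHostAcceptRE,
	path:         "/api/v1/pods/foo/exec", // old non-namespaced form, must stay rejected
	host:         "127.0.0.1",
	method:       "GET",
	expectAccept: false,
},
{
	acceptPaths:  DefaultPathAcceptRE,
	rejectPaths:  DefaultPathRejectRE,
	acceptHosts:  DefaultHostAcceptRE,
	path:         "/api/v1/namespaces/default/services/execfoo", // constructed sample: non-pod resource
	host:         "localhost",
	method:       "GET",
	expectAccept: true,
},
```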