mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-08-05 02:09:56 +00:00
limit User-Agent max length 1024 and add ...TRUNCATED suffix
parent
a8b0ccc70c
commit
f0b1f1c2f6
@ -37,16 +37,20 @@ import (
|
|||||||
"k8s.io/apiserver/pkg/authorization/authorizer"
|
"k8s.io/apiserver/pkg/authorization/authorizer"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
maxUserAgentLength = 1024
|
||||||
|
userAgentTruncateSuffix = "...TRUNCATED"
|
||||||
|
)
|
||||||
|
|
||||||
func NewEventFromRequest(req *http.Request, level auditinternal.Level, attribs authorizer.Attributes) (*auditinternal.Event, error) {
|
func NewEventFromRequest(req *http.Request, level auditinternal.Level, attribs authorizer.Attributes) (*auditinternal.Event, error) {
|
||||||
ev := &auditinternal.Event{
|
ev := &auditinternal.Event{
|
||||||
RequestReceivedTimestamp: metav1.NewMicroTime(time.Now()),
|
RequestReceivedTimestamp: metav1.NewMicroTime(time.Now()),
|
||||||
Verb: attribs.GetVerb(),
|
Verb: attribs.GetVerb(),
|
||||||
RequestURI: req.URL.RequestURI(),
|
RequestURI: req.URL.RequestURI(),
|
||||||
UserAgent: req.UserAgent(),
|
UserAgent: maybeTruncateUserAgent(req),
|
||||||
|
Level: level,
|
||||||
}
|
}
|
||||||
|
|
||||||
ev.Level = level
|
|
||||||
|
|
||||||
// prefer the id from the headers. If not available, create a new one.
|
// prefer the id from the headers. If not available, create a new one.
|
||||||
// TODO(audit): do we want to forbid the header for non-front-proxy users?
|
// TODO(audit): do we want to forbid the header for non-front-proxy users?
|
||||||
ids := req.Header.Get(auditinternal.HeaderAuditID)
|
ids := req.Header.Get(auditinternal.HeaderAuditID)
|
||||||
@ -234,3 +238,13 @@ func LogAnnotations(ae *auditinternal.Event, annotations map[string]string) {
|
|||||||
LogAnnotation(ae, key, value)
|
LogAnnotation(ae, key, value)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// truncate User-Agent if too long, otherwise return it directly.
|
||||||
|
func maybeTruncateUserAgent(req *http.Request) string {
|
||||||
|
ua := req.UserAgent()
|
||||||
|
if len(ua) > maxUserAgentLength {
|
||||||
|
ua = ua[:maxUserAgentLength] + userAgentTruncateSuffix
|
||||||
|
}
|
||||||
|
|
||||||
|
return ua
|
||||||
|
}
|
||||||
|
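Review bot: `ua[:maxUserAgentLength]` in maybeTruncateUserAgent cuts at a byte offset, so a client-supplied User-Agent containing multi-byte UTF-8 can be split mid-rune, leaving an invalid sequence in the audit event just before the suffix. Backing the cut up to a rune boundary avoids that: start from `cut := maxUserAgentLength`, run `for cut > 0 && !utf8.RuneStart(ua[cut]) { cut-- }`, then slice with `ua[:cut]`. This needs `unicode/utf8`, and the import block is only partly visible in the first hunk. The stored value can also reach `maxUserAgentLength + len(userAgentTruncateSuffix)` bytes rather than 1024, which matters to any consumer that sizes the field. The doc comment should state that, for example `// maybeTruncateUserAgent returns the request's User-Agent, cut to maxUserAgentLength bytes plus userAgentTruncateSuffix when it is longer.`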
@ -17,9 +17,11 @@ limitations under the License.
|
|||||||
package audit
|
package audit
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"net/http"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
|
|
||||||
auditinternal "k8s.io/apiserver/pkg/apis/audit"
|
auditinternal "k8s.io/apiserver/pkg/apis/audit"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -36,3 +38,19 @@ func TestLogAnnotation(t *testing.T) {
|
|||||||
LogAnnotation(ev, "qux", "baz")
|
LogAnnotation(ev, "qux", "baz")
|
||||||
assert.Equal(t, "", ev.Annotations["qux"], "audit annotation should not be overwritten.")
|
assert.Equal(t, "", ev.Annotations["qux"], "audit annotation should not be overwritten.")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestMaybeTruncateUserAgent(t *testing.T) {
|
||||||
|
req := &http.Request{}
|
||||||
|
req.Header = http.Header{}
|
||||||
|
|
||||||
|
ua := "short-agent"
|
||||||
|
req.Header.Set("User-Agent", ua)
|
||||||
|
assert.Equal(t, ua, maybeTruncateUserAgent(req))
|
||||||
|
|
||||||
|
ua = ""
|
||||||
|
for i := 0; i < maxUserAgentLength*2; i++ {
|
||||||
|
ua = ua + "a"
|
||||||
|
}
|
||||||
|
req.Header.Set("User-Agent", ua)
|
||||||
|
assert.NotEqual(t, ua, maybeTruncateUserAgent(req))
|
||||||
|
}
|
||||||
|
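Review bot: The long-input case in TestMaybeTruncateUserAgent only asserts `NotEqual`, which would still pass if the function returned an empty string, dropped the suffix, or cut at the wrong length. Pin the exact result instead: `assert.Equal(t, ua[:maxUserAgentLength]+userAgentTruncateSuffix, maybeTruncateUserAgent(req))`. A case with a User-Agent of exactly `maxUserAgentLength` bytes, expected back unchanged, would cover the `>` boundary. `strings.Repeat("a", maxUserAgentLength*2)` could replace the concatenation loop, though it needs `strings` added to the test's imports.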