Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(router) use normalized request URI when matching against incoming user requests #6821

Merged
merged 2 commits into from
Feb 9, 2021
Merged

fix(router) use normalized request URI when matching against incoming user requests #6821

merged 2 commits into from
Feb 9, 2021

Conversation

dndx
Copy link
Member

@dndx dndx commented Feb 9, 2021

No description provided.

@dndx dndx added this to the 2.3.2 milestone Feb 9, 2021
@dndx dndx requested a review from bungle February 9, 2021 16:46
dndx added 2 commits February 9, 2021 09:03
@dndx
fix(router) use normalized request URI when matching against incoming
3ab34bd 
user requests

Previously Kong's Router have been matching against raw user request
URI, that is, URI without being normalized.

In this commit we change the behavior of Kong Router to always match
against normalized URIs from user. Since Kong Router plays an
important role in generating the URI when proxying to the upstream, it
means that upstream will always see request URIs after normalization as
well.

Note that we can not use the `ngx.var.uri` variable directly in
normalizing the request URI, because it decodes reserved characters as
defined by RFC 3986, which is prohibited by the RFC.
@dndx
fix(runloop) re-encode special characters before sending to upstream
3440eaa 
By default, Nginx's proxy module will escape special characters inside
the upstream request path when generating the request, however, this
behavior is lacking if the request path is overwritten with a variable
at the end of the `proxy_pass` directive (which is what Kong does).

This PR restores that behavior so that the request Kong generates to the
upstream will still follow the HTTP RFC after the router normalization.
@dndx dndx force-pushed the fix/router_normalization branch from deca492 to 3440eaa Compare February 9, 2021 17:04
@gszr gszr merged commit faa4b6d into master Feb 9, 2021
@gszr gszr deleted the fix/router_normalization branch February 9, 2021 17:59
@bungle bungle mentioned this pull request Feb 22, 2021
Closed
@DG-Wangtao DG-Wangtao mentioned this pull request Feb 24, 2021
Closed
bungle added a commit that referenced this pull request Feb 25, 2021
@bungle
fix(router) sanitize path postfix
858d873 
### Summary

The PR #6821 by @dndx implemented path normalization, but there is another case with path stripping where
the uri postfix is not sanitized correctly for a better security. This commit fixes that.
@bungle bungle mentioned this pull request Feb 25, 2021
Merged
bungle added a commit that referenced this pull request Mar 2, 2021
@bungle
fix(router) sanitize path postfix (#6868)
e97fef0 
### Summary

The PR #6821 by @dndx implemented path normalization, but there is another case with path stripping where
the uri postfix is not sanitized correctly for a better security. This commit fixes that.
This was referenced Mar 10, 2021
Closed
Closed
@ctessier
Copy link

Hi @dndx

I am trying to figure out whether my stack (which uses Kong 2.0.5) is vulnerable to this security issue.
Do you have more information about what use cases this feature fixes?

Thank you

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bungle bungle bungle approved these changes

@kikito kikito kikito approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
2.3.2
Development

Successfully merging this pull request may close these issues.
5 participants
@dndx @ctessier @kikito @bungle @gszr