fix path cleaning of proxied urls#22671
Conversation
sanikachavan5
added
backport/all
| // handler, can't backtrack far enough to eat into the BaseURL either. But we | ||
| // leave this in anyway in case something changes in the future. | ||
| if !strings.HasPrefix(u.String(), cfg.BaseURL) { | ||
|
|
There was a problem hiding this comment.
can we add UT for this
.changelog/22671.txt
Outdated
There was a problem hiding this comment.
Nit : security: Fixed proxied URL path validation to prevent path traversal.
dduzgun-security
left a comment
dduzgun-security
left a comment
There was a problem hiding this comment.
Thanks a lot for working on this, I've added few comments on the PR to review
sanikachavan5
force-pushed
the
sanikachavan5/SECVULN-25362-fix-path-cleaning-of-proxied-urls
branch
from
341333c to
0753e55
Compare
dduzgun-security
left a comment
dduzgun-security
left a comment
There was a problem hiding this comment.
LGTM, thanks for addressing the comments.
hc-github-team-consul-core
added
the
backport/1.21
* fix path cleaning of proxied urls * add changelog * added more tests * add tests and address review comments * address review changes
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.18,1.19,1.20,1.21] please perform the backport manually and add the following snippet to your backport PR description: |
7 similar comments
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.18,1.19,1.20,1.21] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.18,1.19,1.20,1.21] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.18,1.19,1.20,1.21] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.18,1.19,1.20,1.21] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.18,1.19,1.20,1.21] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.18,1.19,1.20,1.21] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.18,1.19,1.20,1.21] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description: |
4 similar comments
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description: |
* add timeouts to prevent slowloris attacks * rename * fix tests * fix test * fix failing test * add docs and tests * lint issues * Added support for IPv6 virtual IP offset calculation and validation. (#22741) * - Added support for IPv6 virtual IP offset calculation and validation. - Upgraded `github.com/miekg/dns` dependency to v1.1.68. - Included `BindAddr` in agent endpoint and enabled binding logic in IP offset calculations. - Updated `go.mod` and `go.sum` to reflect dependency changes. * Refactored `addIPOffset` to utilize `BindAddr` and introduced `getAgentBindAddr` for improved binding logic and IP offset calculation. Added utility function isDualStack * Executed go mod tidy * Refactored network utilities into `netutil` package and updated `catalog.go` to use new functions for improved modularity and clarity. Removed duplicate implementations of `GetAgentConfig` and `isDualStack`. * Added comprehensive unit tests for `netutil` package covering `GetAgentConfig`, `GetAgentBindAddr`, and `IsDualStack`. Refactored functions to support mocking for improved testability. * only retaining utility function changes. * added changelog * Latest Envoy version update - default v1.34.7 (#22735) * docs: Additional entries for versioned redirects (#22694) * "Get started" section redirects * deploy & secure * Consul operations complete * register & discover * Finish service networking * Enterprise, Runtimes, and Plugins sections * Reference docs * added BinAddr field in agent/self API response (#22761) * PKCE and Adding private key JWT support for OIDC (#22732) * Adding private key JWT support for OIDC * Submodules Version upgrade (#22776) * [CSL-11760] [Envoy Bootstrap] Defaults to IPv6 for admin-bind and grpc-addr in dual stack if its empty (#22763) * add: func to check dual-stack configuration * add: testcases for dual-stack of admin-bind and grpc adrr * envoy: admin-bind and grpc-addr dual-stack defaults to ipv6 * fix(review comment): creates a constant for loopback address * add: debug log to verify recieved isDualStack value * add: changelog file added * update: changelog file * fix: correct format specifier * fix(review): make constant for default envoy admin port * Update .changelog/22763.txt Co-authored-by: Sreeram Narayanan <sreeram.narayanan@hashicorp.com> * fix: TestAgent_Monitor flaky test --------- Co-authored-by: Sreeram Narayanan <sreeram.narayanan@hashicorp.com> * update: default upstream.local_bind_address to ::1 for IPv6 agent bind address (#22773) * update: default upstream.local_bind_address to ::1 for IPv6 agent bind addr * add: changelog --------- Co-authored-by: Mukul Anand <mukul.anand@hashicorp.com> * update: set proxy.local_service_address to ::1 for IPv6 agent bind addr (#22772) * update: set proxy.local_service_address to ::1 for IPv6 agent bind addr * add: changelog --------- Co-authored-by: Mukul Anand <mukul.anand@hashicorp.com> * update: default proxy BindAddress to :: for IPv6 agent bind addr (#22774) * update: default proxy BindAddress to :: for IPv6 agent bind addr * add: changelog * fixing conflicts --------- Co-authored-by: Mukul Anand <mukul.anand@hashicorp.com> * Consul ENT default version change #22783 (#22784) * [Bugfix]: suppress lacks token permission while checking dual stack (#22788) fix: suppress lacks token permission while checking dual stack * updated redhat image to latest (#22794) * Suppress CVEs (#22801) * redhat version revert (#22806) redhat image version revert to 9.6 * Suppress CVE-2025-6395 (#22808) * fix path cleaning of proxied urls (#22671) * fix path cleaning of proxied urls * add changelog * added more tests * add tests and address review comments * address review changes * remove usage of dynamic GitHub actions variable (#22725) use hardcoded names for preventing attacks * Multi Port Service Discovery (#22769) 1. Support for registering a service with multiple named ports 2. The named ports can be used in DNS queries to discover ports based on usecase * add timeouts to prevent slowloris attacks * Delete .changelog/22625.txt * doc changes * run codegen * simplify error handling * test: add long-running profile and trace tests for pprof handlers * changelog: update security note to clarify HTTP server timeout configurations against Slowloris attacks test: remove short test skip for HTTP server timeout tests --------- Co-authored-by: nitin-sachdev-29 <nitin.sachdev@hashicorp.com> Co-authored-by: LakshmiNarayananDesikan <lakshminarayanan.desikan@hashicorp.com> Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Co-authored-by: mansi991999 <mansi.panchal@hashicorp.com> Co-authored-by: anilvpatel <anilkumarvinodbhai.patel@hashicorp.com> Co-authored-by: Sreeram Narayanan <sreeram.narayanan@hashicorp.com> Co-authored-by: Mukul Anand <mukul.anand@hashicorp.com> Co-authored-by: Manisha Kumari <manisha.kumari@hashicorp.com> Co-authored-by: Sriram R <sriramr083@gmail.com>
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description: |
23 similar comments
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description: |
|
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description: |
5 participants
Description
This pull request addresses a security issue in the
UIMetricsProxyhandler by improving how proxied URL paths are cleaned and validated to prevent path traversal attacks. The main focus is on ensuring that user-supplied paths cannot escape the intended base URL, even in edge cases.Security improvements to URL path handling:
path.Cleanwith a leading slash to ensure that any../segments are properly removed, preventing path traversal attacks. (agent/ui_endpoint.go)agent/ui_endpoint.go)Base URL validation enhancements:
agent/ui_endpoint.go)Testing & Reproduction steps
Links
PR Checklist
PCI review checklist
I have documented a clear reason for, and description of, the change I am making.
If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
If applicable, I've documented the impact of any changes to security controls.
Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.