Merge pull request #2344 from aledbf/xss-base-tag

Escape variables in add-base-url annotation
kubernetes · Apr 13, 2018 · 361e53f · 361e53f
2 parents 3fba5c0 + 82b6c33
commit 361e53f
Show file tree

Hide file tree

Showing 2 changed files with 76 additions and 62 deletions.
diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go
@@ -418,39 +418,43 @@ func buildProxyPass(host string, b interface{}, loc interface{}, dynamicConfigur
 	}
 
 	if len(location.Rewrite.Target) > 0 {
-		abu := ""
+		var abu string
+		var xForwardedPrefix string
+
 		if location.Rewrite.AddBaseURL {
 			// path has a slash suffix, so that it can be connected with baseuri directly
-			bPath := fmt.Sprintf("%s%s", path, "$baseuri")
+			bPath := fmt.Sprintf("%s$escaped_base_uri", path)
 			regex := `(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)`
+			scheme := "$scheme"
+
 			if len(location.Rewrite.BaseURLScheme) > 0 {
-				abu = fmt.Sprintf(`subs_filter '%v' '$1<base href="%v://$http_host%v">' ro;
-	    `, regex, location.Rewrite.BaseURLScheme, bPath)
-			} else {
-				abu = fmt.Sprintf(`subs_filter '%v' '$1<base href="$scheme://$http_host%v">' ro;
-	    `, regex, bPath)
+				scheme = location.Rewrite.BaseURLScheme
 			}
+
+			abu = fmt.Sprintf(`
+set_escape_uri $escaped_base_uri $baseuri;
+subs_filter '%v' '$1<base href="%v://$http_host%v">' ro;
+`, regex, scheme, bPath)
 		}
 
-		xForwardedPrefix := ""
 		if location.XForwardedPrefix {
-			xForwardedPrefix = fmt.Sprintf(`proxy_set_header X-Forwarded-Prefix "%s";
-	    `, path)
+			xForwardedPrefix = fmt.Sprintf("proxy_set_header X-Forwarded-Prefix \"%s\";\n", path)
 		}
+
 		if location.Rewrite.Target == slash {
 			// special case redirect to /
 			// ie /something to /
 			return fmt.Sprintf(`
-	    rewrite %s(.*) /$1 break;
-	    rewrite %s / break;
-	    %v%v %s://%s;
-	    %v`, path, location.Path, xForwardedPrefix, proxyPass, proto, upstreamName, abu)
+rewrite %s(.*) /$1 break;
+rewrite %s / break;
+%v%v %s://%s;
+%v`, path, location.Path, xForwardedPrefix, proxyPass, proto, upstreamName, abu)
 		}
 
 		return fmt.Sprintf(`
-	    rewrite %s(.*) %s/$1 break;
-	    %v%v %s://%s;
-	    %v`, path, location.Rewrite.Target, xForwardedPrefix, proxyPass, proto, upstreamName, abu)
+rewrite %s(.*) %s/$1 break;
+%v%v %s://%s;
+%v`, path, location.Rewrite.Target, xForwardedPrefix, proxyPass, proto, upstreamName, abu)
 	}
 
 	// default proxy_pass

diff --git a/internal/ingress/controller/template/template_test.go b/internal/ingress/controller/template/template_test.go
@@ -122,9 +122,9 @@ var (
 			"/jenkins",
 			"~* /",
 			`
-	    rewrite /(.*) /jenkins/$1 break;
-	    proxy_pass http://upstream-name;
-	    `,
+rewrite /(.*) /jenkins/$1 break;
+proxy_pass http://upstream-name;
+`,
 			false,
 			"",
 			false,
@@ -136,10 +136,10 @@ var (
 			"/",
 			`~* ^/something\/?(?<baseuri>.*)`,
 			`
-	    rewrite /something/(.*) /$1 break;
-	    rewrite /something / break;
-	    proxy_pass http://upstream-name;
-	    `,
+rewrite /something/(.*) /$1 break;
+rewrite /something / break;
+proxy_pass http://upstream-name;
+`,
 			false,
 			"",
 			false,
@@ -151,9 +151,9 @@ var (
 			"/not-root",
 			"~* ^/end-with-slash/(?<baseuri>.*)",
 			`
-	    rewrite /end-with-slash/(.*) /not-root/$1 break;
-	    proxy_pass http://upstream-name;
-	    `,
+rewrite /end-with-slash/(.*) /not-root/$1 break;
+proxy_pass http://upstream-name;
+`,
 			false,
 			"",
 			false,
@@ -165,9 +165,9 @@ var (
 			"/not-root",
 			`~* ^/something-complex\/?(?<baseuri>.*)`,
 			`
-	    rewrite /something-complex/(.*) /not-root/$1 break;
-	    proxy_pass http://upstream-name;
-	    `,
+rewrite /something-complex/(.*) /not-root/$1 break;
+proxy_pass http://upstream-name;
+`,
 			false,
 			"",
 			false,
@@ -179,10 +179,12 @@ var (
 			"/jenkins",
 			"~* /",
 			`
-	    rewrite /(.*) /jenkins/$1 break;
-	    proxy_pass http://upstream-name;
-	    subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/$baseuri">' ro;
-	    `,
+rewrite /(.*) /jenkins/$1 break;
+proxy_pass http://upstream-name;
+
+set_escape_uri $escaped_base_uri $baseuri;
+subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/$escaped_base_uri">' ro;
+`,
 			true,
 			"",
 			false,
@@ -194,11 +196,13 @@ var (
 			"/",
 			`~* ^/something\/?(?<baseuri>.*)`,
 			`
-	    rewrite /something/(.*) /$1 break;
-	    rewrite /something / break;
-	    proxy_pass http://upstream-name;
-	    subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/something/$baseuri">' ro;
-	    `,
+rewrite /something/(.*) /$1 break;
+rewrite /something / break;
+proxy_pass http://upstream-name;
+
+set_escape_uri $escaped_base_uri $baseuri;
+subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/something/$escaped_base_uri">' ro;
+`,
 			true,
 			"",
 			false,
@@ -210,10 +214,12 @@ var (
 			"/not-root",
 			`~* ^/end-with-slash/(?<baseuri>.*)`,
 			`
-	    rewrite /end-with-slash/(.*) /not-root/$1 break;
-	    proxy_pass http://upstream-name;
-	    subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/end-with-slash/$baseuri">' ro;
-	    `,
+rewrite /end-with-slash/(.*) /not-root/$1 break;
+proxy_pass http://upstream-name;
+
+set_escape_uri $escaped_base_uri $baseuri;
+subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/end-with-slash/$escaped_base_uri">' ro;
+`,
 			true,
 			"",
 			false,
@@ -225,10 +231,12 @@ var (
 			"/not-root",
 			`~* ^/something-complex\/?(?<baseuri>.*)`,
 			`
-	    rewrite /something-complex/(.*) /not-root/$1 break;
-	    proxy_pass http://upstream-name;
-	    subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/something-complex/$baseuri">' ro;
-	    `,
+rewrite /something-complex/(.*) /not-root/$1 break;
+proxy_pass http://upstream-name;
+
+set_escape_uri $escaped_base_uri $baseuri;
+subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/something-complex/$escaped_base_uri">' ro;
+`,
 			true,
 			"",
 			false,
@@ -240,11 +248,13 @@ var (
 			"/",
 			`~* ^/something\/?(?<baseuri>.*)`,
 			`
-	    rewrite /something/(.*) /$1 break;
-	    rewrite /something / break;
-	    proxy_pass http://upstream-name;
-	    subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="http://$http_host/something/$baseuri">' ro;
-	    `,
+rewrite /something/(.*) /$1 break;
+rewrite /something / break;
+proxy_pass http://upstream-name;
+
+set_escape_uri $escaped_base_uri $baseuri;
+subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="http://$http_host/something/$escaped_base_uri">' ro;
+`,
 			true,
 			"http",
 			false,
@@ -256,9 +266,9 @@ var (
 			"/something",
 			`~* /`,
 			`
-	    rewrite /(.*) /something/$1 break;
-	    proxy_pass http://sticky-upstream-name;
-	    `,
+rewrite /(.*) /something/$1 break;
+proxy_pass http://sticky-upstream-name;
+`,
 			false,
 			"http",
 			true,
@@ -270,9 +280,9 @@ var (
 			"/something",
 			`~* /`,
 			`
-	    rewrite /(.*) /something/$1 break;
-	    proxy_pass http://upstream_balancer;
-	    `,
+rewrite /(.*) /something/$1 break;
+proxy_pass http://upstream_balancer;
+`,
 			false,
 			"http",
 			true,
@@ -284,10 +294,10 @@ var (
 			"/something",
 			`~* ^/there\/?(?<baseuri>.*)`,
 			`
-	    rewrite /there/(.*) /something/$1 break;
-	    proxy_set_header X-Forwarded-Prefix "/there/";
-	    proxy_pass http://sticky-upstream-name;
-	    `,
+rewrite /there/(.*) /something/$1 break;
+proxy_set_header X-Forwarded-Prefix "/there/";
+proxy_pass http://sticky-upstream-name;
+`,
 			false,
 			"http",
 			true,