Skip to content
This repository has been archived by the owner on Apr 17, 2019. It is now read-only.

Make echoheaders nginx container escape &<> to prevent XSS. #2629

Closed
wants to merge 1 commit into from
Closed

Make echoheaders nginx container escape &<> to prevent XSS. #2629

wants to merge 1 commit into from

Conversation

rmmh
Copy link
Contributor

@rmmh rmmh commented Jun 10, 2017

Tested locally by doing make container; docker run --rm -p 8080:8080 gcr.io/google_containers/echoserver:1.4 and then curl 'localhost:8080/xss-<&>'.

Intentionally not bumping the image tag because that would require multiple patches against old branches to pick up the newer version, and this change is relatively small and safe!

@rmmh rmmh assigned mml Jun 10, 2017
@k8s-github-robot
Copy link

[APPROVALNOTIFIER] This PR is NOT APPROVED

The following people have approved this PR: rmmh

Needs approval from an approver in each of these OWNERS Files:

We suggest the following people:
cc @bprashanth
You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jun 10, 2017
@k8s-reviewable
Copy link

This change is Reviewable

@bprashanth
Copy link

Please add X-XSS-Protection: 1; mode=block to force the browser to render placeholders instead of sanitizing content. If that's not enough, please check if there's a standard markup sanitization library you can use instead of doing it yourself, to offload the burden of proof.

Since this is just a toy container, I'm fine with those going in as follow ups whenever you have time. LGTM.

@bprashanth
Copy link

@aledbf might also have some sage suggestions for the follow up

@bprashanth bprashanth added the lgtm Indicates that a PR is ready to be merged. label Jun 10, 2017
@rmmh
Copy link
Contributor Author

rmmh commented Jun 12, 2017
edited
Loading

Those headers won't help, this is specifically a problem with an overly-sensitive XSS scanner with rules about old IE content sniffing, which doesn't support CSP. The page is served as text/plain, so any modern browser won't be vulnerable to XSS. And XSS against a random IP isn't useful anyways, so...

@bprashanth can you do /approve too?

@rmmh
Copy link
Contributor Author

rmmh commented Jun 13, 2017

Replaced with escape function from a Lua templating engine. It was simpler to inline than to figure out the packaging system for nginx.

@k8s-github-robot
Copy link

/lgtm cancel //PR changed after LGTM, removing LGTM. @aledbf @bprashanth @mml @rmmh

@k8s-github-robot k8s-github-robot removed the lgtm Indicates that a PR is ready to be merged. label Jun 13, 2017
@bprashanth
Copy link

Ah, no i mean apply the headers for the case they would help (i.e typical xss).
/approve

@bprashanth bprashanth added the lgtm Indicates that a PR is ready to be merged. label Jun 14, 2017
@aledbf
Copy link
Contributor

aledbf commented Jun 14, 2017

@rmmh @bprashanth we moved the image to https://github.com/kubernetes/ingress/tree/master/images/echoheaders

@aledbf
Copy link
Contributor

aledbf commented Jun 14, 2017

this is the new output kubernetes/ingress-nginx#785

@aledbf
Copy link
Contributor

aledbf commented Jun 14, 2017

@rmmh can you open the PR in the new repository?

@rmmh
Copy link
Contributor Author

rmmh commented Jun 15, 2017

Ported to kubernetes/ingress-nginx#865

@rmmh rmmh closed this Jun 15, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@rmmh @k8s-github-robot @k8s-reviewable @bprashanth @aledbf @mml @k8s-ci-robot