Add option to sanitize annotation inputs #7874
Conversation
k8s-ci-robot
added
cncf-cla: yes
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rikatz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
| @@ -754,6 +762,9 @@ func NewDefault() Configuration { | |||
| defNginxStatusIpv6Whitelist := make([]string, 0) | |||
| defResponseHeaders := make([]string, 0) | |||
|
|
|||
| defAnnotationValueWordBlocklist := []string{"load_module", "lua_package", "_by_lua", "location", "root"} | |||
There was a problem hiding this comment.
should we add others like token etc?
There was a problem hiding this comment.
you are fast uh! haha! Yeah, this list should be updated I guess. I tried to add the dangerous ones!
There was a problem hiding this comment.
So what list do you think it's good to have here? When you say token, you say like the whole "/var/run/..." for the serviceaccount?
There was a problem hiding this comment.
I would also add probably proxy_pass directives, so someone cannot bypass the internal balancer for the evil :D
| } | ||
| firstIngress := framework.NewSingleIngress("first-ingress", "/", host, f.Namespace, framework.EchoService, 80, annotations) | ||
| _, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{}) | ||
| assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid annotation value should return an error") |
There was a problem hiding this comment.
Does it make sense to check if the correct err (message) is thrown?
There was a problem hiding this comment.
hum, I think we can do that yes. I would leave this anyway as a followup for some issue (feel free to open it!) to improve e2e tests in a sense that we not only verify if the error is not nil, but if error is what we expect (in all tests).
This can become a good first issue, wdyt?
There was a problem hiding this comment.
Good Idea, I will open one :)
|
Just saw one comment that might be related to this PR: kubernetes/kubernetes#126811. Just in case you missed it @rikatz |
| if parser.AnnotationsPrefix != parser.DefaultAnnotationsPrefix { | ||
| if strings.HasPrefix(key, fmt.Sprintf("%s/", parser.DefaultAnnotationsPrefix)) { | ||
| return fmt.Errorf("This deployment has a custom annotation prefix defined. Use '%s' instead of '%s'", parser.AnnotationsPrefix, parser.DefaultAnnotationsPrefix) | ||
| } | ||
| } | ||
| if strings.HasPrefix(key, fmt.Sprintf("%s/", parser.AnnotationsPrefix)) { | ||
| for _, forbiddenvalue := range arraybadWords { | ||
| if strings.Contains(value, forbiddenvalue) { |
There was a problem hiding this comment.
My only thought is if we need to run strings.TrimSpace every element as well, I’m afraid Contains may fail otherwise.
There was a problem hiding this comment.
can you give me one example? not following here (rainy day, a bit sleepy... :) )
There was a problem hiding this comment.
Here’s what I mean:
https://play.golang.org/p/mqWmLjoz63N
There was a problem hiding this comment.
@theunrealgeek GOOD CATCH!!! Thanks! I will quickly fix this and also add some regression / e2e test before releasing!
There was a problem hiding this comment.
But now I see that I do trimming a bit upper:
arraybadWords := strings.Split(strings.TrimSpace(cfg.AnnotationValueWordBlocklist), ",")
Don't this solve the problem?
There was a problem hiding this comment.
arraybadWords := strings.Split(strings.TrimSpace(cfg.AnnotationValueWordBlocklist), ",")
will only trim space at the beginning and end of the annotation value, but not in between elements that may exist around the commas which is what my example in the Go playground is pointing out.
In the default value this won’t be a problem since you are coming the CSV with a Join on the list, but for user overridden ones it will be hard to enforce that they don’t put spaces between the commas to make things more readable.
There was a problem hiding this comment.
ok, I see :) I was in my head thinking that trimSpace works for all the array, not only beginning and ending and you are right :)
Weirdly, when adding this to unit_test it passes as well, will have to check it better.
There was a problem hiding this comment.
Anyway, PTAL here: #7921
| t: t, | ||
| err: nil, | ||
| } | ||
| ing.ObjectMeta.Annotations["nginx.ingress.kubernetes.io/custom-headers"] = "invalid_directive" |
There was a problem hiding this comment.
With context of my previous comment, checking for another_directive would also perhaps be useful.
There was a problem hiding this comment.
https://github.com/kubernetes/ingress-nginx/pull/7921/files
Added here just to make sure it's working fine :)
| @@ -754,6 +760,20 @@ func NewDefault() Configuration { | |||
| defNginxStatusIpv6Whitelist := make([]string, 0) | |||
| defResponseHeaders := make([]string, 0) | |||
|
|
|||
| defAnnotationValueWordBlocklist := []string{ | |||
There was a problem hiding this comment.
Do we allow users to override the default value? Or should it be appended?
There was a problem hiding this comment.
They can override. Appending IMO is bad, as the idea of overriding is actually removing something that may be problematic for them (like, if you use mod_security directives you want to remove {} from the list)
|
/kind feature |
k8s-ci-robot
added
kind/feature
rikatz
added
the
lgtm
* Add option to sanitize annotation inputs * Fix e2e tests after string sanitization * Add proxy_pass and serviceaccount as denied values
* fix: fix thread synchronization issue #6245 (#7800) * Add option to sanitize annotation inputs (#7874) * Add option to sanitize annotation inputs * Fix e2e tests after string sanitization * Add proxy_pass and serviceaccount as denied values * Trim spaces from badword items (#7921) * Fix tests from cherrypick Co-authored-by: Jens Reimann <ctron@dentrassi.de>
* Add option to sanitize annotation inputs * Fix e2e tests after string sanitization * Add proxy_pass and serviceaccount as denied values
This PR adds two new items in ConfigMap:
Based on this, Ingress will drop objects that contians annotations with those words or chars. I'm still thinking about dropping the chars and keeping only the word validation (as chars are just words with 1 character...)
TODO: