From 6b368c5031f1ef53189a5e91e247abc5f8c55e86 Mon Sep 17 00:00:00 2001
From: Damien Grisonnet
Date: Thu, 18 Nov 2021 11:40:42 +0100
Subject: [PATCH] apimachinery/pkg/util/proxy: escape forwarded URI

Escape the forwarded URI set in the round-tripper to prevent any kind of malicious injection into the "X-Forwarded-Uri" header.

Signed-off-by: Damien Grisonnet
---
 .../src/k8s.io/apimachinery/pkg/util/proxy/transport.go | 2 +-
 .../k8s.io/apimachinery/pkg/util/proxy/transport_test.go | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/staging/src/k8s.io/apimachinery/pkg/util/proxy/transport.go b/staging/src/k8s.io/apimachinery/pkg/util/proxy/transport.go
index 28c654676ee..e2af6d7413e 100644
--- a/staging/src/k8s.io/apimachinery/pkg/util/proxy/transport.go
+++ b/staging/src/k8s.io/apimachinery/pkg/util/proxy/transport.go
@@ -83,7 +83,7 @@ type Transport struct {
 // RoundTrip implements the http.RoundTripper interface
 func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
 	// Add reverse proxy headers.
-	forwardedURI := path.Join(t.PathPrepend, req.URL.Path)
+	forwardedURI := path.Join(t.PathPrepend, req.URL.EscapedPath())
 	if strings.HasSuffix(req.URL.Path, "/") {
 		forwardedURI = forwardedURI + "/"
 	}
diff --git a/staging/src/k8s.io/apimachinery/pkg/util/proxy/transport_test.go b/staging/src/k8s.io/apimachinery/pkg/util/proxy/transport_test.go
index 90816ffa524..74511eb36fd 100644
--- a/staging/src/k8s.io/apimachinery/pkg/util/proxy/transport_test.go
+++ b/staging/src/k8s.io/apimachinery/pkg/util/proxy/transport_test.go
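Review bot: The trailing-slash check on the line after the changed one still inspects the decoded `req.URL.Path`, while the joined value now comes from `req.URL.EscapedPath()`; when the raw path ends in an encoded slash (`%2F`) the two disagree, Path ends in "/" but the escaped form does not, and the header gets a spurious "/" appended. Computing the escaped form once and using it in both places keeps the header a faithful copy of what the client sent: `escapedPath := req.URL.EscapedPath()`, `forwardedURI := path.Join(t.PathPrepend, escapedPath)`, `if strings.HasSuffix(escapedPath, "/") {`. A why-comment on the changed line would also help the next reader, e.g. `// Use the escaped path so the header carries the request's encoded form rather than decoded bytes.`. Note that `t.PathPrepend` is joined unescaped and `path.Join` cleans dot segments, so the prefix is presumably assumed to be operator-controlled rather than client-influenced. RoundTrip continues past the end of this hunk.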
@@ -197,6 +197,14 @@ func TestProxyTransport(t *testing.T) {
 			contentType: "text/html",
 			forwardedURI: "/proxy/node/node1:10250/logs/log.log",
 		},
+		"forwarded URI must be escaped": {
+			input: "",
+			sourceURL: "http://mynode.com/logs/log.log%00",
+			transport: testTransport,
+			output: "",
+			contentType: "text/html",
+			forwardedURI: "/proxy/node/node1:10250/logs/log.log%00%3Cscript%3Ealert%281%29%3C/script%3E",
+		},
 	}
 
 	testItem := func(name string, item *Item) {
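Review bot: The expected `forwardedURI` in the new case carries a `%3Cscript%3E…` suffix that does not appear in `sourceURL`, so the relation presumably comes from the test harness outside this hunk; a one-line comment on the case saying where that suffix originates would make the expectation readable on its own. The case also covers only a NUL byte and angle brackets; a companion case whose raw path ends in an encoded slash (`%2F`) or a literal trailing "/" would pin how the escaped join interacts with the trailing-slash re-append in RoundTrip, which this change leaves keyed on the decoded path. TestProxyTransport begins before this hunk.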