Merge "Reject invalid whitespace in HM url_path value"

2022-05-05 14:59:07 +00:00 · 2022-05-05 14:59:07 +00:00 · 226a4001aa
parent 331296e754 251fab17b5
commit 226a4001aa
3 changed files with 17 additions and 0 deletions
--- a/octavia/common/validate.py
+++ b/octavia/common/validate.py
@ -55,6 +55,7 @@ def url_path(url_path):
        p_url = rfc3986.urlparse(rfc3986.normalize_uri(url_path))

        invalid_path = (
+            re.search(r"\s", url_path) or
            p_url.scheme or p_url.userinfo or p_url.host or
            p_url.port or
            p_url.path is None or
--- a/octavia/tests/unit/common/test_validate.py
+++ b/octavia/tests/unit/common/test_validate.py
@ -44,6 +44,15 @@ class TestValidations(base.TestCase):
        self.assertRaises(exceptions.InvalidURL, validate.url,
                          'ssh://www.example.com/')

+    def test_validate_url_path(self):
+        self.assertTrue(validate.url_path('/foo'))
+        self.assertTrue(validate.url_path('/foo%0Abar'))
+
+    def test_validate_bad_url_path(self):
+        self.assertRaises(exceptions.InvalidURLPath, validate.url_path, 'foo')
+        self.assertRaises(exceptions.InvalidURLPath, validate.url_path,
+                          '/foo\nbar')
+
    def test_validate_header_name(self):
        ret = validate.header_name('Some-header')
        self.assertTrue(ret)
--- a/releasenotes/notes/validate-url_path-value-in-requests-3eb3adedcd696433.yaml
+++ b/releasenotes/notes/validate-url_path-value-in-requests-3eb3adedcd696433.yaml
@ -0,0 +1,7 @@
+---
+issues:
+  - |
+    Fixed configuration issue which allowed authenticated and authorized
+    users to inject code into HAProxy configuration using API requests.
+    Octavia API no longer accepts unencoded whitespace characters in url_path values
+    in update requests for healthmonitors.