Reject invalid whitespace in HM url_path value

Plain whitespace characters in url_path must be rejected because
they may allow authorized users to inject arbitrary HAProxy
directives in the configuration of amphorae.

Story: 2008994
Task: 42656
Change-Id: I0f4c59a2928f2a813171109aaf73a1d7dff9eefe
(cherry picked from commit 251fab17b5)
This commit is contained in:
Tom Weininger 2022-03-22 10:02:24 +01:00
parent c6da46ea8d
commit 9afb3af6bb
3 changed files with 17 additions and 0 deletions

View File

@ -55,6 +55,7 @@ def url_path(url_path):
p_url = rfc3986.urlparse(rfc3986.normalize_uri(url_path))
invalid_path = (
re.search(r"\s", url_path) or
p_url.scheme or p_url.userinfo or p_url.host or
p_url.port or
p_url.path is None or

View File

@ -44,6 +44,15 @@ class TestValidations(base.TestCase):
self.assertRaises(exceptions.InvalidURL, validate.url,
'ssh://www.example.com/')
def test_validate_url_path(self):
self.assertTrue(validate.url_path('/foo'))
self.assertTrue(validate.url_path('/foo%0Abar'))
def test_validate_bad_url_path(self):
self.assertRaises(exceptions.InvalidURLPath, validate.url_path, 'foo')
self.assertRaises(exceptions.InvalidURLPath, validate.url_path,
'/foo\nbar')
def test_validate_header_name(self):
ret = validate.header_name('Some-header')
self.assertTrue(ret)

View File

@ -0,0 +1,7 @@
---
issues:
- |
Fixed configuration issue which allowed authenticated and authorized
users to inject code into HAProxy configuration using API requests.
Octavia API no longer accepts unencoded whitespace characters in url_path values
in update requests for healthmonitors.