From 9afb3af6bb44cff6b0b0d92ed8b87c910cab4092 Mon Sep 17 00:00:00 2001
From: Tom Weininger
Date: Tue, 22 Mar 2022 10:02:24 +0100
Subject: [PATCH] Reject invalid whitespace in HM url_path value

Plain whitespace characters in url_path must be rejected because they may allow authorized users to inject arbitrary HAProxy directives in the configuration of amphorae.

Story: 2008994
Task: 42656

Change-Id: I0f4c59a2928f2a813171109aaf73a1d7dff9eefe
(cherry picked from commit 251fab17b51f99f1f0c1cce4985693993d8fb957)
---
 octavia/common/validate.py | 1 +
 octavia/tests/unit/common/test_validate.py | 9 +++++++++
 ...date-url_path-value-in-requests-3eb3adedcd696433.yaml | 7 +++++++
 3 files changed, 17 insertions(+)
 create mode 100644 releasenotes/notes/validate-url_path-value-in-requests-3eb3adedcd696433.yaml

diff --git a/octavia/common/validate.py b/octavia/common/validate.py
index c6fef1c257..b51eb98909 100644
--- a/octavia/common/validate.py
+++ b/octavia/common/validate.py
@@ -55,6 +55,7 @@ def url_path(url_path):
 p_url = rfc3986.urlparse(rfc3986.normalize_uri(url_path))

 invalid_path = (
+ re.search(r"\s", url_path) or
 p_url.scheme or p_url.userinfo or p_url.host or
 p_url.port or
 p_url.path is None or
diff --git a/octavia/tests/unit/common/test_validate.py b/octavia/tests/unit/common/test_validate.py
index a40191e74d..1a1261115d 100644
--- a/octavia/tests/unit/common/test_validate.py
+++ b/octavia/tests/unit/common/test_validate.py
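Review bot: The new `re.search(r"\s", url_path)` guard relies on `re` being imported in validate.py, and the hunk adds no import; the module presumably already has it, but nothing visible here shows that, so it is worth confirming before merge. The line also deserves a why-comment, since the reason is a rendering concern rather than URL syntax: `# Reject raw (unencoded) whitespace before parsing: the value is rendered into the HAProxy config, where a newline would terminate the directive.` Note that for `str` patterns `\s` matches Unicode whitespace as well as ASCII, which is the stricter and intended behaviour and could be stated in that comment. Being a deny-list, the check says nothing about other control characters; if the template does not escape the value, an allow-list of RFC 3986 path characters would be the more robust guard, but whether that is needed cannot be judged from this hunk. `url_path` begins and ends outside the hunk.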
@@ -44,6 +44,15 @@ class TestValidations(base.TestCase):
 self.assertRaises(exceptions.InvalidURL, validate.url,
 'ssh://www.example.com/')

+ def test_validate_url_path(self):
+ self.assertTrue(validate.url_path('/foo'))
+ self.assertTrue(validate.url_path('/foo%0Abar'))
+
+ def test_validate_bad_url_path(self):
+ self.assertRaises(exceptions.InvalidURLPath, validate.url_path, 'foo')
+ self.assertRaises(exceptions.InvalidURLPath, validate.url_path,
+ '/foo\nbar')
+
 def test_validate_header_name(self):
 ret = validate.header_name('Some-header')
 self.assertTrue(ret)
diff --git a/releasenotes/notes/validate-url_path-value-in-requests-3eb3adedcd696433.yaml b/releasenotes/notes/validate-url_path-value-in-requests-3eb3adedcd696433.yaml
new file mode 100644
index 0000000000..8d010bfddb
--- /dev/null
+++ b/releasenotes/notes/validate-url_path-value-in-requests-3eb3adedcd696433.yaml
@@ -0,0 +1,7 @@
+---
+issues:
+ - |
+ Fixed configuration issue which allowed authenticated and authorized
+ users to inject code into HAProxy configuration using API requests.
+ Octavia API no longer accepts unencoded whitespace characters in url_path values
+ in update requests for healthmonitors.
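Review bot: `test_validate_bad_url_path` pins only an embedded newline, although the guard it exercises rejects every whitespace character, so a later narrowing of the pattern to `\n` alone would pass this test unnoticed. Add the other plain cases, e.g. `self.assertRaises(exceptions.InvalidURLPath, validate.url_path, '/foo bar')` and `self.assertRaises(exceptions.InvalidURLPath, validate.url_path, '/foo\tbar')`. The positive case `'/foo%0Abar'` in `test_validate_url_path` would read better with a one-line comment stating that percent-encoded whitespace is deliberately accepted, so the two tests document the boundary as a pair.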