Validate L7Rule value and cookie name
Adds validations in L7 rule and session cookie APIs in order to prevent authenticated and authorized users to inject code into HAProxy configuration. CR and LF (\r and \n) are no longer allowed in L7 rule keys and values. The session persistence cookie names must follow the rules described in https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie. Story: 2008994 Task: 44859 Change-Id: Ic370e9edc3fb5548e9cf0d66b85df66e01c41e79 (cherry picked from commit3cf866dbc0
) (cherry picked from commit133ec4763d
)
This commit is contained in:
parent
d668e1f205
commit
c30aa9df22
@ -69,8 +69,11 @@ class L7RulePOST(BaseL7Type):
|
|||||||
compare_type = wtypes.wsattr(
|
compare_type = wtypes.wsattr(
|
||||||
wtypes.Enum(str, *constants.SUPPORTED_L7RULE_COMPARE_TYPES),
|
wtypes.Enum(str, *constants.SUPPORTED_L7RULE_COMPARE_TYPES),
|
||||||
mandatory=True)
|
mandatory=True)
|
||||||
key = wtypes.wsattr(wtypes.StringType(max_length=255))
|
key = wtypes.wsattr(wtypes.StringType(max_length=255,
|
||||||
value = wtypes.wsattr(wtypes.StringType(max_length=255), mandatory=True)
|
pattern=r'^[^\r\n]*$'))
|
||||||
|
value = wtypes.wsattr(wtypes.StringType(max_length=255,
|
||||||
|
pattern=r'^[^\r\n]*$'),
|
||||||
|
mandatory=True)
|
||||||
invert = wtypes.wsattr(bool, default=False)
|
invert = wtypes.wsattr(bool, default=False)
|
||||||
admin_state_up = wtypes.wsattr(bool, default=True)
|
admin_state_up = wtypes.wsattr(bool, default=True)
|
||||||
# TODO(johnsom) Remove after deprecation (R series)
|
# TODO(johnsom) Remove after deprecation (R series)
|
||||||
@ -90,8 +93,10 @@ class L7RulePUT(BaseL7Type):
|
|||||||
compare_type = wtypes.wsattr(
|
compare_type = wtypes.wsattr(
|
||||||
wtypes.Enum(str,
|
wtypes.Enum(str,
|
||||||
*constants.SUPPORTED_L7RULE_COMPARE_TYPES))
|
*constants.SUPPORTED_L7RULE_COMPARE_TYPES))
|
||||||
key = wtypes.wsattr(wtypes.StringType(max_length=255))
|
key = wtypes.wsattr(wtypes.StringType(max_length=255,
|
||||||
value = wtypes.wsattr(wtypes.StringType(max_length=255))
|
pattern=r'^[^\r\n]*$'))
|
||||||
|
value = wtypes.wsattr(wtypes.StringType(max_length=255,
|
||||||
|
pattern=r'^[^\r\n]*$'))
|
||||||
invert = wtypes.wsattr(bool)
|
invert = wtypes.wsattr(bool)
|
||||||
admin_state_up = wtypes.wsattr(bool)
|
admin_state_up = wtypes.wsattr(bool)
|
||||||
tags = wtypes.wsattr(wtypes.ArrayType(wtypes.StringType(max_length=255)))
|
tags = wtypes.wsattr(wtypes.ArrayType(wtypes.StringType(max_length=255)))
|
||||||
|
@ -33,8 +33,11 @@ class SessionPersistencePOST(types.BaseType):
|
|||||||
"""Defines mandatory and optional attributes of a POST request."""
|
"""Defines mandatory and optional attributes of a POST request."""
|
||||||
type = wtypes.wsattr(wtypes.Enum(str, *constants.SUPPORTED_SP_TYPES),
|
type = wtypes.wsattr(wtypes.Enum(str, *constants.SUPPORTED_SP_TYPES),
|
||||||
mandatory=True)
|
mandatory=True)
|
||||||
cookie_name = wtypes.wsattr(wtypes.StringType(max_length=255),
|
# pattern of invalid characters is based on
|
||||||
default=None)
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
|
||||||
|
cookie_name = wtypes.wsattr(wtypes.StringType(
|
||||||
|
max_length=255, pattern=r'^[^\s,;\\]+$'),
|
||||||
|
default=None)
|
||||||
persistence_timeout = wtypes.wsattr(wtypes.IntegerType(), default=None)
|
persistence_timeout = wtypes.wsattr(wtypes.IntegerType(), default=None)
|
||||||
persistence_granularity = wtypes.wsattr(types.IPAddressType(),
|
persistence_granularity = wtypes.wsattr(types.IPAddressType(),
|
||||||
default=None)
|
default=None)
|
||||||
@ -43,8 +46,11 @@ class SessionPersistencePOST(types.BaseType):
|
|||||||
class SessionPersistencePUT(types.BaseType):
|
class SessionPersistencePUT(types.BaseType):
|
||||||
"""Defines attributes that are acceptable of a PUT request."""
|
"""Defines attributes that are acceptable of a PUT request."""
|
||||||
type = wtypes.wsattr(wtypes.Enum(str, *constants.SUPPORTED_SP_TYPES))
|
type = wtypes.wsattr(wtypes.Enum(str, *constants.SUPPORTED_SP_TYPES))
|
||||||
cookie_name = wtypes.wsattr(wtypes.StringType(max_length=255),
|
# pattern of invalid characters is based on
|
||||||
default=None)
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
|
||||||
|
cookie_name = wtypes.wsattr(wtypes.StringType(
|
||||||
|
max_length=255, pattern=r'^[^\s,;\\]+$'),
|
||||||
|
default=None)
|
||||||
persistence_timeout = wtypes.wsattr(wtypes.IntegerType(), default=None)
|
persistence_timeout = wtypes.wsattr(wtypes.IntegerType(), default=None)
|
||||||
persistence_granularity = wtypes.wsattr(types.IPAddressType(),
|
persistence_granularity = wtypes.wsattr(types.IPAddressType(),
|
||||||
default=None)
|
default=None)
|
||||||
|
@ -67,12 +67,26 @@ class TestL7RulePOST(base.BaseTypesTest):
|
|||||||
body)
|
body)
|
||||||
|
|
||||||
def test_invalid_value(self):
|
def test_invalid_value(self):
|
||||||
body = {"type": "notvalid",
|
body = {"type": constants.L7RULE_TYPE_PATH,
|
||||||
"compare_type": constants.L7RULE_COMPARE_TYPE_STARTS_WITH,
|
"compare_type": constants.L7RULE_COMPARE_TYPE_STARTS_WITH,
|
||||||
"value": 123}
|
"value": 123}
|
||||||
self.assertRaises(exc.InvalidInput, wsme_json.fromjson, self._type,
|
self.assertRaises(exc.InvalidInput, wsme_json.fromjson, self._type,
|
||||||
body)
|
body)
|
||||||
|
|
||||||
|
def test_invalid_value_whitespace(self):
|
||||||
|
body = {"type": constants.L7RULE_TYPE_PATH,
|
||||||
|
"compare_type": constants.L7RULE_COMPARE_TYPE_STARTS_WITH,
|
||||||
|
"value": "12\n3"}
|
||||||
|
self.assertRaises(exc.InvalidInput, wsme_json.fromjson, self._type,
|
||||||
|
body)
|
||||||
|
|
||||||
|
def test_invalid_key_whitespace(self):
|
||||||
|
body = {"type": constants.L7RULE_TYPE_PATH,
|
||||||
|
"compare_type": constants.L7RULE_COMPARE_TYPE_STARTS_WITH,
|
||||||
|
"key": "12\n3"}
|
||||||
|
self.assertRaises(exc.InvalidInput, wsme_json.fromjson, self._type,
|
||||||
|
body)
|
||||||
|
|
||||||
def test_invalid_invert(self):
|
def test_invalid_invert(self):
|
||||||
body = {"type": constants.L7RULE_TYPE_PATH,
|
body = {"type": constants.L7RULE_TYPE_PATH,
|
||||||
"compare_type": constants.L7RULE_COMPARE_TYPE_STARTS_WITH,
|
"compare_type": constants.L7RULE_COMPARE_TYPE_STARTS_WITH,
|
||||||
@ -139,6 +153,16 @@ class TestL7RulePUT(base.BaseTypesTest):
|
|||||||
self.assertRaises(exc.InvalidInput, wsme_json.fromjson, self._type,
|
self.assertRaises(exc.InvalidInput, wsme_json.fromjson, self._type,
|
||||||
body)
|
body)
|
||||||
|
|
||||||
|
def test_invalid_value_linefeed(self):
|
||||||
|
body = {"value": "12\n3"}
|
||||||
|
self.assertRaises(exc.InvalidInput, wsme_json.fromjson, self._type,
|
||||||
|
body)
|
||||||
|
|
||||||
|
def test_invalid_key_linefeed(self):
|
||||||
|
body = {"key": "12\n3"}
|
||||||
|
self.assertRaises(exc.InvalidInput, wsme_json.fromjson, self._type,
|
||||||
|
body)
|
||||||
|
|
||||||
def test_invalid_invert(self):
|
def test_invalid_invert(self):
|
||||||
body = {"invert": "notvalid"}
|
body = {"invert": "notvalid"}
|
||||||
self.assertRaises(ValueError, wsme_json.fromjson, self._type,
|
self.assertRaises(ValueError, wsme_json.fromjson, self._type,
|
||||||
|
@ -210,7 +210,17 @@ class TestSessionPersistencePOST(base.BaseTypesTest, TestSessionPersistence):
|
|||||||
self.assertRaises(exc.InvalidInput, wsme_json.fromjson, self._type,
|
self.assertRaises(exc.InvalidInput, wsme_json.fromjson, self._type,
|
||||||
body)
|
body)
|
||||||
|
|
||||||
|
def test_invalid_app_cookie_name(self):
|
||||||
|
body = {"cookie_name": "cookie,monster"}
|
||||||
|
self.assertRaises(exc.InvalidInput, wsme_json.fromjson, self._type,
|
||||||
|
body)
|
||||||
|
|
||||||
|
|
||||||
class TestSessionPersistencePUT(base.BaseTypesTest, TestSessionPersistence):
|
class TestSessionPersistencePUT(base.BaseTypesTest, TestSessionPersistence):
|
||||||
|
|
||||||
_type = pool_type.SessionPersistencePUT
|
_type = pool_type.SessionPersistencePUT
|
||||||
|
|
||||||
|
def test_invalid_app_cookie_name(self):
|
||||||
|
body = {"cookie_name": "cookie\nmonster"}
|
||||||
|
self.assertRaises(exc.InvalidInput, wsme_json.fromjson, self._type,
|
||||||
|
body)
|
||||||
|
@ -0,0 +1,9 @@
|
|||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
Fixed validations in L7 rule and session cookie APIs in order to prevent
|
||||||
|
authenticated and authorized users to inject code into HAProxy
|
||||||
|
configuration. CR and LF (\r and \n) are no longer allowed in L7 rule
|
||||||
|
keys and values. The session persistence cookie names must follow the rules
|
||||||
|
described in
|
||||||
|
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie.
|
Loading…
Reference in New Issue
Block a user