fix path cleaning of proxied urls #22671
Conversation
```go
// handler, can't backtrack far enough to eat into the BaseURL either. But we
// leave this in anyway in case something changes in the future.
if !strings.HasPrefix(u.String(), cfg.BaseURL) {
```
Can we add a UT for this?
.changelog/22671.txt
Outdated
| @@ -0,0 +1,3 @@ | |||
| ```release-note:security | |||
| security: Fix path cleaning of proxied urls. | |||
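Review bot: the release note "Fix path cleaning of proxied urls" names the mechanism but not the affected component or the impact, so an operator reading the changelog cannot tell what was exposed; since the PR description identifies the UIMetricsProxy handler and path traversal past the configured base URL, state both in the note (for example `security: Fixed proxied URL path validation in the UI metrics proxy to prevent path traversal`) and capitalize "URLs". The hunk header says three lines were added but only two are visible here; confirm the third is the closing ``` fence, otherwise the release-note block will not parse.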
Nit: security: Fixed proxied URL path validation to prevent path traversal.
dduzgun-security
left a comment
Thanks a lot for working on this, I've added a few comments on the PR to review.
341333c to 0753e55
dduzgun-security
left a comment
LGTM, thanks for addressing the comments.
* fix path cleaning of proxied urls
* add changelog
* added more tests
* add tests and address review comments
* address review changes
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.18,1.19,1.20,1.21] please perform the backport manually and add the following snippet to your backport PR description:
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19,1.21] please perform the backport manually and add the following snippet to your backport PR description:
📣 Hi @sanikachavan5! a backport is missing for this PR [22671] for versions [1.19] please perform the backport manually and add the following snippet to your backport PR description:
Description

This pull request addresses a security issue in the UIMetricsProxy handler by improving how proxied URL paths are cleaned and validated to prevent path traversal attacks. The main focus is on ensuring that user-supplied paths cannot escape the intended base URL, even in edge cases.

Security improvements to URL path handling:

* Use `path.Clean` with a leading slash to ensure that any `../` segments are properly removed, preventing path traversal attacks. (agent/ui_endpoint.go)
* (agent/ui_endpoint.go)

Base URL validation enhancements:

* (agent/ui_endpoint.go)

Testing & Reproduction steps
Links
PR Checklist
PCI review checklist
I have documented a clear reason for, and description of, the change I am making.
If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
If applicable, I've documented the impact of any changes to security controls.
Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.
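The description above gives the cleaning rule (force a leading slash before `path.Clean`, then re-check the result against the base URL), and the quoted review context shows the `strings.HasPrefix(u.String(), cfg.BaseURL)` guard that stays in as defence in depth. The following is an added example written for this page, not the PR's own code from agent/ui_endpoint.go: the function name `BuildProxiedURL`, the Prometheus-style base URL, and the percent-decoding step before cleaning are this example's assumptions. It shows why the leading slash matters (`path.Clean("../x")` is still `"../x"`, while `path.Clean("/../x")` collapses to `"/x"`) and that traversal attempts are neutralised into paths under the base rather than escaping it.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ErrEscapesBase is returned when the assembled URL no longer starts with the
// configured base URL. With the leading-slash clean below this should be
// unreachable; it is kept as the same belt-and-braces check the PR retains.
var ErrEscapesBase = errors.New("proxied path escapes configured base URL")

// BuildProxiedURL joins a user-supplied path onto baseURL the way a metrics
// proxy would, cleaning the path first so ".." segments cannot back out of the
// base path. The name and the percent-decoding step are assumptions of this
// example, not the project's API.
func BuildProxiedURL(baseURL, userPath string) (string, error) {
	base, err := url.Parse(baseURL)
	if err != nil {
		return "", err
	}

	// Only the path component is cleaned; the query string is passed through.
	rawPath, rawQuery, _ := strings.Cut(userPath, "?")

	// Decode percent-encoding first so "%2e%2e/" is treated exactly like "../".
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", err
	}

	// Forcing a leading "/" is the important step: path.Clean("../x") is
	// still "../x", but path.Clean("/../x") collapses to "/x", so no number
	// of ".." segments can survive as a relative prefix.
	cleaned := path.Clean("/" + decoded)

	// Append to the base path and clean once more so the result can never be
	// shorter than the base path itself. Only Path changes; host is untouched.
	u := *base
	u.Path = path.Clean(strings.TrimSuffix(base.Path, "/") + cleaned)
	u.RawPath = ""
	u.RawQuery = rawQuery

	// Defence in depth: the assembled URL must still start with the base URL.
	if !strings.HasPrefix(u.String(), strings.TrimSuffix(baseURL, "/")) {
		return "", ErrEscapesBase
	}
	return u.String(), nil
}

func main() {
	const base = "http://prometheus:9090/api/v1" // constructed example base URL
	for _, p := range []string{
		"query?query=up",
		"../../../etc/passwd",
		"%2e%2e/%2e%2e/admin?x=1",
		"",
	} {
		got, err := BuildProxiedURL(base, p)
		fmt.Printf("%-28q -> %q err=%v\n", p, got, err)
	}
}
```

Traversal input is not rejected but flattened: `../../../etc/passwd` becomes `/api/v1/etc/passwd` under the base, which is the behaviour the quoted comment describes when it says the handler "can't backtrack far enough to eat into the BaseURL". Decoding before cleaning matters because a request for `%2e%2e/` reaches the proxy as literal bytes and would otherwise slip past a check that only looks for `..`.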