Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: drop path normalization to MERGE_SLASHES to allow apps to handle encoded slashes #330

Merged
merged 16 commits into from
Apr 11, 2024
Merged

fix: drop path normalization to MERGE_SLASHES to allow apps to handle encoded slashes #330

merged 16 commits into from
Apr 11, 2024

Conversation

Racer159
Copy link
Contributor

@Racer159 Racer159 commented Apr 5, 2024
edited

Description

PR to address DECODE_AND_MERGE_SLASHES causing issues in certain applications. Gives the ability to selectively turn this off in a namespace with the UDSPackage CR.

Related Issue

Fixes #288

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Other (security config, docs update, etc)

Checklist before merging

@Racer159 Racer159 changed the title feat: add configurable encoded slash handling behavior to s feat: add configurable encoded slash handling behavior to UDSPackages Apr 5, 2024
@Racer159 Racer159 changed the title feat: add configurable encoded slash handling behavior to UDSPackages feat: add configurable encoded slash handling behavior to UDSPackage Apr 5, 2024
@Racer159
Copy link
Contributor Author

Racer159 commented Apr 5, 2024

Post changes with retain slashes set to true:
image
Pre changes (and without retain slashes):
image

(Decided to leave path normalization on except for decoding slashes since it shouldn't really hurt anything - I don't know of any apps that expect double slashes or other weird slash configs)

@Racer159 Racer159 marked this pull request as ready for review April 5, 2024 17:24
@Racer159 Racer159 requested a review from a team as a code owner April 5, 2024 17:24
jeff-mccoy
jeff-mccoy previously requested changes Apr 6, 2024
View reviewed changes
Copy link
Member

@jeff-mccoy jeff-mccoy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Holding this one hostage until we discuss further, I really don't think we should do this and would rather remove the Istio Path Normalization than add all this complexity.

@Racer159
Copy link
Contributor Author

Racer159 commented Apr 7, 2024

Holding this one hostage until we discuss further, I really don't think we should do this and would rather remove the Istio Path Normalization than add all this complexity.

Yep got no problem with that, was fun learning more about Istio anyway 😅

@bburky
Copy link
Member

bburky commented Apr 8, 2024
edited

@jeff-mccoy

Holding this one hostage until we discuss further, I really don't think we should do this and would rather remove the Istio Path Normalization than add all this complexity.

Ok.

We'll likely be unable to use path-based AuthorizationPolices with any confidence across all of UDS without careful review of each app individually. I would have liked to have had the ability to use AuthorizationPolices to apply CVE mitigations on UDS apps, see #288 (comment) for more context. In theory we can still do this, but we'll have to review each app's URL decoding implementation before doing so.

For Keycloak specifically, MERGE_SLASHES seems to be sufficient. I did some light manual testing, and //admin is still blocked (redirected) with MERGE_SLASHES, /%2fadmin is now a keycloak error (good, not allowed through). A cursory review of the source code (in vertx via quarkus via keycloak), suggests only alpha, didgit, hyphen, period, underscore and tilde characters are URL decoded:
https://github.com/eclipse-vertx/vert.x/blob/5832acf2fb22ed0301c396d4c3a7c316005e2939/src/main/java/io/vertx/core/http/impl/HttpUtils.java#L317-L329

At least MERGE_SLASHES level of normalization is required if we use path-based AuthorizationPolicies on Keycloak, because Keycloak merges // into / (example: //admin is a valid URL). This is because Keycloak implements this non-standard (but common, as they note) normalization:
https://github.com/eclipse-vertx/vert.x/blob/5832acf2fb22ed0301c396d4c3a7c316005e2939/src/main/java/io/vertx/core/http/impl/HttpUtils.java#L390-L393

@Racer159 Racer159 changed the title feat: add configurable encoded slash handling behavior to UDSPackage fix: drop path normalization to MERGE_SLASHES to allow apps to handle encoded slashes Apr 8, 2024
@Racer159 Racer159 requested a review from jeff-mccoy April 8, 2024 18:08
mjnagel
mjnagel approved these changes Apr 10, 2024
View reviewed changes
Copy link
Contributor

@mjnagel mjnagel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thanks for the fix here!

@mjnagel mjnagel dismissed jeff-mccoy’s stale review April 10, 2024 21:51

Dismissing this as the target change pivoted from the original envoyfilter approach.

@mjnagel mjnagel merged commit 26e965f into main Apr 11, 2024
9 checks passed
@mjnagel mjnagel deleted the 288-allow-configure-decode-slashes branch April 11, 2024 13:56
@github-actions github-actions bot mentioned this pull request Apr 11, 2024
Merged
mjnagel pushed a commit that referenced this pull request Apr 12, 2024
@github-actions
chore(main): release 0.19.0 (#320)
4ce502b 
🤖 I have created a release *beep* *boop*
---


##
[0.19.0](v0.18.0...v0.19.0)
(2024-04-12)


### Features

* add nightly testing eks
([#250](#250))
([543b09d](543b09d))


### Bug Fixes

* drop path normalization to MERGE_SLASHES to allow apps to handle
encoded slashes
([#330](#330))
([26e965f](26e965f))
* loki bucket configuration service_account and namespace
([#332](#332))
([9518634](9518634))


### Miscellaneous

* **deps:** update grafana
([#257](#257))
([c98e566](c98e566))
* **deps:** update metrics-server
([#298](#298))
([691fd87](691fd87))
* **deps:** update pepr
([#324](#324))
([2ef0f96](2ef0f96))
* **deps:** update pepr to v0.28.7
([#321](#321))
([e7206bb](e7206bb))
* **deps:** update promtail
([#74](#74))
([6a112b5](6a112b5))
* **deps:** update zarf to v0.32.6
([#282](#282))
([443426d](443426d))
* **deps:** update zarf to v0.33.0
([#325](#325))
([f2a2a66](f2a2a66))
* update codeowners
([#338](#338))
([c419574](c419574))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mjnagel mjnagel mjnagel approved these changes

@jeff-mccoy jeff-mccoy Awaiting requested review from jeff-mccoy

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Istio DECODE_AND_MERGE_SLASHES option breaks GitLab
4 participants
@Racer159 @bburky @jeff-mccoy @mjnagel