Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[3.4] Backport disable redirects in peer communication #17112

Merged
merged 1 commit into from
Dec 13, 2023
Merged

[3.4] Backport disable redirects in peer communication #17112

merged 1 commit into from
Dec 13, 2023

Conversation

ivanvc
Copy link
Member

@ivanvc ivanvc commented Dec 13, 2023

Disable following redirects from peer HTTP communication on the client's side. Etcd server may run into SSRF (Server-side request forgery) when adding a new member. If users provide a malicious peer URL, the existing etcd members may be redirected to another unexpected internal URL when getting the new member's version.

Related to #16969

Please read https://github.com/etcd-io/etcd/blob/main/CONTRIBUTING.md#contribution-flow.

@ivanvc
server: disable redirects in peer communication
838cd9a 
Disable following redirects from peer HTTP communication on the client's side.
Etcd server may run into SSRF (Server-side request forgery) when adding a new
member. If users provide a malicious peer URL, the existing etcd members may be
redirected to another unexpected internal URL when getting the new member's
version.

Signed-off-by: Ivan Valdes <ivan@vald.es>
@k8s-ci-robot
Copy link

Hi @ivanvc. Thanks for your PR.

I'm waiting for a etcd-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

jmhbnz
jmhbnz approved these changes Dec 13, 2023
View reviewed changes
Copy link
Member

@jmhbnz jmhbnz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - Thanks @ivanvc

ahrtr
ahrtr approved these changes Dec 13, 2023
View reviewed changes
Copy link
Member

@ahrtr ahrtr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

Could you add a chanagelog item for 3.4? Thanks

@ahrtr ahrtr merged commit 4fe68b4 into etcd-io:release-3.4 Dec 13, 2023
12 checks passed
@ivanvc ivanvc deleted the release-3.4-backport-ssrf branch December 13, 2023 20:00
@ivanvc
Copy link
Member Author

ivanvc commented Dec 13, 2023

lgtm

Could you add a chanagelog item for 3.4? Thanks

Should I do the same for 3.5?

@jmhbnz
Copy link
Member

jmhbnz commented Dec 13, 2023

Should I do the same for 3.5?

There is an existing 3.5 changelog 443af24. I do note we only called out the member addition as that was the perceived security risk. Let's add something similar for 3.4, can maybe make the message a bit broader.

@ivanvc ivanvc mentioned this pull request Dec 13, 2023
Merged
@ahrtr ahrtr mentioned this pull request Jan 8, 2024
Closed
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ahrtr ahrtr ahrtr approved these changes

@jmhbnz jmhbnz jmhbnz approved these changes

Assignees
No one assigned
Labels
ok-to-test
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@ivanvc @k8s-ci-robot @jmhbnz @ahrtr