Monkey kubeclient to not follow any redirects.
This should prevent a malicious server from responding with a location that would redirect us to, and thereby expose, internal services, as kubeclient's rest-client will no longer follow redirects.
This commit is contained in:
parent
160ed1d7a1
commit
6eb3fc69f6
2 changed files with 26 additions and 0 deletions
5
changelogs/unreleased/security-kubeclient-ssrf.yml
Normal file
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: Monkey kubeclient to not follow any redirects.
|
||||
merge_request:
|
||||
author:
|
||||
type: security
|
|
@ -13,4 +13,25 @@ class Kubeclient::Client
|
|||
ns_prefix = build_namespace_prefix(namespace)
|
||||
rest_client["#{ns_prefix}#{entity_name_plural}/#{name}:#{port}/proxy"].url
|
||||
end
|
||||
|
||||
# Monkey patch to set `max_redirects: 0`, so that kubeclient
|
||||
# does not follow redirects and expose internal services.
|
||||
# See https://gitlab.com/gitlab-org/gitlab-ce/issues/53158
|
||||
def create_rest_client(path = nil)
|
||||
path ||= @api_endpoint.path
|
||||
options = {
|
||||
ssl_ca_file: @ssl_options[:ca_file],
|
||||
ssl_cert_store: @ssl_options[:cert_store],
|
||||
verify_ssl: @ssl_options[:verify_ssl],
|
||||
ssl_client_cert: @ssl_options[:client_cert],
|
||||
ssl_client_key: @ssl_options[:client_key],
|
||||
proxy: @http_proxy_uri,
|
||||
user: @auth_options[:username],
|
||||
password: @auth_options[:password],
|
||||
open_timeout: @timeouts[:open],
|
||||
read_timeout: @timeouts[:read],
|
||||
max_redirects: 0
|
||||
}
|
||||
RestClient::Resource.new(@api_endpoint.merge(path).to_s, options)
|
||||
end
|
||||
end
|
||||
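Review bot: The override of `create_rest_client` copies kubeclient's whole option hash and adds `max_redirects: 0`, so any option the gem adds or renames in a later release is silently dropped here, and a gem upgrade could quietly weaken either TLS/proxy/auth handling or the redirect fix itself; the comment above the method should record which kubeclient version the body was copied from, and the initializer should fail loudly on drift, e.g. `raise "kubeclient upgraded, re-verify the create_rest_client override" unless Kubeclient::VERSION == "<PINNED_KUBECLIENT_VERSION>"`. The comment could also state the expected behaviour explicitly, e.g. `# With max_redirects: 0 rest-client raises on a 3xx instead of following it`, and a spec that stubs a 302 from the API server and asserts the request raises would pin that contract rather than relying on rest-client's default handling. Note that this only covers requests issued through `rest_client`; if this kubeclient version opens separate connections for watch streams, those presumably do not pass through this method and would need checking separately. The enclosing `class Kubeclient::Client` starts outside the hunk.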
|
|