Add path rewrite to radar_gateway

Nginx decodes the uri before passing it to the backend server. This is dangerous because it can allow for XSS attacks. Grizzly servers have a bug where they send the decoded uri as part of error messages (see Graylog2/graylog2-server#3171). To prevent this, we need to re-encode the uri ($request_uri is the original encoded request) before passing it to the Grizzly server.
RADAR-base · Apr 11, 2024 · a9919fe · a9919fe
1 parent 71859d3
commit a9919fe
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/etc/radar-gateway/values.yaml b/etc/radar-gateway/values.yaml
@@ -0,0 +1,8 @@
+ingress:
+  annotations:
+    # Nginx decodes the uri before passing it to the backend server. This is dangerous because it can allow for XSS
+    # attacks. Grizzly servers have a bug where they send the decoded uri as part of error messages (see
+    # https://github.com/Graylog2/graylog2-server/issues/3171). To prevent this, we need to re-encode the uri
+    # ($request_uri is the original encoded request) before passing it to the Grizzly server.
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      rewrite ^ $request_uri;
diff --git a/helmfile.d/20-ingestion.yaml b/helmfile.d/20-ingestion.yaml
@@ -13,6 +13,7 @@ releases:
     timeout: {{ add .Values.base_timeout .Values.radar_gateway._extra_timeout }}
     <<: *logFailedRelease    
     values:
+      - "../etc/radar-gateway/values.yaml"
       - {{ .Values.radar_gateway | toYaml | indent 8 | trim }}
       - {{ .Values.confluent_cloud | toYaml | indent 8 | trim }}
     set: