From a9919fefda9973c1d82e4aeeb1959e33d712fbde Mon Sep 17 00:00:00 2001
From: Pim van Nierop
Date: Thu, 11 Apr 2024 12:09:24 +0200
Subject: [PATCH] Add path rewrite to radar_gateway

Nginx decodes the uri before passing it to the backend server. This is dangerous because it can allow for XSS attacks. Grizzly servers have a bug where they send the decoded uri as part of error messages (see https://github.com/Graylog2/graylog2-server/issues/3171). To prevent this, we need to re-encode the uri ($request_uri is the original encoded request) before passing it to the Grizzly server.
---
 etc/radar-gateway/values.yaml | 8 ++++++++
 helmfile.d/20-ingestion.yaml | 1 +
 2 files changed, 9 insertions(+)
 create mode 100644 etc/radar-gateway/values.yaml

diff --git a/etc/radar-gateway/values.yaml b/etc/radar-gateway/values.yaml
new file mode 100644
index 00000000..22efb53a
--- /dev/null
+++ b/etc/radar-gateway/values.yaml
@@ -0,0 +1,8 @@
+ingress:
+ annotations:
+ # Nginx decodes the uri before passing it to the backend server. This is dangerous because it can allow for XSS
+ # attacks. Grizzly servers have a bug where they send the decoded uri as part of error messages (see
+ # https://github.com/Graylog2/graylog2-server/issues/3171). To prevent this, we need to re-encode the uri
+ # ($request_uri is the original encoded request) before passing it to the Grizzly server.
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ rewrite ^ $request_uri;
\ No newline at end of file
diff --git a/helmfile.d/20-ingestion.yaml b/helmfile.d/20-ingestion.yaml
index 422d122f..0356f95a 100644
--- a/helmfile.d/20-ingestion.yaml
+++ b/helmfile.d/20-ingestion.yaml
@@ -13,6 +13,7 @@ releases:
 timeout: {{ add .Values.base_timeout .Values.radar_gateway._extra_timeout }}
 <<: *logFailedRelease
 values:
+ - "../etc/radar-gateway/values.yaml"
 - {{ .Values.radar_gateway | toYaml | indent 8 | trim }}
 - {{ .Values.confluent_cloud | toYaml | indent 8 | trim }}
 set:
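Review bot: `rewrite ^ $request_uri;` in the configuration-snippet carries no `break`/`last` flag, so what the upstream actually receives depends on nginx's post-rewrite handling rather than on this line alone: once a rewrite changes the URI inside a location, nginx re-resolves the location and, as far as I recall, a `proxy_pass` with no URI part re-escapes the changed `$uri` instead of forwarding the raw request line, which can yield a double-encoded path or a rewrite cycle rather than the single-encoded path the comment intends. The usual form of this idiom pins the result with a second rewrite, e.g. `rewrite ^/(.*) /$1 break;` directly after the first line, and the outcome should be verified by sending a request whose path contains a percent-encoded character and checking the path the gateway logs. Two caveats belong in the comment as well: `$request_uri` includes the query string, so the query is carried through the rewrite too, and `configuration-snippet` is only honoured when the controller has `allow-snippet-annotations` enabled; if it is off, the rewrite silently never applies and the upstream sees the decoded path again. The comment should also say that this only masks the Grizzly error-message reflection for traffic through this ingress; the upstream bug tracked in the linked issue remains.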