Controller: Several security fixes. (#13069)

Co-authored-by: Tabitha Sable <tabitha.c.sable@gmail.com>
2025-03-25 00:00:39 +01:00 · 2025-03-25 00:00:39 +01:00 · 626305229f
commit 626305229f
parent cfd4d89a56
7 changed files with 36 additions and 15 deletions
--- a/internal/ingress/annotations/auth/main.go
+++ b/internal/ingress/annotations/auth/main.go
@ -19,6 +19,7 @@ package auth
 import (
 	"fmt"
 	"os"
+	"path/filepath"
 	"regexp"
 	"strings"

@ -203,16 +204,24 @@ func (a auth) Parse(ing *networking.Ingress) (interface{}, error) {
 		return nil, err
 	}

-	passFilename := fmt.Sprintf("%v/%v-%v-%v.passwd", a.authDirectory, ing.GetNamespace(), ing.UID, secret.UID)
+	passFileName := fmt.Sprintf("%v-%v-%v.passwd", ing.GetNamespace(), ing.UID, secret.UID)
+	passFilePath := filepath.Join(a.authDirectory, passFileName)
+
+	// Ensure password file name does not contain any path traversal characters.
+	if a.authDirectory != filepath.Dir(passFilePath) || passFileName != filepath.Base(passFilePath) {
+		return nil, ing_errors.LocationDeniedError{
+			Reason: fmt.Errorf("invalid password file name: %s", passFileName),
+		}
+	}

 	switch secretType {
 	case fileAuth:
-		err = dumpSecretAuthFile(passFilename, secret)
+		err = dumpSecretAuthFile(passFilePath, secret)
 		if err != nil {
 			return nil, err
 		}
 	case mapAuth:
-		err = dumpSecretAuthMap(passFilename, secret)
+		err = dumpSecretAuthMap(passFilePath, secret)
 		if err != nil {
 			return nil, err
 		}
@ -225,9 +234,9 @@ func (a auth) Parse(ing *networking.Ingress) (interface{}, error) {
 	return &Config{
 		Type:       at,
 		Realm:      realm,
-		File:       passFilename,
+		File:       passFilePath,
 		Secured:    true,
-		FileSHA:    file.SHA1(passFilename),
+		FileSHA:    file.SHA1(passFilePath),
 		Secret:     name,
 		SecretType: secretType,
 	}, nil
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@ -420,11 +420,15 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error {
 		return err
 	}

+	/* Deactivated to mitigate CVE-2025-1974
+	// TODO: Implement sandboxing so this test can be done safely
 	err = n.testTemplate(content)
 	if err != nil {
 		n.metricCollector.IncCheckErrorCount(ing.ObjectMeta.Namespace, ing.Name)
 		return err
 	}
+	*/
+
 	n.metricCollector.IncCheckCount(ing.ObjectMeta.Namespace, ing.Name)
 	endCheck := time.Now().UnixNano() / 1000000
 	n.metricCollector.SetAdmissionMetrics(
--- a/internal/ingress/controller/controller_test.go
+++ b/internal/ingress/controller/controller_test.go
@ -250,6 +250,8 @@ func TestCheckIngress(t *testing.T) {
 			}
 		})

+		/* Deactivated to mitigate CVE-2025-1974
+		// TODO: Implement sandboxing so this test can be done safely
 		t.Run("When nginx test returns an error", func(t *testing.T) {
 			nginx.command = testNginxTestCommand{
 				t:        t,
@ -261,6 +263,7 @@ func TestCheckIngress(t *testing.T) {
 				t.Errorf("with a new ingress with an error, an error should be returned")
 			}
 		})
+		*/

 		t.Run("When the default annotation prefix is used despite an override", func(t *testing.T) {
 			defer func() {
--- a/internal/ingress/controller/template/template.go
+++ b/internal/ingress/controller/template/template.go
@ -1627,11 +1627,11 @@ func buildMirrorLocations(locs []*ingress.Location) string {
 		mapped.Insert(loc.Mirror.Source)
 		buffer.WriteString(fmt.Sprintf(`location = %v {
 internal;
-proxy_set_header Host "%v";
-proxy_pass "%v";
+proxy_set_header Host %v;
+proxy_pass %v;
 }

-`, loc.Mirror.Source, loc.Mirror.Host, loc.Mirror.Target))
+`, strconv.Quote(loc.Mirror.Source), strconv.Quote(loc.Mirror.Host), strconv.Quote(loc.Mirror.Target)))
 	}

 	return buffer.String()