Controller: Several security fixes. (#13069)

Co-authored-by: Tabitha Sable <tabitha.c.sable@gmail.com>
2025-03-25 00:00:39 +01:00 · 2025-03-25 00:00:39 +01:00 · 626305229f
commit 626305229f
parent cfd4d89a56
7 changed files with 36 additions and 15 deletions
--- a/test/e2e/admission/admission.go
+++ b/test/e2e/admission/admission.go
@ -26,7 +26,6 @@ import (

 	"github.com/onsi/ginkgo/v2"
 	"github.com/stretchr/testify/assert"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

 	"k8s.io/ingress-nginx/test/e2e/framework"
@ -99,6 +98,8 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller",
 		assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid path should return an error")
 	})

+	/* Deactivated to mitigate CVE-2025-1974
+	// TODO: Implement sandboxing so this test can be done safely
 	ginkgo.It("should return an error if there is an error validating the ingress definition", func() {
 		disableSnippet := f.AllowSnippetConfiguration()
 		defer disableSnippet()
@ -112,6 +113,7 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller",
 		_, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{})
 		assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid configuration should return an error")
 	})
+	*/

 	ginkgo.It("should return an error if there is an invalid value in some annotation", func() {
 		host := admissionTestHost
@ -207,6 +209,8 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller",
 			Status(http.StatusOK)
 	})

+	/* Deactivated to mitigate CVE-2025-1974
+	// TODO: Implement sandboxing so this test can be done safely
 	ginkgo.It("should return an error if the Ingress V1 definition contains invalid annotations", func() {
 		disableSnippet := f.AllowSnippetConfiguration()
 		defer disableSnippet()
@ -220,6 +224,7 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller",
 			assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid configuration should return an error")
 		}
 	})
+	*/

 	ginkgo.It("should not return an error for an invalid Ingress when it has unknown class", func() {
 		disableSnippet := f.AllowSnippetConfiguration()
--- a/test/e2e/annotations/mirror.go
+++ b/test/e2e/annotations/mirror.go
@ -43,7 +43,7 @@ var _ = framework.DescribeAnnotation("mirror-*", func() {

 		f.WaitForNginxServer(host,
 			func(server string) bool {
-				return strings.Contains(server, fmt.Sprintf("mirror /_mirror-%v;", ing.UID)) &&
+				return strings.Contains(server, fmt.Sprintf("mirror \"/_mirror-%v\";", ing.UID)) &&
 					strings.Contains(server, "mirror_request_body on;")
 			})
 	})
@ -58,7 +58,7 @@ var _ = framework.DescribeAnnotation("mirror-*", func() {

 		f.WaitForNginxServer(host,
 			func(server string) bool {
-				return strings.Contains(server, fmt.Sprintf("mirror /_mirror-%v;", ing.UID)) &&
+				return strings.Contains(server, fmt.Sprintf("mirror \"/_mirror-%v\";", ing.UID)) &&
 					strings.Contains(server, "mirror_request_body on;") &&
 					strings.Contains(server, `proxy_pass "https://test.env.com/$request_uri";`)
 			})
@ -75,7 +75,7 @@ var _ = framework.DescribeAnnotation("mirror-*", func() {

 		f.WaitForNginxServer(host,
 			func(server string) bool {
-				return strings.Contains(server, fmt.Sprintf("mirror /_mirror-%v;", ing.UID)) &&
+				return strings.Contains(server, fmt.Sprintf("mirror \"/_mirror-%v\";", ing.UID)) &&
 					strings.Contains(server, "mirror_request_body off;")
 			})
 	})