Use a named location for authSignURL (#4859)

2019-12-24 22:50:25 -03:00 · 2019-12-24 22:50:25 -03:00 · a0523c3c8a
commit a0523c3c8a
parent d83b83bc0d
6 changed files with 126 additions and 22 deletions
--- a/test/e2e/e2e.go
+++ b/test/e2e/e2e.go
@ -38,6 +38,7 @@ import (
 	_ "k8s.io/ingress-nginx/test/e2e/leaks"
 	_ "k8s.io/ingress-nginx/test/e2e/loadbalance"
 	_ "k8s.io/ingress-nginx/test/e2e/lua"
+	_ "k8s.io/ingress-nginx/test/e2e/security"
 	_ "k8s.io/ingress-nginx/test/e2e/servicebackend"
 	_ "k8s.io/ingress-nginx/test/e2e/settings"
 	_ "k8s.io/ingress-nginx/test/e2e/ssl"
--- a/test/e2e/security/request_smuggling.go
+++ b/test/e2e/security/request_smuggling.go
@ -0,0 +1,99 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package security
+
+import (
+	"bufio"
+	"fmt"
+	"net"
+	"strings"
+	"time"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+
+	"k8s.io/ingress-nginx/test/e2e/framework"
+)
+
+var _ = framework.IngressNginxDescribe("Request smuggling", func() {
+	f := framework.NewDefaultFramework("request-smuggling")
+
+	BeforeEach(func() {
+		f.NewEchoDeployment()
+	})
+
+	AfterEach(func() {
+	})
+
+	It("should not return body content from error_page", func() {
+		host := "foo.bar.com"
+
+		snippet := `
+server {
+	listen 80;
+	server_name notlocalhost;
+	location /_hidden/index.html {
+	return 200 'This should be hidden!';
+	}
+}`
+
+		f.UpdateNginxConfigMapData("http-snippet", snippet)
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, map[string]string{
+			"nginx.ingress.kubernetes.io/auth-signin": "https://httpbin.org/uuid",
+			"nginx.ingress.kubernetes.io/auth-url":    "https://httpbin.org/basic-auth/user/passwd",
+		})
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, fmt.Sprintf("server_name %v", host))
+			})
+
+		out, err := smugglingRequest(host, f.GetNginxIP(), 80)
+		Expect(err).NotTo(HaveOccurred(), "obtaining response of request smuggling check")
+		Expect(out).ShouldNot(ContainSubstring("This should be hidden!"))
+	})
+})
+
+func smugglingRequest(host, addr string, port int) (string, error) {
+	conn, err := net.Dial("tcp", fmt.Sprintf("%v:%v", addr, port))
+	if err != nil {
+		return "", err
+	}
+
+	defer conn.Close()
+
+	conn.SetDeadline(time.Now().Add(time.Second * 10))
+
+	_, err = fmt.Fprintf(conn, "GET /echo HTTP/1.1\r\nHost: %v\r\nContent-Length: 56\r\n\r\nGET /_hidden/index.html HTTP/1.1\r\nHost: notlocalhost\r\n\r\n", host)
+	if err != nil {
+		return "", err
+	}
+
+	// wait for /_hidden/index.html response
+	time.Sleep(1 * time.Second)
+
+	var buf = make([]byte, 1024)
+	r := bufio.NewReader(conn)
+	_, err = r.Read(buf)
+	if err != nil {
+		return "", err
+	}
+
+	return string(buf), nil
+}