CORS configuration from annotation fails penetration test #12230
Comments
|
This issue is currently awaiting triage. If Ingress contributors determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
needs-triage
|
/remove-kind bug We need a CORS expert to comment here. There was some work done to harden the CORS config. If you can not set more than the allowed origin, its bad for you but good for the project, as the risk is less when compared to allowing whatever origins you want to be set.. |
|
@longwuyuan: GuidelinesPlease ensure that the issue body includes answers to the following questions:
For more details on the requirements of such an issue, please see here and ensure that they are met. If this request no longer meets these requirements, the label can be removed In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
kind/support
|
Ingress NGINX Controller v1.9.4 is no longer supported. Please update to a more recent Controller version and try again. I remember some changes to CORS in the newer releases. |
|
As you can see from this link the logic for building the CORS configuration with the origin wrapped inside a if statement is there even in the main branch, so there is no point to perform an update for this specific issue. |
What happened:
When adding the CORS annotation for thee allowed origin:
the generated configuration looks like this:
if ($http_origin ~* ((https://mydomain\.com))$ ) { set $cors 'true'; }This configuration limits the setting of $cors to true only for requests with origin matching https://mydomain.com and it does not enforce CORS setting for all the other requests.
For this reason penetration tests for the CORS settings fails because don't satisfy basic requirements for CORS enforcement (see https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/07-Testing_Cross_Origin_Resource_Sharing)
What you expected to happen:
You would expect that when enabled by the annotation the CORS settings are applied according to standards, and specifically the if statement before mentioned should instead be removed forcing the allowed origin to be set as specified by the annotation.
The template engine should be modified to rectify this vulnerability.
NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.):
registry.k8s.io/ingress-nginx/controller:v1.9.4@sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
Kubernetes version (use
kubectl version):1.27.10
Environment:
Cloud provider or hardware configuration: Oracle Cloud
OS (e.g. from /etc/os-release):NAME=
"Alpine Linux"
ID=alpine
VERSION_ID=3.18.4
PRETTY_NAME="Alpine Linux v3.18"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"
Kernel (e.g.
uname -a): Linux ingress-nginx-controller-cdcb6469d-j4t9f 5.15.0-206.153.7.el8uek.x86_64 Figure out documentation layout #2 SMP Thu May 9 15:52:29 PDT 2024 x86_64 LinuxOthers:
This should be the part of the code that generates the issue:
ingress-nginx/internal/ingress/controller/template/template.go
Line 1686 in dc3acbd
How to reproduce this issue:
Just set the following annotations to an ingress and check the resulting nginx.conf generated:
Anything else we need to know:
OWASP documentation: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/07-Testing_Cross_Origin_Resource_Sharing
CORS configuration reference example: https://enable-cors.org/server_nginx.html
The text was updated successfully, but these errors were encountered: