Commit 6eb3fc69 authored by Thong Kuah's avatar Thong Kuah Committed by Mayra Cabrera

Monkey kubeclient to not follow any redirects.

This should prevent any malicious server from responding with a location
that will redirect us and expose internal services, as kubeclient's
rest-client will no longer follow redirects.
parent 160ed1d7
---
title: Monkey kubeclient to not follow any redirects.
merge_request:
author:
type: security
...@@ -13,4 +13,25 @@ class Kubeclient::Client ...@@ -13,4 +13,25 @@ class Kubeclient::Client
ns_prefix = build_namespace_prefix(namespace) ns_prefix = build_namespace_prefix(namespace)
rest_client["#{ns_prefix}#{entity_name_plural}/#{name}:#{port}/proxy"].url rest_client["#{ns_prefix}#{entity_name_plural}/#{name}:#{port}/proxy"].url
end end
# Monkey patch to set `max_redirects: 0`, so that kubeclient
# does not follow redirects and expose internal services.
# See https://gitlab.com/gitlab-org/gitlab-ce/issues/53158
def create_rest_client(path = nil)
path ||= @api_endpoint.path
options = {
ssl_ca_file: @ssl_options[:ca_file],
ssl_cert_store: @ssl_options[:cert_store],
verify_ssl: @ssl_options[:verify_ssl],
ssl_client_cert: @ssl_options[:client_cert],
ssl_client_key: @ssl_options[:client_key],
proxy: @http_proxy_uri,
user: @auth_options[:username],
password: @auth_options[:password],
open_timeout: @timeouts[:open],
read_timeout: @timeouts[:read],
max_redirects: 0
}
RestClient::Resource.new(@api_endpoint.merge(path).to_s, options)
end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment