[Backport release-1.5] Fix: forbid 302 request to avoid SSRF (#5003 )

* fix helm chart list endpoint SSRF CVE Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> (cherry picked from commit 8883a6219d) * revert error log Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> (cherry picked from commit e1e6972b17) * change with const value Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> fix ci Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> (cherry picked from commit fbeacb0a6b) Co-authored-by: 楚岳 <wangyike.wyk@alibaba-inc.com>
fix gitlab addon registry (#4938 )
2026-03-02 01:30:47 +00:00 · 2022-11-04 20:16:53 +08:00 · 2022-10-27 22:19:34 +08:00 · 2022-10-22 13:27:07 +08:00 · 2022-10-20 16:37:25 +08:00
9 changed files with 67 additions and 37 deletions
--- a/makefiles/dependency.mk
+++ b/makefiles/dependency.mk
@@ -80,7 +80,7 @@ ifeq (, $(shell which readme-generator))
 	@{ \
 	set -e ;\
 	echo 'installing readme-generator-for-helm' ;\
-	npm install -g readme-generator-for-helm ;\
+	npm install -g @bitnami/readme-generator-for-helm ;\
 	}
 else
 	@$(OK) readme-generator-for-helm is already installed
--- a/pkg/utils/common/common.go
+++ b/pkg/utils/common/common.go
@@ -79,9 +79,15 @@ import (
 var (
 	// Scheme defines the default KubeVela schema
 	Scheme = k8sruntime.NewScheme()
+	// forbidRedirectFunc general check func for http redirect response
+	forbidRedirectFunc = func(req *http.Request, via []*http.Request) error {
+		return errors.New("got a redirect response which is forbidden")
+	}
 	//nolint:gosec
 	// insecureHTTPClient insecure http client
-	insecureHTTPClient = &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}}
+	insecureHTTPClient = &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}, CheckRedirect: forbidRedirectFunc}
+	// forbidRedirectClient is a http client forbid redirect http request
+	forbidRedirectClient = &http.Client{CheckRedirect: forbidRedirectFunc}
 )

 const (
@@ -169,7 +175,7 @@ func HTTPGetResponse(ctx context.Context, url string, opts *HTTPOption) (*http.R
 	if err != nil {
 		return nil, err
 	}
-	httpClient := http.DefaultClient
+	httpClient := forbidRedirectClient
 	if opts != nil && len(opts.Username) != 0 && len(opts.Password) != 0 {
 		req.SetBasicAuth(opts.Username, opts.Password)
 	}
@@ -197,7 +203,7 @@ func HTTPGetResponse(ctx context.Context, url string, opts *HTTPOption) (*http.R
 		}
 		tr.TLSClientConfig = tlsConfig
 		defer tr.CloseIdleConnections()
-		httpClient = &http.Client{Transport: &tr}
+		httpClient = &http.Client{Transport: &tr, CheckRedirect: forbidRedirectFunc}
 	}
 	return httpClient.Do(req)
 }
--- a/pkg/utils/common/common_test.go
+++ b/pkg/utils/common/common_test.go
@@ -26,6 +26,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strings"
 	"testing"
 	"time"

@@ -223,6 +224,25 @@ func TestHttpGetCaFile(t *testing.T) {
 	}
 }

+func TestHttpGetForbidRedirect(t *testing.T) {
+	var ctx = context.Background()
+	testServer := &http.Server{Addr: ":19090"}
+
+	http.HandleFunc("/redirect", func(writer http.ResponseWriter, request *http.Request) {
+		http.Redirect(writer, request, "http://192.168.1.1", http.StatusFound)
+	})
+
+	go func() {
+		err := testServer.ListenAndServe()
+		assert.NoError(t, err)
+	}()
+	time.Sleep(time.Millisecond)
+
+	_, err := HTTPGetWithOption(ctx, "http://127.0.0.1:19090/redirect", nil)
+	assert.Error(t, err)
+	assert.True(t, strings.Contains(err.Error(), "got a redirect response which is forbidden"))
+}
+
 func TestGetCUEParameterValue(t *testing.T) {
 	type want struct {
 		err error
--- a/pkg/utils/helm/helm_helper.go
+++ b/pkg/utils/helm/helm_helper.go
@@ -225,7 +225,7 @@ func (h *Helper) GetIndexInfo(repoURL string, skipCache bool, opts *common.HTTPO
 	}
 	i := &repo.IndexFile{}
 	if err := yaml.UnmarshalStrict(body, i); err != nil {
-		return nil, fmt.Errorf("parse index file from %s failure %w", repoURL, err)
+		return nil, fmt.Errorf("parse index file from %s failure", repoURL)
 	}

 	if h.cache != nil {
--- a/pkg/velaql/providers/query/endpoint.go
+++ b/pkg/velaql/providers/query/endpoint.go
@@ -211,10 +211,10 @@ func generatorFromService(service corev1.Service, selectorNodeIP func() string,
 			appp := judgeAppProtocol(port.Port)
 			for _, ingress := range service.Status.LoadBalancer.Ingress {
 				if ingress.Hostname != "" {
-					serviceEndpoints = append(serviceEndpoints, formatEndpoint(ingress.Hostname, appp, port.Name, port.Protocol, port.NodePort, false))
+					serviceEndpoints = append(serviceEndpoints, formatEndpoint(ingress.Hostname, appp, port.Name, port.Protocol, port.Port, false))
 				}
 				if ingress.IP != "" {
-					serviceEndpoints = append(serviceEndpoints, formatEndpoint(ingress.IP, appp, port.Name, port.Protocol, port.NodePort, false))
+					serviceEndpoints = append(serviceEndpoints, formatEndpoint(ingress.IP, appp, port.Name, port.Protocol, port.Port, false))
 				}
 			}
 		}
--- a/pkg/velaql/providers/query/endpoint_test.go
+++ b/pkg/velaql/providers/query/endpoint_test.go
@@ -165,7 +165,7 @@ var _ = Describe("Test Query Provider", func() {
 				{
 					"name": "seldon-ambassador-2",
 					"ports": []corev1.ServicePort{
-						{Port: 80, TargetPort: intstr.FromInt(80), Name: "80port", NodePort: 30010},
+						{Port: 80, TargetPort: intstr.FromInt(80), Name: "80port"},
 					},
 					"type": corev1.ServiceTypeLoadBalancer,
 					"status": corev1.ServiceStatus{
@@ -248,11 +248,11 @@ var _ = Describe("Test Query Provider", func() {
 			Expect(err).Should(BeNil())

 			urls := []string{
-				"http://1.1.1.1:30010/seldon/default/sdep2",
+				"http://1.1.1.1/seldon/default/sdep2",
 				"http://clusterip-2.default",
 				"clusterip-2.default:81",
-				"http://2.2.2.2:30020",
-				"http://1.1.1.1:30010",
+				"http://2.2.2.2:8080",
+				"http://1.1.1.1",
 			}
 			endValue, err := v.Field("list")
 			Expect(err).Should(BeNil())
--- a/pkg/velaql/providers/query/handler_test.go
+++ b/pkg/velaql/providers/query/handler_test.go
@@ -937,13 +937,13 @@ options: {
 			"https://ingress.domain.path/test",
 			"https://ingress.domain.path/test2",
 			fmt.Sprintf("http://%s:30229", gatewayIP),
-			"http://10.10.10.10:30080",
-			"http://text.example.com:30080",
-			"10.10.10.10:30081",
-			"text.example.com:30081",
+			"http://10.10.10.10",
+			"http://text.example.com",
+			"10.10.10.10:81",
+			"text.example.com:81",
 			fmt.Sprintf("http://%s:30002", gatewayIP),
 			"http://ingress.domain.helm",
-			"http://1.1.1.1:30011/seldon/default/sdep",
+			"http://1.1.1.1/seldon/default/sdep",
 			"http://gateway.domain",
 			"http://gateway.domain/api",
 			"https://demo.kubevela.net",
--- a/references/cli/addon-registry.go
+++ b/references/cli/addon-registry.go
@@ -31,19 +31,20 @@ import (
 )

 const (
-	addonRegistryType        = "type"
-	addonEndpoint            = "endpoint"
-	addonOssBucket           = "bucket"
-	addonPath                = "path"
-	addonGitToken            = "gitToken"
-	addonOssType             = "OSS"
-	addonGitType             = "git"
-	addonGiteeType           = "gitee"
-	addonGitlabType          = "gitlab"
-	addonHelmType            = "helm"
-	addonUsername            = "username"
-	addonPassword            = "password"
-	addonRepoName            = "repoName"
+	addonRegistryType = "type"
+	addonEndpoint     = "endpoint"
+	addonOssBucket    = "bucket"
+	addonPath         = "path"
+	addonGitToken     = "gitToken"
+	addonOssType      = "OSS"
+	addonGitType      = "git"
+	addonGiteeType    = "gitee"
+	addonGitlabType   = "gitlab"
+	addonHelmType     = "helm"
+	addonUsername     = "username"
+	addonPassword     = "password"
+	// only gitlab registry need set this flag
+	addonRepoName            = "gitlabRepoName"
 	addonHelmInsecureSkipTLS = "insecureSkipTLS"
 )

@@ -67,10 +68,12 @@ func NewAddonRegistryCommand(c common.Args, ioStreams cmdutil.IOStreams) *cobra.
 // NewAddAddonRegistryCommand return an addon registry create command
 func NewAddAddonRegistryCommand(c common.Args, ioStreams cmdutil.IOStreams) *cobra.Command {
 	cmd := &cobra.Command{
-		Use:     "add",
-		Short:   "Add an addon registry.",
-		Long:    "Add an addon registry.",
-		Example: `"vela addon registry add <my-registry-name> --type OSS --endpoint=<URL> --bucket=<bukect-name> or vela addon registry add my-repo --type git --endpoint=<URL> --path=<OSS-ptah> --gitToken=<git token>"`,
+		Use:   "add",
+		Short: "Add an addon registry.",
+		Long:  "Add an addon registry.",
+		Example: `add a helm repo registry: vela addon registry add --type=helm my-repo --endpoint=<URL>
+add a github registry: vela addon registry add my-repo --type git --endpoint=<URL> --path=<ptah> --token=<git token>" 
+add a gitlab registry: vela addon registry add my-repo --type gitlab --endpoint=<URL> --gitlabRepoName=<repoName> --path=<path> --token=<git token>`,
 		RunE: func(cmd *cobra.Command, args []string) error {
 			registry, err := getRegistryFromArgs(cmd, args)
 			if err != nil {
@@ -298,6 +301,7 @@ func parseArgsFromFlag(cmd *cobra.Command) {
 	cmd.Flags().StringP(addonGitToken, "", "", "specify the github repo token")
 	cmd.Flags().StringP(addonUsername, "", "", "specify the Helm addon registry username")
 	cmd.Flags().StringP(addonPassword, "", "", "specify the Helm addon registry password")
+	cmd.Flags().StringP(addonRepoName, "", "", "specify the gitlab addon registry repoName")
 	cmd.Flags().BoolP(addonHelmInsecureSkipTLS, "", false,
 		"specify the Helm addon registry skip tls verify")
 }
--- a/references/cli/velaql_test.go
+++ b/references/cli/velaql_test.go
@@ -436,10 +436,10 @@ var _ = Describe("Test velaQL", func() {
 			"https://ingress.domain.path/test",
 			"https://ingress.domain.path/test2",
 			fmt.Sprintf("http://%s:30229", gatewayIP),
-			"http://10.10.10.10:30180",
-			"http://text.example.com:30180",
-			"10.10.10.10:30181",
-			"text.example.com:30181",
+			"http://10.10.10.10",
+			"http://text.example.com",
+			"10.10.10.10:81",
+			"text.example.com:81",
 			// helmRelease
 			fmt.Sprintf("http://%s:30002", gatewayIP),
 			"http://ingress.domain.helm",
Author	SHA1	Message	Date
github-actions[bot]	735075f5a6	[Backport release-1.5] Fix: forbid 302 request to avoid SSRF (#5003 ) * fix helm chart list endpoint SSRF CVE Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> (cherry picked from commit `8883a6219d`) * revert error log Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> (cherry picked from commit `e1e6972b17`) * change with const value Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> fix ci Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> (cherry picked from commit `fbeacb0a6b`) Co-authored-by: 楚岳 <wangyike.wyk@alibaba-inc.com>	2022-11-04 20:16:53 +08:00
github-actions[bot]	52d1a4364b	fix gitlab addon registry (#4938 ) Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> (cherry picked from commit `f3ee964734`) Co-authored-by: 楚岳 <wangyike.wyk@alibaba-inc.com>	2022-10-27 22:19:34 +08:00
github-actions[bot]	1b7f9aae65	[Backport release-1.5] Chore: wrong endpoint for LoadBalancer type service(revert #4729 ) (#4906 ) * Chore: wrong endpoint for LoadBalancer type service(revert #4729) Signed-off-by: barnettZQG <barnett.zqg@gmail.com> (cherry picked from commit `92ed75c863`) * Fix: change the unit test Signed-off-by: barnettZQG <barnett.zqg@gmail.com> (cherry picked from commit `7985353e1d`) Co-authored-by: barnettZQG <barnett.zqg@gmail.com>	2022-10-22 13:27:07 +08:00
github-actions[bot]	e94519b788	Chore: change the package name of the readme-generator-for-helm (#4896 ) Signed-off-by: barnettZQG <barnett.zqg@gmail.com> (cherry picked from commit `8b46e6076a`) Co-authored-by: barnettZQG <barnett.zqg@gmail.com>	2022-10-20 16:37:25 +08:00