[Backport release-1.5] Fix: forbid 302 request to avoid SSRF (#5003)

* fix helm chart list endpoint SSRF CVE

Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com>
(cherry picked from commit 8883a6219d)

* revert error log

Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com>
(cherry picked from commit e1e6972b17)

* change with const value

Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com>

fix ci

Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com>
(cherry picked from commit fbeacb0a6b)

Co-authored-by: 楚岳 <wangyike.wyk@alibaba-inc.com>

pkg/utils/common/common.go

@@ -79,9 +79,15 @@ import (
 var (
 	// Scheme defines the default KubeVela schema
 	Scheme = k8sruntime.NewScheme()
+	// forbidRedirectFunc general check func for http redirect response
+	forbidRedirectFunc = func(req *http.Request, via []*http.Request) error {
+		return errors.New("got a redirect response which is forbidden")
+	}
 	//nolint:gosec
 	// insecureHTTPClient insecure http client
-	insecureHTTPClient = &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}}
+	insecureHTTPClient = &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}, CheckRedirect: forbidRedirectFunc}
+	// forbidRedirectClient is a http client forbid redirect http request
+	forbidRedirectClient = &http.Client{CheckRedirect: forbidRedirectFunc}
 )
 
 const (
@@ -169,7 +175,7 @@ func HTTPGetResponse(ctx context.Context, url string, opts *HTTPOption) (*http.R
 	if err != nil {
 		return nil, err
 	}
-	httpClient := http.DefaultClient
+	httpClient := forbidRedirectClient
 	if opts != nil && len(opts.Username) != 0 && len(opts.Password) != 0 {
 		req.SetBasicAuth(opts.Username, opts.Password)
 	}
@@ -197,7 +203,7 @@ func HTTPGetResponse(ctx context.Context, url string, opts *HTTPOption) (*http.R
 		}
 		tr.TLSClientConfig = tlsConfig
 		defer tr.CloseIdleConnections()
-		httpClient = &http.Client{Transport: &tr}
+		httpClient = &http.Client{Transport: &tr, CheckRedirect: forbidRedirectFunc}
 	}
 	return httpClient.Do(req)
 }

pkg/utils/common/common_test.go

@@ -26,6 +26,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strings"
 	"testing"
 	"time"
 
@@ -223,6 +224,25 @@ func TestHttpGetCaFile(t *testing.T) {
 	}
 }
 
+func TestHttpGetForbidRedirect(t *testing.T) {
+	var ctx = context.Background()
+	testServer := &http.Server{Addr: ":19090"}
+
+	http.HandleFunc("/redirect", func(writer http.ResponseWriter, request *http.Request) {
+		http.Redirect(writer, request, "http://192.168.1.1", http.StatusFound)
+	})
+
+	go func() {
+		err := testServer.ListenAndServe()
+		assert.NoError(t, err)
+	}()
+	time.Sleep(time.Millisecond)
+
+	_, err := HTTPGetWithOption(ctx, "http://127.0.0.1:19090/redirect", nil)
+	assert.Error(t, err)
+	assert.True(t, strings.Contains(err.Error(), "got a redirect response which is forbidden"))
+}
+
 func TestGetCUEParameterValue(t *testing.T) {
 	type want struct {
 		err error

pkg/utils/helm/helm_helper.go

@@ -225,7 +225,7 @@ func (h *Helper) GetIndexInfo(repoURL string, skipCache bool, opts *common.HTTPO
 	}
 	i := &repo.IndexFile{}
 	if err := yaml.UnmarshalStrict(body, i); err != nil {
-		return nil, fmt.Errorf("parse index file from %s failure %w", repoURL, err)
+		return nil, fmt.Errorf("parse index file from %s failure", repoURL)
 	}
 
 	if h.cache != nil {

references/cli/addon-registry.go

@@ -31,19 +31,20 @@ import (
 )
 
 const (
-	addonRegistryType        = "type"
-	addonEndpoint            = "endpoint"
-	addonOssBucket           = "bucket"
-	addonPath                = "path"
-	addonGitToken            = "gitToken"
-	addonOssType             = "OSS"
-	addonGitType             = "git"
-	addonGiteeType           = "gitee"
-	addonGitlabType          = "gitlab"
-	addonHelmType            = "helm"
-	addonUsername            = "username"
-	addonPassword            = "password"
-	addonRepoName            = "repoName"
+	addonRegistryType = "type"
+	addonEndpoint     = "endpoint"
+	addonOssBucket    = "bucket"
+	addonPath         = "path"
+	addonGitToken     = "gitToken"
+	addonOssType      = "OSS"
+	addonGitType      = "git"
+	addonGiteeType    = "gitee"
+	addonGitlabType   = "gitlab"
+	addonHelmType     = "helm"
+	addonUsername     = "username"
+	addonPassword     = "password"
+	// only gitlab registry need set this flag
+	addonRepoName            = "gitlabRepoName"
 	addonHelmInsecureSkipTLS = "insecureSkipTLS"
 )
 
@@ -67,10 +68,12 @@ func NewAddonRegistryCommand(c common.Args, ioStreams cmdutil.IOStreams) *cobra.
 // NewAddAddonRegistryCommand return an addon registry create command
 func NewAddAddonRegistryCommand(c common.Args, ioStreams cmdutil.IOStreams) *cobra.Command {
 	cmd := &cobra.Command{
-		Use:     "add",
-		Short:   "Add an addon registry.",
-		Long:    "Add an addon registry.",
-		Example: `"vela addon registry add <my-registry-name> --type OSS --endpoint=<URL> --bucket=<bukect-name> or vela addon registry add my-repo --type git --endpoint=<URL> --path=<OSS-ptah> --gitToken=<git token>"`,
+		Use:   "add",
+		Short: "Add an addon registry.",
+		Long:  "Add an addon registry.",
+		Example: `add a helm repo registry: vela addon registry add --type=helm my-repo --endpoint=<URL>
+add a github registry: vela addon registry add my-repo --type git --endpoint=<URL> --path=<ptah> --token=<git token>" 
+add a gitlab registry: vela addon registry add my-repo --type gitlab --endpoint=<URL> --gitlabRepoName=<repoName> --path=<path> --token=<git token>`,
 		RunE: func(cmd *cobra.Command, args []string) error {
 			registry, err := getRegistryFromArgs(cmd, args)
 			if err != nil {
@@ -298,6 +301,7 @@ func parseArgsFromFlag(cmd *cobra.Command) {
 	cmd.Flags().StringP(addonGitToken, "", "", "specify the github repo token")
 	cmd.Flags().StringP(addonUsername, "", "", "specify the Helm addon registry username")
 	cmd.Flags().StringP(addonPassword, "", "", "specify the Helm addon registry password")
+	cmd.Flags().StringP(addonRepoName, "", "", "specify the gitlab addon registry repoName")
 	cmd.Flags().BoolP(addonHelmInsecureSkipTLS, "", false,
 		"specify the Helm addon registry skip tls verify")
 }