Skip to content

Commit

Permalink
Merge pull request #17070 from ivanvc/release-3.5-backport-ssrf
Browse files Browse the repository at this point in the history 
Backport disable redirects in peer communication to release-3.5
  • Loading branch information
@ahrtr
ahrtr authored Dec 6, 2023
2 parents ce4ae2b + 98aa466 commit 7df2e90
Show file tree
Hide file tree
Showing 3 changed files with 30 additions and 4 deletions.
13 changes: 12 additions & 1 deletion server/etcdserver/cluster_util.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,9 @@ func getClusterFromRemotePeers(lg *zap.Logger, urls []string, timeout time.Durat
cc := &http.Client{
Transport: rt,
Timeout: timeout,
CheckRedirect: func(req *http.Request, via []*http.Request) error {
return http.ErrUseLastResponse
},
}
for _, u := range urls {
addr := u + "/members"
Expand Down Expand Up @@ -324,7 +327,12 @@ func getVersion(lg *zap.Logger, m *membership.Member, rt http.RoundTripper) (*ve
}

func promoteMemberHTTP(ctx context.Context, url string, id uint64, peerRt http.RoundTripper) ([]*membership.Member, error) {
cc := &http.Client{Transport: peerRt}
cc := &http.Client{
Transport: peerRt,
CheckRedirect: func(req *http.Request, via []*http.Request) error {
return http.ErrUseLastResponse
},
}
// TODO: refactor member http handler code
// cannot import etcdhttp, so manually construct url
requestUrl := url + "/members/promote/" + fmt.Sprintf("%d", id)
Expand Down Expand Up @@ -396,6 +404,9 @@ func getDowngradeEnabledFromRemotePeers(lg *zap.Logger, cl *membership.RaftClust
func getDowngradeEnabled(lg *zap.Logger, m *membership.Member, rt http.RoundTripper) (bool, error) {
cc := &http.Client{
Transport: rt,
CheckRedirect: func(req *http.Request, via []*http.Request) error {
return http.ErrUseLastResponse
},
}
var (
err error
Expand Down
7 changes: 6 additions & 1 deletion server/etcdserver/corrupt.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -390,7 +390,12 @@ func (s *EtcdServer) getPeerHashKVs(rev int64) []*peerHashKVResp {

lg := s.Logger()

cc := &http.Client{Transport: s.peerRt}
cc := &http.Client{
Transport: s.peerRt,
CheckRedirect: func(req *http.Request, via []*http.Request) error {
return http.ErrUseLastResponse
},
}
var resps []*peerHashKVResp
for _, p := range peers {
if len(p.eps) == 0 {
Expand Down
14 changes: 12 additions & 2 deletions server/lease/leasehttp/http.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -150,7 +150,12 @@ func RenewHTTP(ctx context.Context, id lease.LeaseID, url string, rt http.RoundT
return -1, err
}

cc := &http.Client{Transport: rt}
cc := &http.Client{
Transport: rt,
CheckRedirect: func(req *http.Request, via []*http.Request) error {
return http.ErrUseLastResponse
},
}
req, err := http.NewRequest("POST", url, bytes.NewReader(lreq))
if err != nil {
return -1, err
Expand Down Expand Up @@ -210,7 +215,12 @@ func TimeToLiveHTTP(ctx context.Context, id lease.LeaseID, keys bool, url string

req = req.WithContext(ctx)

cc := &http.Client{Transport: rt}
cc := &http.Client{
Transport: rt,
CheckRedirect: func(req *http.Request, via []*http.Request) error {
return http.ErrUseLastResponse
},
}
var b []byte
// buffer errc channel so that errc don't block inside the go routinue
resp, err := cc.Do(req)
Expand Down

0 comments on commit 7df2e90

Please sign in to comment.