Skip to content

Commit

Permalink
Limit redirect proxy handling to redirected responses
Browse files Browse the repository at this point in the history 
Kubernetes-commit: 1dae41c3609a35ec77c861e3663e4a6971ff94a6
  • Loading branch information
@liggitt @k8s-publishing-bot
liggitt authored and k8s-publishing-bot committed Sep 17, 2022
1 parent 8252641 commit 14bc1be
Show file tree
Hide file tree
Showing 2 changed files with 22 additions and 1 deletion.
2 changes: 1 addition & 1 deletion pkg/util/proxy/upgradeaware.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -263,7 +263,7 @@ func (h *UpgradeAwareHandler) ServeHTTP(w http.ResponseWriter, req *http.Request
oldModifyResponse := proxy.ModifyResponse
proxy.ModifyResponse = func(response *http.Response) error {
code := response.StatusCode
if code >= 300 && code <= 399 {
if code >= 300 && code <= 399 && len(response.Header.Get("Location")) > 0 {
// close the original response
response.Body.Close()
msg := "the backend attempted to redirect this request, which is not permitted"
Expand Down
21 changes: 21 additions & 0 deletions pkg/util/proxy/upgradeaware_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -710,6 +710,7 @@ func TestRejectForwardingRedirectsOption(t *testing.T) {
name string
rejectForwardingRedirects bool
serverStatusCode int
redirect string
expectStatusCode int
expectBody []byte
}{
Expand All @@ -724,9 +725,25 @@ func TestRejectForwardingRedirectsOption(t *testing.T) {
name: "reject redirection enabled in proxy, backend server sending 301 response",
rejectForwardingRedirects: true,
serverStatusCode: 301,
redirect: "/",
expectStatusCode: 502,
expectBody: []byte(`the backend attempted to redirect this request, which is not permitted`),
},
{
name: "reject redirection enabled in proxy, backend server sending 304 response with a location header",
rejectForwardingRedirects: true,
serverStatusCode: 304,
redirect: "/",
expectStatusCode: 502,
expectBody: []byte(`the backend attempted to redirect this request, which is not permitted`),
},
{
name: "reject redirection enabled in proxy, backend server sending 304 response with no location header",
rejectForwardingRedirects: true,
serverStatusCode: 304,
expectStatusCode: 304,
expectBody: []byte{}, // client doesn't read the body for 304 responses
},
{
name: "reject redirection disabled in proxy, backend server sending 200 response",
rejectForwardingRedirects: false,
Expand All @@ -738,6 +755,7 @@ func TestRejectForwardingRedirectsOption(t *testing.T) {
name: "reject redirection disabled in proxy, backend server sending 301 response",
rejectForwardingRedirects: false,
serverStatusCode: 301,
redirect: "/",
expectStatusCode: 301,
expectBody: originalBody,
},
Expand All @@ -746,6 +764,9 @@ func TestRejectForwardingRedirectsOption(t *testing.T) {
t.Run(tc.name, func(t *testing.T) {
// Set up a backend server
backendServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if tc.redirect != "" {
w.Header().Set("Location", tc.redirect)
}
w.WriteHeader(tc.serverStatusCode)
w.Write(originalBody)
}))
Expand Down

0 comments on commit 14bc1be

Please sign in to comment.