CORS configuration from annotation fails penetration test
#12230 opened on October 25, 2024
Description
What happened: When adding the CORS annotation for the allowed origin:
nginx.ingress.kubernetes.io/cors-allow-headers: DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-Api-Key,Powered-By,Content-Encoding,Auto-Refresh
nginx.ingress.kubernetes.io/cors-allow-origin: https://mydomain.com
nginx.ingress.kubernetes.io/enable-cors: 'true'
the generated configuration looks like this:
if ($http_origin ~* ((https://mydomain\.com))$ ) { set $cors 'true'; }
This configuration limits the setting of $cors to true only for requests with an origin matching https://mydomain.com and it does not enforce the CORS setting for all the other requests. For this reason penetration tests for the CORS settings fail because they don't satisfy the basic requirements for CORS enforcement (see https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/07-Testing_Cross_Origin_Resource_Sharing).
What you expected to happen: You would expect that when enabled by the annotation the CORS settings are applied according to the standards, and specifically the aforementioned if statement should instead be removed, forcing the allowed origin to be set as specified by the annotation.
The template engine should be modified to rectify this vulnerability.
NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.): registry.k8s.io/ingress-nginx/controller:v1.9.4@sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
Kubernetes version (use kubectl version):
1.27.10
Environment:
- Cloud provider or hardware configuration: Oracle Cloud
- OS (e.g. from /etc/os-release): NAME="Alpine Linux" ID=alpine VERSION_ID=3.18.4 PRETTY_NAME="Alpine Linux v3.18" HOME_URL="https://alpinelinux.org/" BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"
- Kernel (e.g. uname -a): Linux ingress-nginx-controller-cdcb6469d-j4t9f 5.15.0-206.153.7.el8uek.x86_64 #2 SMP Thu May 9 15:52:29 PDT 2024 x86_64 Linux
- Others: This should be the part of the code that generates the issue: https://github.com/kubernetes/ingress-nginx/blob/dc3acbd7864816c464f3536f433aaabd3ea9a37e/internal/ingress/controller/template/template.go#L1686
How to reproduce this issue: Just set the following annotations to an ingress and check the resulting nginx.conf generated:
nginx.ingress.kubernetes.io/cors-allow-origin: https://mydomain.com
nginx.ingress.kubernetes.io/enable-cors: 'true'
Anything else we need to know:
OWASP documentation: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/07-Testing_Cross_Origin_Resource_Sharing
CORS configuration reference example: https://enable-cors.org/server_nginx.html
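To see concretely which Origin values the generated `if ($http_origin ~* ((https://mydomain\.com))$ )` condition accepts, here is an added example that is not part of the issue or of the ingress-nginx code base. It emulates that exact regex in Python (re.search with IGNORECASE, mirroring nginx's `~*`), builds the response headers the $cors block would add for a matching origin (the header set is an assumption about the template's add_header block, reduced to Access-Control-Allow-Origin and Access-Control-Allow-Headers), and includes a small probe that sends the same list of Origins to a live endpoint so the emulated and observed results can be compared. PROBE_ORIGINS is a constructed list; `probe` is a hypothetical helper and is not exercised offline.

```python
import re
import urllib.error
import urllib.request
from typing import Dict, Iterable, Optional

# The regex exactly as it appears in the generated nginx.conf for
# cors-allow-origin: https://mydomain.com. nginx's ~* operator is a
# case-insensitive, unanchored-at-start match, hence re.search + IGNORECASE.
GENERATED_ORIGIN_REGEX = re.compile(r"((https://mydomain\.com))$", re.IGNORECASE)

# Value of the cors-allow-headers annotation from the issue, echoed back verbatim.
ALLOW_HEADERS = (
    "DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,"
    "Content-Type,Range,Authorization,X-Api-Key,Powered-By,Content-Encoding,Auto-Refresh"
)

# Constructed probe list: the configured origin plus the variants a CORS
# pentest usually tries against an allow-list.
PROBE_ORIGINS = [
    "https://mydomain.com",           # the configured origin
    "HTTPS://MYDOMAIN.COM",           # ~* makes the match case-insensitive
    "http://mydomain.com",            # scheme mismatch
    "https://evil.com",               # unrelated origin
    "https://mydomain.com.evil.com",  # suffix trick; the trailing $ rejects it
    "https://evilmydomain.com",       # prefix trick; "https://mydomain.com" is not contiguous
    "null",                           # Origin sent for sandboxed/file contexts
]


def cors_flag(origin: Optional[str]) -> bool:
    """Emulate: if ($http_origin ~* ((https://mydomain\\.com))$ ) { set $cors 'true'; }
    A request without an Origin header never sets $cors."""
    if origin is None:
        return False
    return GENERATED_ORIGIN_REGEX.search(origin) is not None


def cors_response_headers(origin: Optional[str]) -> Dict[str, str]:
    """Headers added when $cors is 'true'. For a non-matching origin nothing is
    added, so the browser refuses the cross-origin read; this is the behaviour the
    issue describes as 'not enforced'. (Assumed shape of the template's add_header block.)"""
    if not cors_flag(origin):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,  # the template echoes $http_origin
        "Access-Control-Allow-Headers": ALLOW_HEADERS,
    }


def classify_origins(origins: Iterable[str]) -> Dict[str, bool]:
    """Map each probe origin to whether the generated condition would set $cors."""
    return {o: cors_flag(o) for o in origins}


def probe(url: str, origins: Iterable[str], timeout: float = 5.0) -> Dict[str, Optional[str]]:
    """Hypothetical live check (network, not run offline): send each Origin to the
    ingress and record the Access-Control-Allow-Origin value it returns, or None.
    Compare with classify_origins(): any origin that is True here but None live,
    or vice versa, means the deployed nginx.conf differs from the emulated rule."""
    observed: Dict[str, Optional[str]] = {}
    for origin in origins:
        req = urllib.request.Request(url, headers={"Origin": origin}, method="GET")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                observed[origin] = resp.headers.get("Access-Control-Allow-Origin")
        except urllib.error.HTTPError as err:
            observed[origin] = err.headers.get("Access-Control-Allow-Origin")
    return observed


if __name__ == "__main__":
    for origin, allowed in classify_origins(PROBE_ORIGINS).items():
        print(f"{origin:32s} $cors={'true' if allowed else 'unset'}  "
              f"headers={cors_response_headers(origin)}")
```

Running the block prints one line per probe origin; only the two spellings of https://mydomain.com set $cors and receive an Access-Control-Allow-Origin header, every other origin gets no CORS headers at all. Pointing `probe("https://<your-ingress-host>/", PROBE_ORIGINS)` at a deployment reproduces the same table from the real controller.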