Commit Graph

10 Commits (8ed55e72b85b0807c97d3d1d7d12e9f07c9737e9)

Author SHA1 Message Date
Jamie Strandboge 2c930fd127
feat: add --hardening-enabled option to limit flux/pkger HTTP requests (#23207)
Flux HTTP and template fetching requests do not perform IP address
checks for local addresses. This behavior on the one hand allows SSRF
(Server Side Request Forgery) attacks via authenticated requests but on
the other hand is useful for scenarios that have legitimate requirements
to fetch from private addresses (eg, hosting templates internally or
performing flux queries to local resources during development).

To not break existing installations, the default behavior will remain
the same but a new --hardening-enabled option is added to influxd to
turn on IP address verification and limit both flux and template
fetching HTTP requests to non-private addresses. We plan to enable new
security features that aren't suitable for the default install with this
option.  Put another way, this new option is intended to be used to make
it easy to turn on all security options when running in production
environments. The 'Manage security and authorization' section of the
docs will also be updated for this option.

Specifically for flux, when --hardening-enabled is specified, we now
pass in PrivateIPValidator{} to the flux dependency configuration. The
flux url validator will then tap into the http.Client 'Control'
mechanism to validate the IP address since it is called after DNS lookup
but before the connection starts.

For pkger (template fetching), when --hardening-enabled is specified,
the template parser's HTTP client will be configured to also use
PrivateIPValidator{}. Note that /api/v2/stacks POST ('init', aka create)
and PATCH ('update') only store the new url to be applied later with
/api/v2/templates/apply. While it is possible to have InitStack() and
UpdateStack() mimic net.DialContext() to setup a go routine to perform a
DNS lookup and then loop through the returned addresses to verify none
are for a private IP before storing the url, this would add considerable
complexity to the stacks implementation. Since the stack's urls are
fetched when it is applied and the IP address is verified as part of
apply (see above), for now we'll keep this simple and not validate the
IPs of the stack's urls during init or update.

Lastly, update pkger/http_server_template_test.go's Templates() test for
disabled jsonnet to also check the contents of the 422 error (since the
flux validator also returns a 422 with different message). Also, fix the
URL in one of these tests to use a valid path.
2022-03-18 10:25:31 -04:00
Dane Strandboge 0bd28f66bc
fix: update 422 dry-run response to conform to API spec (#23121) 2022-02-11 16:28:49 -06:00
William Baker 11c00813f1
fix(templates): disable use of jsonnet with `/api/v2/templates/apply` (#23030) 2021-12-30 12:55:45 -05:00
Sam Arnold 5015297d40
fix: more expressive errors (#22448)
* fix: more expressive errors

Closes #22446

* fix: server only logging for untyped errors

* chore: fix formatting
2021-09-13 15:12:35 -04:00
Daniel Moran 00afd95cb7
refactor: automated move of errors and id from root to kit (#21101)
Co-authored-by: Sam Arnold <sarnold@influxdata.com>
2021-03-30 14:10:02 -04:00
Johnny Steenbergen 211e16dd7c chore(pkger): axe deprecated fields 2020-07-30 17:25:58 -07:00
Johnny Steenbergen d768132aaa feat(pkger): make envRef default values support more types
references: #18237
2020-07-28 12:22:46 -07:00
Johnny Steenbergen 44bd37c1a0 chore(pkger): ensure all diff and summary resource collections are non null 2020-07-06 10:51:20 -07:00
Johnny Steenbergen b9e6744807 chore(pkger): finalize adoption of templates naming convention
closes: #18580
2020-06-30 16:33:45 -07:00
Johnny Steenbergen 2927f0e718 feat(pkger): add stable HTTP APIs for stacks and templates
references: #18580
2020-06-29 13:45:32 -07:00