Security: Harden socket creation and validate error code input. (#13765)

internal/ingress/annotations/customhttperrors/main.go

@@ -17,6 +17,7 @@ limitations under the License.
 package customhttperrors
 
 import (
+	"fmt"
 	"regexp"
 	"strconv"
 	"strings"
@@ -72,10 +73,17 @@ func (e customhttperrors) Parse(ing *networking.Ingress) (interface{}, error) {
 	cSplit := strings.Split(c, ",")
 	codes := make([]int, 0, len(cSplit))
 	for _, i := range cSplit {
-		num, err := strconv.Atoi(i)
-		if err != nil {
-			return nil, err
+		// Trim whitespace to handle "404, 500" format
+		trimmed := strings.TrimSpace(i)
+		if trimmed == "" {
+			continue
 		}
+
+		num, err := strconv.Atoi(trimmed)
+		if err != nil {
+			return nil, fmt.Errorf("invalid HTTP status code %q: %w", trimmed, err)
+		}
+
 		codes = append(codes, num)
 	}
 

internal/ingress/metric/collectors/socket.go

@@ -102,6 +102,12 @@ var requestTags = []string{
 // the ingress watch namespace and class used by the controller
 func NewSocketCollector(pod, namespace, class string, metricsPerHost, metricsPerUndefinedHost, reportStatusClasses bool, buckets HistogramBuckets, bucketFactor float64, maxBuckets uint32, excludeMetrics []string) (*SocketCollector, error) {
 	socket := "/tmp/nginx/prometheus-nginx.socket"
+
+	// Ensure the directory exists
+	if err := os.MkdirAll("/tmp/nginx", 0o755); err != nil {
+		return nil, fmt.Errorf("failed to create socket directory: %w", err)
+	}
+
 	// unix sockets must be unlink()ed before being used
 	//nolint:errcheck // Ignore unlink error
 	_ = syscall.Unlink(socket)
@@ -111,7 +117,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, metricsPer
 		return nil, err
 	}
 
-	err = os.Chmod(socket, 0o777) // #nosec
+	err = os.Chmod(socket, 0o660) // Read/write for owner and group only - more secure than 0o777
 	if err != nil {
 		return nil, err
 	}