Security: Harden socket creation and validate error code input. (#13765)

Michael 2025-08-16 21:54:57 +01:00 committed by GitHub
parent 4c87d58a2d
commit cca7690f31
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 18 additions and 4 deletions


@ -17,6 +17,7 @@ limitations under the License.
package customhttperrors package customhttperrors
import ( import (
"fmt"
"regexp" "regexp"
"strconv" "strconv"
"strings" "strings"
@ -72,10 +73,17 @@ func (e customhttperrors) Parse(ing *networking.Ingress) (interface{}, error) {
cSplit := strings.Split(c, ",") cSplit := strings.Split(c, ",")
codes := make([]int, 0, len(cSplit)) codes := make([]int, 0, len(cSplit))
for _, i := range cSplit { for _, i := range cSplit {
num, err := strconv.Atoi(i) // Trim whitespace to handle "404, 500" format
if err != nil { trimmed := strings.TrimSpace(i)
return nil, err if trimmed == "" {
continue
} }
num, err := strconv.Atoi(trimmed)
if err != nil {
return nil, fmt.Errorf("invalid HTTP status code %q: %w", trimmed, err)
}
codes = append(codes, num) codes = append(codes, num)
} }
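Review bot: The value returned by `strconv.Atoi(trimmed)` is never range-checked, so negative numbers, `0` or something like `99999` are still appended to `codes`. If these codes are later rendered into an nginx `error_page` directive (not visible in this hunk), a value outside 300-599 would be rejected by nginx at config load instead of here, where the annotation is parsed. Consider adding `if num < 300 || num > 599 { return nil, fmt.Errorf("HTTP status code %d out of range 300-599", num) }` before the append. Empty entries are also skipped silently, so an annotation consisting only of `,` yields an empty list with no error. The rest of Parse lies outside the hunk, so whether that case is handled later cannot be seen from here.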


@ -102,6 +102,12 @@ var requestTags = []string{
// the ingress watch namespace and class used by the controller // the ingress watch namespace and class used by the controller
func NewSocketCollector(pod, namespace, class string, metricsPerHost, metricsPerUndefinedHost, reportStatusClasses bool, buckets HistogramBuckets, bucketFactor float64, maxBuckets uint32, excludeMetrics []string) (*SocketCollector, error) { func NewSocketCollector(pod, namespace, class string, metricsPerHost, metricsPerUndefinedHost, reportStatusClasses bool, buckets HistogramBuckets, bucketFactor float64, maxBuckets uint32, excludeMetrics []string) (*SocketCollector, error) {
socket := "/tmp/nginx/prometheus-nginx.socket" socket := "/tmp/nginx/prometheus-nginx.socket"
// Ensure the directory exists
if err := os.MkdirAll("/tmp/nginx", 0o755); err != nil {
return nil, fmt.Errorf("failed to create socket directory: %w", err)
}
// unix sockets must be unlink()ed before being used // unix sockets must be unlink()ed before being used
//nolint:errcheck // Ignore unlink error //nolint:errcheck // Ignore unlink error
_ = syscall.Unlink(socket) _ = syscall.Unlink(socket)
@ -111,7 +117,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, metricsPer
return nil, err return nil, err
} }
err = os.Chmod(socket, 0o777) // #nosec err = os.Chmod(socket, 0o660) // Read/write for owner and group only - more secure than 0o777
if err != nil { if err != nil {
return nil, err return nil, err
} }
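Review bot: `os.MkdirAll("/tmp/nginx", 0o755)` returns nil when the path already exists as a directory, including one reached through a symlink, so the new check does not establish that the directory belongs to this process or has the expected mode before the socket is unlinked and recreated inside it. Because the path sits under /tmp, consider verifying it after creation, e.g. `if fi, err := os.Lstat("/tmp/nginx"); err != nil || !fi.IsDir() { return nil, fmt.Errorf("socket directory is not a plain directory") }`, and comparing the permission bits as well. Separately, the socket keeps its umask-derived mode between the listen call and `os.Chmod(socket, 0o660)`, and with 0o660 the writing side must share the owner or group, which is worth confirming for the nginx worker processes. The body of NewSocketCollector continues outside both hunks.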