1482903 – [DOCS] vague behavior of a "corsAllowedOrigins" parameter in a "master-config.yaml" configuration file

Bug 1482903 - [DOCS] vague behavior of a "corsAllowedOrigins" parameter in a "master-config.yaml" configuration file

Summary: [DOCS] vague behavior of a "corsAllowedOrigins" parameter in a "master-config...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Documentation
Sub Component:
Version:	3.4.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Ashley Hardin
QA Contact:	Johnny Liu
Docs Contact:	Vikram Goyal
URL:
Whiteboard:	3.10-release-plan
Depends On:
Blocks:	1512708
TreeView+	depends on / blocked

Reported:	2017-08-18 11:13 UTC by Alexander Zagaynov
Modified:	2021-03-11 15:37 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1512708 (view as bug list)
Environment:
Last Closed:	2018-04-11 21:15:49 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Alexander Zagaynov 2017-08-18 11:13:53 UTC

Description of problem:

"corsAllowedOrigins" parameter in a "master-config.yaml" configuration file behavior is either not documented well or leads to a possible security leak.
It is possible to set it to "something" and both "something" and "something.hostile.com" in an "Origin:" HTTP header will be matched as valid.
It is also possible to set it to "127.0.0.1" and "127a0b0c1" will be matched as valid.

Version-Release number of selected component (if applicable):

- not applicable

How reproducible:

- see description above

Steps to Reproduce:

- see description above

Actual results:

- see description above

Expected results:

- see description above

Additional info:

https://github.com/openshift/origin/blob/master/vendor/github.com/emicklei/go-restful/cors_filter.go#L195
https://github.com/openshift/origin/blob/master/vendor/github.com/emicklei/go-restful/cors_filter.go#L145
https://github.com/kubernetes/apiserver/blob/master/pkg/server/filters/cors.go#L91
https://github.com/kubernetes/apiserver/blob/master/pkg/server/filters/cors.go#L46
https://golang.org/pkg/regexp/#Compile

Comment 1 Jordan Liggitt 2017-08-19 01:12:38 UTC

Correct. It is a regular expression, fully under the control of the config field (i.e. no pinning or escaping is done to the value)

We can update documentation to make that clearer

Comment 2 Alexander Zagaynov 2017-08-30 11:55:31 UTC

I've added a PR to `openshift-ansible` repo about that: https://github.com/openshift/openshift-ansible/pull/5264

Comment 4 Jordan Liggitt 2018-04-06 20:29:18 UTC

added comment in issue

Comment 5 Johnny Liu 2018-04-09 11:12:31 UTC

LGTM.

Comment 6 Ashley Hardin 2018-04-11 21:15:49 UTC

Content is now published:
https://access.redhat.com/documentation/en-us/openshift_container_platform/3.9/html/architecture/infrastructure-components#architecture-infrastructure-components-web-console

Note You need to log in before you can comment on or make changes to this bug.