Description of problem:

The "largestMaxAge" and "smallestMaxAge" in the "maxAge" option for HSTS headers accept negative values, and these values appear to be used for evaluation during header validation.

OpenShift release version: 4.9.0-0.nightly-2021-08-07-175228

How reproducible: Frequently

Steps to Reproduce (in detail):

1. Configure the cluster ingresses resource with the hsts validation option and define negative values for the said parameters for the "maxAge" header check:

-----
domain: apps.aiyengar4911.qe.devcluster.openshift.com
requiredHSTSPolicies:
- domainPatterns:
  - '*.internalapps.aiyengar4911.qe.devcluster.openshift.com'
  includeSubDomainsPolicy: RequireIncludeSubDomains
  maxAge:
    largestMaxAge: -100
    smallestMaxAge: -100
  preloadPolicy: RequirePreload
-----

2. Try changing the hsts header aging value for a route.

Actual results:

Before changing the aging:

curl -Ik https://service-unsecure-test1.internalapps.aiyengar4911.qe.devcluster.openshift.com
HTTP/1.1 200 OK
server: nginx/1.18.0
date: Thu, 12 Aug 2021 08:04:24 GMT
content-type: text/html
content-length: 46
last-modified: Wed, 11 Aug 2021 11:19:04 GMT
etag: "6113b228-2e"
accept-ranges: bytes
strict-transport-security: max-age=200;includeSubDomains;preload
set-cookie: 6b61b6eae6a7fcb9c100e4c96e0d6f2e=32f7b665c295eaefff4cb940a9fbe602; path=/; HttpOnly; Secure; SameSite=None
cache-control: private

Trying to change the value ends with the below error:

oc annotate route edge-route2 haproxy.router.openshift.io/hsts_header='max-age=300;includeSubDomains;preload' --overwrite
Error from server (Forbidden): routes.route.openshift.io "edge-route2" is forbidden: is greater than maximum age (-100)

Expected results:

As the feature proposal states, the minimum value for these parameters is "0"; I believe the negative value should be discarded.

Impact of the problem:

Though the user/admins may not input negative values for this option deliberately, there is a chance of human error where they may get applied accidentally, which can cause further issues with the header validation process of the routes.
Verified in "4.9.0-0.nightly-2021-08-23-192406" release version. With this payload, it is observed that the negative values for the "maxAge" options are properly being rejected when the attempts are made:

------
oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.9.0-0.nightly-2021-08-23-192406   True        False         41m     Cluster version is 4.9.0-0.nightly-2021-08-23-192406

Attempt to set the timer options to negative results in an error:

requiredHSTSPolicies:
- domainPatterns:
  - '*.internalapps.aiyengar49bz.qe.devcluster.openshift.com'
  includeSubDomainsPolicy: NoOpinion
  maxAge:
    largestMaxAge: -30000
    smallestMaxAge: -1
  preloadPolicy: NoOpinion
# ingresses.config.openshift.io "cluster" was not valid:
# * spec.requiredHSTSPolicies.maxAge.largestMaxAge: Invalid value: -30000: spec.requiredHSTSPolicies.maxAge.largestMaxAge in body should be greater than or equal to 0
# * spec.requiredHSTSPolicies.maxAge.smallestMaxAge: Invalid value: -1: spec.requiredHSTSPolicies.maxAge.smallestMaxAge in body should be greater than or equal to 0
#
------
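As an added illustration (not code from this bug report or from OpenShift itself), the Go program below models the two checks this thread exercises: schema-level validation of the maxAge bounds, which the verified build enforces, and the per-route comparison of a Strict-Transport-Security header against the policy, which the original build ran against a negative bound and so rejected every route. The HSTSPolicy type, the function names and the RequireNoIncludeSubDomains/RequireNoPreload policy values are assumptions of this example; the inputs are constructed from the values quoted in the report.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// HSTSPolicy is a simplified stand-in for one requiredHSTSPolicies entry
// (constructed for this example; not the OpenShift API type).
type HSTSPolicy struct {
	SmallestMaxAge          int64  // seconds; lower bound for max-age
	LargestMaxAge           int64  // seconds; upper bound for max-age
	IncludeSubDomainsPolicy string // NoOpinion | RequireIncludeSubDomains | RequireNoIncludeSubDomains (assumed)
	PreloadPolicy           string // NoOpinion | RequirePreload | RequireNoPreload (assumed)
}

// ValidatePolicy is the schema-level check the fixed build applies: both
// bounds must be >= 0 and the smallest may not exceed the largest. Without
// it, a negative largestMaxAge makes every route header fail the
// "greater than maximum age" comparison seen in the original report.
func ValidatePolicy(p HSTSPolicy) error {
	if p.SmallestMaxAge < 0 {
		return fmt.Errorf("maxAge.smallestMaxAge: Invalid value: %d: should be greater than or equal to 0", p.SmallestMaxAge)
	}
	if p.LargestMaxAge < 0 {
		return fmt.Errorf("maxAge.largestMaxAge: Invalid value: %d: should be greater than or equal to 0", p.LargestMaxAge)
	}
	if p.SmallestMaxAge > p.LargestMaxAge {
		return errors.New("maxAge.smallestMaxAge must not exceed maxAge.largestMaxAge")
	}
	return nil
}

// ParseHSTS parses a Strict-Transport-Security value such as
// "max-age=300;includeSubDomains;preload" into its max-age (seconds) and
// the presence of the two flags. Directive names are case-insensitive
// (RFC 6797); a missing, duplicate or negative max-age is an error.
func ParseHSTS(header string) (maxAge int64, includeSubDomains, preload bool, err error) {
	seenMaxAge := false
	for _, raw := range strings.Split(header, ";") {
		directive := strings.TrimSpace(raw)
		lower := strings.ToLower(directive)
		switch {
		case strings.HasPrefix(lower, "max-age="):
			if seenMaxAge {
				return 0, false, false, errors.New("duplicate max-age directive")
			}
			value := strings.Trim(directive[len("max-age="):], `"`)
			n, perr := strconv.ParseInt(value, 10, 64)
			if perr != nil || n < 0 {
				return 0, false, false, fmt.Errorf("invalid max-age %q", value)
			}
			maxAge, seenMaxAge = n, true
		case lower == "includesubdomains":
			includeSubDomains = true
		case lower == "preload":
			preload = true
		}
	}
	if !seenMaxAge {
		return 0, false, false, errors.New("missing max-age directive")
	}
	return maxAge, includeSubDomains, preload, nil
}

// checkFlag applies a three-state policy (NoOpinion / Require<name> /
// RequireNo<name>) to one boolean directive.
func checkFlag(name, policy string, present bool) error {
	switch policy {
	case "NoOpinion", "":
		return nil
	case "Require" + name:
		if !present {
			return fmt.Errorf("%s is required by policy", name)
		}
	case "RequireNo" + name:
		if present {
			return fmt.Errorf("%s is forbidden by policy", name)
		}
	default:
		return fmt.Errorf("unknown %s policy %q", name, policy)
	}
	return nil
}

// CheckRouteHSTS is the admission-style check run when a route's
// haproxy.router.openshift.io/hsts_header annotation is set: the policy is
// validated first, so a malformed policy is reported as such rather than
// surfacing as a confusing range error on every route.
func CheckRouteHSTS(p HSTSPolicy, header string) error {
	if err := ValidatePolicy(p); err != nil {
		return fmt.Errorf("invalid HSTS policy: %w", err)
	}
	maxAge, inc, pre, err := ParseHSTS(header)
	if err != nil {
		return err
	}
	if maxAge < p.SmallestMaxAge {
		return fmt.Errorf("max-age %d is less than minimum age (%d)", maxAge, p.SmallestMaxAge)
	}
	if maxAge > p.LargestMaxAge {
		return fmt.Errorf("max-age %d is greater than maximum age (%d)", maxAge, p.LargestMaxAge)
	}
	if err := checkFlag("IncludeSubDomains", p.IncludeSubDomainsPolicy, inc); err != nil {
		return err
	}
	return checkFlag("Preload", p.PreloadPolicy, pre)
}

func main() {
	// Constructed inputs: the policy from the report (negative bounds) and a sane one.
	broken := HSTSPolicy{SmallestMaxAge: -100, LargestMaxAge: -100, IncludeSubDomainsPolicy: "RequireIncludeSubDomains", PreloadPolicy: "RequirePreload"}
	sane := HSTSPolicy{SmallestMaxAge: 100, LargestMaxAge: 31536000, IncludeSubDomainsPolicy: "RequireIncludeSubDomains", PreloadPolicy: "RequirePreload"}
	header := "max-age=300;includeSubDomains;preload"
	fmt.Println("broken policy:", CheckRouteHSTS(broken, header))
	fmt.Println("sane policy:  ", CheckRouteHSTS(sane, header))
}
```

Running it with the negative-bound policy reports the policy itself as invalid instead of the route, which is the behaviour the verified build shows; with a sane policy the same header is accepted.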
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759