Bug 1993002
| Summary: | The "largestMaxAge" and "smallestMaxAge" in "maxAge" option for HSTS headers accept negative values | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Arvind iyengar <aiyengar> |
| Component: | Networking | Assignee: | Candace Holman <cholman> |
| Networking sub component: | router | QA Contact: | Arvind iyengar <aiyengar> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | medium | | |
| Priority: | high | CC: | aos-bugs, mmasters |
| Version: | 4.9 | | |
| Target Milestone: | --- | | |
| Target Release: | 4.9.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-10-18 17:46:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Verified in "4.9.0-0.nightly-2021-08-23-192406" release version. With this payload, it is observed that the negative values for the "maxAge" options are properly being rejected when the attempts are made:
------
oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.9.0-0.nightly-2021-08-23-192406   True        False         41m     Cluster version is 4.9.0-0.nightly-2021-08-23-192406

Attempting to set the timer options to negative values results in an error:
  requiredHSTSPolicies:
  - domainPatterns:
    - '*.internalapps.aiyengar49bz.qe.devcluster.openshift.com'
    includeSubDomainsPolicy: NoOpinion
    maxAge:
      largestMaxAge: -30000
      smallestMaxAge: -1
    preloadPolicy: NoOpinion
# ingresses.config.openshift.io "cluster" was not valid:
# * spec.requiredHSTSPolicies.maxAge.largestMaxAge: Invalid value: -30000: spec.requiredHSTSPolicies.maxAge.largestMaxAge in body should be greater than or equal to 0
# * spec.requiredHSTSPolicies.maxAge.smallestMaxAge: Invalid value: -1: spec.requiredHSTSPolicies.maxAge.smallestMaxAge in body should be greater than or equal to 0
#
------
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2021:3759
Description of problem:
The "largestMaxAge" and "smallestMaxAge" in "maxAge" option for HSTS headers accept negative values, and these values appear to be used for evaluation during header validation.

OpenShift release version:
4.9.0-0.nightly-2021-08-07-175228

How reproducible:
Frequently

Steps to Reproduce (in detail):
1. Configure the cluster ingresses resource with the HSTS validation option and define negative values for the said parameters for the "maxAge" header check:
-----
  domain: apps.aiyengar4911.qe.devcluster.openshift.com
  requiredHSTSPolicies:
  - domainPatterns:
    - '*.internalapps.aiyengar4911.qe.devcluster.openshift.com'
    includeSubDomainsPolicy: RequireIncludeSubDomains
    maxAge:
      largestMaxAge: -100
      smallestMaxAge: -100
    preloadPolicy: RequirePreload
-----
2. Try changing the HSTS header aging value for a route.

Actual results:
Before changing the aging:
curl -Ik https://service-unsecure-test1.internalapps.aiyengar4911.qe.devcluster.openshift.com
HTTP/1.1 200 OK
server: nginx/1.18.0
date: Thu, 12 Aug 2021 08:04:24 GMT
content-type: text/html
content-length: 46
last-modified: Wed, 11 Aug 2021 11:19:04 GMT
etag: "6113b228-2e"
accept-ranges: bytes
strict-transport-security: max-age=200;includeSubDomains;preload
set-cookie: 6b61b6eae6a7fcb9c100e4c96e0d6f2e=32f7b665c295eaefff4cb940a9fbe602; path=/; HttpOnly; Secure; SameSite=None
cache-control: private

Trying to change the value ends with the below error:
oc annotate route edge-route2 haproxy.router.openshift.io/hsts_header='max-age=300;includeSubDomains;preload' --overwrite
Error from server (Forbidden): routes.route.openshift.io "edge-route2" is forbidden: is greater than maximum age (-100)

Expected results:
As the feature proposal states, the minimum value for these parameters is "0"; I believe the negative value should be discarded.

Impact of the problem:
Though the users/admins may not input negative values for this option deliberately, there is a chance of human error where they may get applied accidentally, which can cause further issues with the header validation process of the routes.
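As an added illustration (not code from OpenShift or from this bug report), the following Go program shows the two checks the report is asking for: validating the policy's maxAge bounds at admission time (both must be greater than or equal to 0, and smallest must not exceed largest) before those bounds are used to validate a route's hsts_header annotation. The type and function names (HSTSMaxAgePolicy, ValidatePolicy, ParseMaxAge, CheckRouteHeader) are assumptions made for this example, and the inputs in main are constructed to mirror the values in the report.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// HSTSMaxAgePolicy mirrors the maxAge block of a requiredHSTSPolicies entry:
// a route's Strict-Transport-Security max-age must lie within
// [SmallestMaxAge, LargestMaxAge]. Illustrative type, not the OpenShift API struct.
type HSTSMaxAgePolicy struct {
	SmallestMaxAge int64
	LargestMaxAge  int64
}

// ValidatePolicy is the admission-time check the report asks for: both bounds
// must be >= 0 (the documented minimum) and the bounds must be ordered.
func ValidatePolicy(p HSTSMaxAgePolicy) error {
	if p.SmallestMaxAge < 0 {
		return fmt.Errorf("maxAge.smallestMaxAge: Invalid value: %d: should be greater than or equal to 0", p.SmallestMaxAge)
	}
	if p.LargestMaxAge < 0 {
		return fmt.Errorf("maxAge.largestMaxAge: Invalid value: %d: should be greater than or equal to 0", p.LargestMaxAge)
	}
	if p.SmallestMaxAge > p.LargestMaxAge {
		return fmt.Errorf("maxAge.smallestMaxAge (%d) must not exceed maxAge.largestMaxAge (%d)", p.SmallestMaxAge, p.LargestMaxAge)
	}
	return nil
}

// ParseMaxAge extracts the max-age directive from an HSTS header value in the
// form used by the hsts_header route annotation, e.g.
// "max-age=300;includeSubDomains;preload". Directive names are case-insensitive.
func ParseMaxAge(header string) (int64, error) {
	for _, directive := range strings.Split(header, ";") {
		kv := strings.SplitN(strings.TrimSpace(directive), "=", 2)
		if len(kv) != 2 || !strings.EqualFold(strings.TrimSpace(kv[0]), "max-age") {
			continue
		}
		n, err := strconv.ParseInt(strings.TrimSpace(kv[1]), 10, 64)
		if err != nil || n < 0 {
			return 0, fmt.Errorf("hsts_header: invalid max-age value %q", kv[1])
		}
		return n, nil
	}
	return 0, errors.New("hsts_header: missing max-age directive")
}

// CheckRouteHeader validates a route's HSTS annotation against the policy.
// The policy is validated first so that a bad policy is reported as such,
// rather than every route failing with a misleading "greater than maximum age"
// error as happened in the report.
func CheckRouteHeader(p HSTSMaxAgePolicy, header string) error {
	if err := ValidatePolicy(p); err != nil {
		return fmt.Errorf("required HSTS policy is invalid: %w", err)
	}
	age, err := ParseMaxAge(header)
	if err != nil {
		return err
	}
	if age < p.SmallestMaxAge {
		return fmt.Errorf("max-age %d is less than minimum age (%d)", age, p.SmallestMaxAge)
	}
	if age > p.LargestMaxAge {
		return fmt.Errorf("max-age %d is greater than maximum age (%d)", age, p.LargestMaxAge)
	}
	return nil
}

func main() {
	// Constructed inputs: the negative policy from the report and a sane one.
	negative := HSTSMaxAgePolicy{SmallestMaxAge: -100, LargestMaxAge: -100}
	sane := HSTSMaxAgePolicy{SmallestMaxAge: 100, LargestMaxAge: 31536000}
	header := "max-age=300;includeSubDomains;preload"

	fmt.Println("negative policy:", CheckRouteHeader(negative, header))
	fmt.Println("sane policy, max-age=300:", CheckRouteHeader(sane, header))
	fmt.Println("sane policy, max-age=50:", CheckRouteHeader(sane, "max-age=50;includeSubDomains"))
}
```

With the negative policy, the program reports the policy itself as invalid instead of rejecting the route, which is the behaviour the verification comment later confirms for the cluster ingress resource (the bounds are rejected at the API before any route check runs).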