Skip to content

fix: drop path normalization to MERGE_SLASHES to allow apps to handle encoded slashes#330

Merged
mjnagel merged 16 commits intomainfrom
288-allow-configure-decode-slashes
Apr 11, 2024
Merged

fix: drop path normalization to MERGE_SLASHES to allow apps to handle encoded slashes#330
mjnagel merged 16 commits intomainfrom
288-allow-configure-decode-slashes

Conversation

@Racer159
Copy link
Copy Markdown
Contributor

@Racer159 Racer159 commented Apr 5, 2024
edited
Loading

Description

PR to address DECODE_AND_MERGE_SLASHES causing issues in certain applications. Gives the ability to selectively turn this off in a namespace with the UDSPackage CR.

Related Issue

Fixes #288

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Other (security config, docs update, etc)

Checklist before merging

@Racer159 Racer159 changed the title feat: add configurable encoded slash handling behavior to s feat: add configurable encoded slash handling behavior to UDSPackages Apr 5, 2024
@Racer159 Racer159 changed the title feat: add configurable encoded slash handling behavior to UDSPackages feat: add configurable encoded slash handling behavior to UDSPackage Apr 5, 2024
@Racer159
Copy link
Copy Markdown
Contributor Author

Racer159 commented Apr 5, 2024

Post changes with retain slashes set to true:
image
Pre changes (and without retain slashes):
image

(Decided to leave path normalization on except for decoding slashes since it shouldn't really hurt anything - I don't know of any apps that expect double slashes or other weird slash configs)

Racer159
Racer159 commented Apr 5, 2024
View reviewed changes
@Racer159 Racer159 marked this pull request as ready for review April 5, 2024 17:24
@Racer159 Racer159 requested a review from a team as a code owner April 5, 2024 17:24
jeff-mccoy
jeff-mccoy previously requested changes Apr 6, 2024
View reviewed changes
Copy link
Copy Markdown
Member

@jeff-mccoy jeff-mccoy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Holding this one hostage until we discuss further, I really don't think we should do this and would rather remove the Istio Path Normalization than add all this complexity.

@Racer159
Copy link
Copy Markdown
Contributor Author

Racer159 commented Apr 7, 2024

Holding this one hostage until we discuss further, I really don't think we should do this and would rather remove the Istio Path Normalization than add all this complexity.

Yep got no problem with that, was fun learning more about Istio anyway 😅

@bburky
Copy link
Copy Markdown
Member

bburky commented Apr 8, 2024
edited
Loading

@jeff-mccoy

Holding this one hostage until we discuss further, I really don't think we should do this and would rather remove the Istio Path Normalization than add all this complexity.

Ok.

We'll likely be unable to use path-based AuthorizationPolices with any confidence across all of UDS without careful review of each app individually. I would have liked to have had the ability to use AuthorizationPolices to apply CVE mitigations on UDS apps, see #288 (comment) for more context. In theory we can still do this, but we'll have to review each app's URL decoding implementation before doing so.

For Keycloak specifically, MERGE_SLASHES seems to be sufficient. I did some light manual testing, and //admin is still blocked (redirected) with MERGE_SLASHES, /%2fadmin is now a keycloak error (good, not allowed through). A cursory review of the source code (in vertx via quarkus via keycloak), suggests only alpha, didgit, hyphen, period, underscore and tilde characters are URL decoded:
https://github.com/eclipse-vertx/vert.x/blob/5832acf2fb22ed0301c396d4c3a7c316005e2939/src/main/java/io/vertx/core/http/impl/HttpUtils.java#L317-L329

At least MERGE_SLASHES level of normalization is required if we use path-based AuthorizationPolicies on Keycloak, because Keycloak merges // into / (example: //admin is a valid URL). This is because Keycloak implements this non-standard (but common, as they note) normalization:
https://github.com/eclipse-vertx/vert.x/blob/5832acf2fb22ed0301c396d4c3a7c316005e2939/src/main/java/io/vertx/core/http/impl/HttpUtils.java#L390-L393

@Racer159 Racer159 changed the title feat: add configurable encoded slash handling behavior to UDSPackage fix: drop path normalization to MERGE_SLASHES to allow apps to handle encoded slashes Apr 8, 2024
@Racer159 Racer159 requested a review from jeff-mccoy April 8, 2024 18:08
mjnagel
mjnagel approved these changes Apr 10, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@mjnagel mjnagel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thanks for the fix here!

@mjnagel mjnagel dismissed jeff-mccoy’s stale review April 10, 2024 21:51

Dismissing this as the target change pivoted from the original envoyfilter approach.

@mjnagel mjnagel merged commit 26e965f into main Apr 11, 2024
@mjnagel mjnagel deleted the 288-allow-configure-decode-slashes branch April 11, 2024 13:56
@github-actions github-actions bot mentioned this pull request Apr 11, 2024
Merged
mjnagel pushed a commit that referenced this pull request Apr 12, 2024
@github-actions
chore(main): release 0.19.0 (#320)
4ce502b 
🤖 I have created a release *beep* *boop*
---


##
[0.19.0](v0.18.0...v0.19.0)
(2024-04-12)


### Features

* add nightly testing eks
([#250](#250))
([543b09d](543b09d))


### Bug Fixes

* drop path normalization to MERGE_SLASHES to allow apps to handle
encoded slashes
([#330](#330))
([26e965f](26e965f))
* loki bucket configuration service_account and namespace
([#332](#332))
([9518634](9518634))


### Miscellaneous

* **deps:** update grafana
([#257](#257))
([c98e566](c98e566))
* **deps:** update metrics-server
([#298](#298))
([691fd87](691fd87))
* **deps:** update pepr
([#324](#324))
([2ef0f96](2ef0f96))
* **deps:** update pepr to v0.28.7
([#321](#321))
([e7206bb](e7206bb))
* **deps:** update promtail
([#74](#74))
([6a112b5](6a112b5))
* **deps:** update zarf to v0.32.6
([#282](#282))
([443426d](443426d))
* **deps:** update zarf to v0.33.0
([#325](#325))
([f2a2a66](f2a2a66))
* update codeowners
([#338](#338))
([c419574](c419574))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
rjferguson21 pushed a commit that referenced this pull request Jul 11, 2024
@Racer159 @mjnagel
fix: drop path normalization to MERGE_SLASHES to allow apps to handle…
c5d7ada 
… encoded slashes (#330)

## Description

PR to address `DECODE_AND_MERGE_SLASHES` causing issues in certain
applications. Gives the ability to selectively turn this off in a
namespace with the `UDSPackage` CR.

## Related Issue

Fixes #288

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [X] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [X] [Contributor Guide
Steps](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md)(https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md#submitting-a-pull-request)
followed

---------

Co-authored-by: Micah Nagel <micah.nagel@defenseunicorns.com>
rjferguson21 pushed a commit that referenced this pull request Jul 11, 2024
@github-actions
chore(main): release 0.19.0 (#320)
1ee953f 
🤖 I have created a release *beep* *boop*
---


##
[0.19.0](v0.18.0...v0.19.0)
(2024-04-12)


### Features

* add nightly testing eks
([#250](#250))
([543b09d](543b09d))


### Bug Fixes

* drop path normalization to MERGE_SLASHES to allow apps to handle
encoded slashes
([#330](#330))
([26e965f](26e965f))
* loki bucket configuration service_account and namespace
([#332](#332))
([9518634](9518634))


### Miscellaneous

* **deps:** update grafana
([#257](#257))
([c98e566](c98e566))
* **deps:** update metrics-server
([#298](#298))
([691fd87](691fd87))
* **deps:** update pepr
([#324](#324))
([2ef0f96](2ef0f96))
* **deps:** update pepr to v0.28.7
([#321](#321))
([e7206bb](e7206bb))
* **deps:** update promtail
([#74](#74))
([6a112b5](6a112b5))
* **deps:** update zarf to v0.32.6
([#282](#282))
([443426d](443426d))
* **deps:** update zarf to v0.33.0
([#325](#325))
([f2a2a66](f2a2a66))
* update codeowners
([#338](#338))
([c419574](c419574))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
mjnagel added a commit to BagelLab/uds-core that referenced this pull request Nov 14, 2025
@Racer159 @mjnagel
fix: drop path normalization to MERGE_SLASHES to allow apps to handle…
b5a66d5 
… encoded slashes (defenseunicorns#330)

## Description

PR to address `DECODE_AND_MERGE_SLASHES` causing issues in certain
applications. Gives the ability to selectively turn this off in a
namespace with the `UDSPackage` CR.

## Related Issue

Fixes defenseunicorns#288

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [X] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [X] [Contributor Guide
Steps](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md)(https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md#submitting-a-pull-request)
followed

---------

Co-authored-by: Micah Nagel <micah.nagel@defenseunicorns.com>
mjnagel pushed a commit to BagelLab/uds-core that referenced this pull request Nov 14, 2025
@github-actions @mjnagel
chore(main): release 0.19.0 (defenseunicorns#320)
ec10247 
🤖 I have created a release *beep* *boop*
---


##
[0.19.0](defenseunicorns/uds-core@v0.18.0...v0.19.0)
(2024-04-12)


### Features

* add nightly testing eks
([defenseunicorns#250](defenseunicorns#250))
([543b09d](defenseunicorns@543b09d))


### Bug Fixes

* drop path normalization to MERGE_SLASHES to allow apps to handle
encoded slashes
([defenseunicorns#330](defenseunicorns#330))
([26e965f](defenseunicorns@26e965f))
* loki bucket configuration service_account and namespace
([defenseunicorns#332](defenseunicorns#332))
([9518634](defenseunicorns@9518634))


### Miscellaneous

* **deps:** update grafana
([defenseunicorns#257](defenseunicorns#257))
([c98e566](defenseunicorns@c98e566))
* **deps:** update metrics-server
([defenseunicorns#298](defenseunicorns#298))
([691fd87](defenseunicorns@691fd87))
* **deps:** update pepr
([defenseunicorns#324](defenseunicorns#324))
([2ef0f96](defenseunicorns@2ef0f96))
* **deps:** update pepr to v0.28.7
([defenseunicorns#321](defenseunicorns#321))
([e7206bb](defenseunicorns@e7206bb))
* **deps:** update promtail
([#74](defenseunicorns#74))
([6a112b5](defenseunicorns@6a112b5))
* **deps:** update zarf to v0.32.6
([defenseunicorns#282](defenseunicorns#282))
([443426d](defenseunicorns@443426d))
* **deps:** update zarf to v0.33.0
([defenseunicorns#325](defenseunicorns#325))
([f2a2a66](defenseunicorns@f2a2a66))
* update codeowners
([defenseunicorns#338](defenseunicorns#338))
([c419574](defenseunicorns@c419574))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mjnagel mjnagel mjnagel approved these changes

@jeff-mccoy jeff-mccoy Awaiting requested review from jeff-mccoy

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Istio DECODE_AND_MERGE_SLASHES option breaks GitLab

4 participants

@Racer159 @bburky @jeff-mccoy @mjnagel