v0.13.218
Changes
fix: Query predicate could be bypassed by prepared request, config is enabled by default and you can disable with -validate-query=false or (#2028)
Thanks to Daniel Abeles and Gal Goldshtein from https://oxeye.io
CVE
https://www.cvedetails.com/cve/CVE-2022-34296/
POC
% ./bin/skipper -inline-routes '
r1: QueryParam("foo") -> inlineContent("foo") -> <shunt>;
r2: * -> inlineContent("OK") -> <shunt>'
% curl "localhost:9090/r?foo=bar;"
OK
Fix as docker or binary user
Update to >=v0.13.218
To opt out of the fix: -validate-query=false
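Why the POC request falls through to r2, and what rejecting unparseable queries changes, as an added Go example (not skipper's code). It assumes Go 1.17 or later, where a semicolon in the query is a parse error and `URL.Query()` silently drops the affected pair; `route`, `validateQuery`, `plain` and `probe` are hypothetical names, and answering with 400 is an assumption.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// route mimics the two POC routes: r1 answers "foo" when the query
// parameter "foo" is present, r2 is the catch-all answering "OK".
// It reads the parsed query only and never sees the parse error.
func route(w http.ResponseWriter, r *http.Request) {
	if _, ok := r.URL.Query()["foo"]; ok { // malformed pairs are dropped
		fmt.Fprint(w, "foo")
		return
	}
	fmt.Fprint(w, "OK")
}

// validateQuery is a hypothetical wrapper (an assumption, not skipper's
// implementation) that rejects unparseable queries before routing runs.
func validateQuery(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := url.ParseQuery(r.URL.RawQuery); err != nil {
			http.Error(w, "invalid query", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// plain is the router without any query validation in front of it.
var plain http.Handler = http.HandlerFunc(route)

// probe sends a constructed GET request to h and returns status and body.
func probe(h http.Handler, target string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code, rec.Body.String()
}

func main() {
	for _, target := range []string{"/r?foo=bar", "/r?foo=bar;"} {
		c1, b1 := probe(plain, target)
		c2, b2 := probe(validateQuery(plain), target)
		fmt.Printf("%-12s unvalidated: %d %q  validated: %d %q\n", target, c1, b1, c2, b2)
	}
}
```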
Fix as skipper library user
diff --git main.go main.go
index 66b2da6..002455d 100644
--- main.go
+++ main.go
@@ -5,6 +5,7 @@ import (
"flag"
"fmt"
+ "net/http"
"net/url"
"os"
"path"
@@ -21,6 +22,7 @@ import (
"github.com/zalando/skipper/filters/accesslog"
"github.com/zalando/skipper/filters/auth"
"github.com/zalando/skipper/filters/cors"
+ "github.com/zalando/skipper/net"
"github.com/zalando/skipper/proxy"
"github.com/zalando/skipper/routing"
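Review bot: the added import and the context lines around it in this hunk use the host github.com, which is not skipper's module path; anyone applying this by hand should write github.com/zalando/skipper/net. The imported package is itself named net, so a main.go that also needs the standard library net package has to give one of the two an import alias.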
options := skipper.Options{
+ CustomHttpHandlerWrap: func(handler http.Handler) http.Handler {
+ return &net.ValidateQueryHandler{Handler: handler}
+ },
Docker image
Docker image is available in Zalando's Open Source registry:
docker run -it registry.opensource.zalan.do/teapot/skipper:v0.13.218 skipper --help
# arm64
docker run -it registry.opensource.zalan.do/teapot/skipper-arm64:v0.13.218 skipper --help
# arm v7 32bit
docker run -it registry.opensource.zalan.do/teapot/skipper-armv7:v0.13.218 skipper --help