This is an automated email from the ASF dual-hosted git repository.
wenming pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 36b2b8365 chore: warn log when sending requests to external services
insecurely (#11403)
36b2b8365 is described below
commit 36b2b83653adfa1ad0f45b8d4bb33686a6550550
Author: Shreemaan Abhishek <[email protected]>
AuthorDate: Wed Jul 24 11:10:11 2024 +0545
chore: warn log when sending requests to external services insecurely
(#11403)
---
apisix/core/utils.lua | 84 +++++
apisix/plugins/authz-casdoor.lua | 2 +
apisix/plugins/authz-keycloak.lua | 5 +
apisix/plugins/cas-auth.lua | 2 +
apisix/plugins/clickhouse-logger.lua | 4 +
apisix/plugins/elasticsearch-logger.lua | 4 +
apisix/plugins/error-log-logger.lua | 5 +
apisix/plugins/forward-auth.lua | 4 +
apisix/plugins/http-logger.lua | 4 +
apisix/plugins/ldap-auth.lua | 1 +
apisix/plugins/loki-logger.lua | 4 +
apisix/plugins/opa.lua | 3 +
apisix/plugins/openid-connect.lua | 5 +
apisix/plugins/opentelemetry.lua | 2 +
apisix/plugins/openwhisk.lua | 4 +
apisix/plugins/rocketmq-logger.lua | 1 +
apisix/plugins/skywalking-logger.lua | 2 +
apisix/plugins/skywalking.lua | 2 +
apisix/plugins/syslog.lua | 1 +
apisix/plugins/tcp-logger.lua | 1 +
apisix/plugins/wolf-rbac.lua | 2 +
apisix/plugins/zipkin.lua | 2 +
t/plugin/security-warning.t | 570 +++++++++++++++++++++++++++++
t/plugin/security-warning2.t | 629 ++++++++++++++++++++++++++++++++
24 files changed, 1343 insertions(+)
diff --git a/apisix/core/utils.lua b/apisix/core/utils.lua
index adca3d856..cfea75654 100644
--- a/apisix/core/utils.lua
+++ b/apisix/core/utils.lua
@@ -36,6 +36,8 @@ local str_byte = string.byte
local tonumber = tonumber
local tostring = tostring
local re_gsub = ngx.re.gsub
+local re_match = ngx.re.match
+local re_gmatch = ngx.re.gmatch
local type = type
local io_popen = io.popen
local C = ffi.C
@@ -43,6 +45,7 @@ local ffi_string = ffi.string
local get_string_buf = base.get_string_buf
local exiting = ngx.worker.exiting
local ngx_sleep = ngx.sleep
+local ipairs = ipairs
local hostname
local dns_resolvers
@@ -378,4 +381,85 @@ end
_M.resolve_var_with_captures = resolve_var_with_captures
+-- if `str` is a string containing period `some_plugin.some_field.nested_field`
+-- return the table that contains `nested_field` in its root level
+-- else return the original table `conf`
+local function get_root_conf(str, conf, field)
+ -- if the string contains periods, get the splits in `it` iterator
+ local it, _ = re_gmatch(str, [[([^\.]+)]])
+ if not it then
+ return conf, field
+ end
+
+ -- add the splits into a table
+ local matches = {}
+ while true do
+ local m, _ = it()
+ if not m then
+ break
+ end
+ table.insert(matches, m[0])
+ end
+
+ -- get to the table that holds the last field
+ local num_of_matches = #matches
+ for i = 1, num_of_matches - 1 , 1 do
+ conf = conf[matches[i]]
+ end
+
+ -- return the table and the last field
+ return conf, matches[num_of_matches]
+end
+
+
+local function find_and_log(field, plugin_name, value)
+ local match, err = re_match(value, "^https")
+ if not match and not err then
+ log.warn("Using ", plugin_name, " " , field, " with no TLS is a
security risk")
+ end
+end
+
+
+function _M.check_https(fields, conf, plugin_name)
+ for _, field in ipairs(fields) do
+
+ local new_conf, new_field = get_root_conf(field, conf)
+ if not new_conf then
+ return
+ end
+
+ local value = new_conf[new_field]
+ if not value then
+ return
+ end
+
+ if type(value) == "table" then
+ for _, v in ipairs(value) do
+ find_and_log(field, plugin_name, v)
+ end
+ else
+ find_and_log(field, plugin_name, value)
+ end
+ end
+end
+
+
+function _M.check_tls_bool(fields, conf, plugin_name)
+ for i, field in ipairs(fields) do
+
+ local new_conf, new_field = get_root_conf(field, conf)
+ if not new_conf then
+ return
+ end
+
+ local value = new_conf[new_field]
+
+ if value ~= true and value ~= nil then
+ log.warn("Keeping ", field, " disabled in ",
+ plugin_name, " configuration is a security risk")
+ end
+ end
+end
+
+
return _M
diff --git a/apisix/plugins/authz-casdoor.lua b/apisix/plugins/authz-casdoor.lua
index 4ed1c92b9..c496ab6b1 100644
--- a/apisix/plugins/authz-casdoor.lua
+++ b/apisix/plugins/authz-casdoor.lua
@@ -85,6 +85,8 @@ end
function _M.check_schema(conf)
+ local check = {"endpoint_addr", "callback_url"}
+ core.utils.check_https(check, conf, plugin_name)
return core.schema.check(schema, conf)
end
diff --git a/apisix/plugins/authz-keycloak.lua
b/apisix/plugins/authz-keycloak.lua
index 587628f74..34a053332 100644
--- a/apisix/plugins/authz-keycloak.lua
+++ b/apisix/plugins/authz-keycloak.lua
@@ -114,6 +114,11 @@ local _M = {
function _M.check_schema(conf)
+ local check = {"discovery", "token_endpoint",
"resource_registration_endpoint",
+ "access_denied_redirect_uri"}
+ core.utils.check_https(check, conf, plugin_name)
+ core.utils.check_tls_bool({"ssl_verify"}, conf, plugin_name)
+
return core.schema.check(schema, conf)
end
diff --git a/apisix/plugins/cas-auth.lua b/apisix/plugins/cas-auth.lua
index 2a3e5049c..d949636f5 100644
--- a/apisix/plugins/cas-auth.lua
+++ b/apisix/plugins/cas-auth.lua
@@ -49,6 +49,8 @@ local _M = {
}
function _M.check_schema(conf)
+ local check = {"idp_uri"}
+ core.utils.check_https(check, conf, plugin_name)
return core.schema.check(schema, conf)
end
diff --git a/apisix/plugins/clickhouse-logger.lua
b/apisix/plugins/clickhouse-logger.lua
index b2e656797..793a8d462 100644
--- a/apisix/plugins/clickhouse-logger.lua
+++ b/apisix/plugins/clickhouse-logger.lua
@@ -89,6 +89,10 @@ function _M.check_schema(conf, schema_type)
if schema_type == core.schema.TYPE_METADATA then
return core.schema.check(metadata_schema, conf)
end
+ local check = {"endpoint_addrs"}
+ core.utils.check_https(check, conf, plugin_name)
+ core.utils.check_tls_bool({"ssl_verify"}, conf, plugin_name)
+
return core.schema.check(schema, conf)
end
diff --git a/apisix/plugins/elasticsearch-logger.lua
b/apisix/plugins/elasticsearch-logger.lua
index 38bc884ed..2b126c434 100644
--- a/apisix/plugins/elasticsearch-logger.lua
+++ b/apisix/plugins/elasticsearch-logger.lua
@@ -124,6 +124,10 @@ function _M.check_schema(conf, schema_type)
if schema_type == core.schema.TYPE_METADATA then
return core.schema.check(metadata_schema, conf)
end
+ local check = {"endpoint_addrs"}
+ core.utils.check_https(check, conf, plugin_name)
+ core.utils.check_tls_bool({"ssl_verify"}, conf, plugin_name)
+
return core.schema.check(schema, conf)
end
diff --git a/apisix/plugins/error-log-logger.lua
b/apisix/plugins/error-log-logger.lua
index 5d5c5d2a9..88eca65ca 100644
--- a/apisix/plugins/error-log-logger.lua
+++ b/apisix/plugins/error-log-logger.lua
@@ -187,6 +187,11 @@ function _M.check_schema(conf, schema_type)
if schema_type == core.schema.TYPE_METADATA then
return core.schema.check(metadata_schema, conf)
end
+
+ local check = {"skywalking.endpoint_addr", "clickhouse.endpoint_addr"}
+ core.utils.check_https(check, conf, plugin_name)
+ core.utils.check_tls_bool({"tcp.tls"}, conf, plugin_name)
+
return core.schema.check(schema, conf)
end
diff --git a/apisix/plugins/forward-auth.lua b/apisix/plugins/forward-auth.lua
index 95f04994c..c75593246 100644
--- a/apisix/plugins/forward-auth.lua
+++ b/apisix/plugins/forward-auth.lua
@@ -78,6 +78,10 @@ local _M = {
function _M.check_schema(conf)
+ local check = {"uri"}
+ core.utils.check_https(check, conf, _M.name)
+ core.utils.check_tls_bool({"ssl_verify"}, conf, _M.name)
+
return core.schema.check(schema, conf)
end
diff --git a/apisix/plugins/http-logger.lua b/apisix/plugins/http-logger.lua
index 9da5373d3..44f84acc9 100644
--- a/apisix/plugins/http-logger.lua
+++ b/apisix/plugins/http-logger.lua
@@ -82,6 +82,10 @@ function _M.check_schema(conf, schema_type)
return core.schema.check(metadata_schema, conf)
end
+ local check = {"uri"}
+ core.utils.check_https(check, conf, plugin_name)
+ core.utils.check_tls_bool({"ssl_verify"}, conf, plugin_name)
+
local ok, err = core.schema.check(schema, conf)
if not ok then
return nil, err
diff --git a/apisix/plugins/ldap-auth.lua b/apisix/plugins/ldap-auth.lua
index 11f205c6b..592d2d5ff 100644
--- a/apisix/plugins/ldap-auth.lua
+++ b/apisix/plugins/ldap-auth.lua
@@ -59,6 +59,7 @@ function _M.check_schema(conf, schema_type)
if schema_type == core.schema.TYPE_CONSUMER then
ok, err = core.schema.check(consumer_schema, conf)
else
+ core.utils.check_tls_bool({"use_tls", "tls_verify"}, conf, plugin_name)
ok, err = core.schema.check(schema, conf)
end
diff --git a/apisix/plugins/loki-logger.lua b/apisix/plugins/loki-logger.lua
index e4c834e30..59cb4da82 100644
--- a/apisix/plugins/loki-logger.lua
+++ b/apisix/plugins/loki-logger.lua
@@ -125,6 +125,10 @@ function _M.check_schema(conf, schema_type)
return core.schema.check(metadata_schema, conf)
end
+ local check = {"endpoint_addrs"}
+ core.utils.check_https(check, conf, plugin_name)
+ core.utils.check_tls_bool({"ssl_verify"}, conf, plugin_name)
+
local ok, err = core.schema.check(schema, conf)
if not ok then
return nil, err
diff --git a/apisix/plugins/opa.lua b/apisix/plugins/opa.lua
index 24bdb5be1..0475529f0 100644
--- a/apisix/plugins/opa.lua
+++ b/apisix/plugins/opa.lua
@@ -65,6 +65,9 @@ local _M = {
function _M.check_schema(conf)
+ local check = {"host"}
+ core.utils.check_https(check, conf, _M.name)
+ core.utils.check_tls_bool({"ssl_verify"}, conf, _M.name)
return core.schema.check(schema, conf)
end
diff --git a/apisix/plugins/openid-connect.lua
b/apisix/plugins/openid-connect.lua
index db8d01bfb..c4388abbf 100644
--- a/apisix/plugins/openid-connect.lua
+++ b/apisix/plugins/openid-connect.lua
@@ -305,6 +305,11 @@ function _M.check_schema(conf)
}
end
+ local check = {"discovery", "introspection_endpoint", "redirect_uri",
+ "post_logout_redirect_uri", "proxy_opts.http_proxy",
"proxy_opts.https_proxy"}
+ core.utils.check_https(check, conf, plugin_name)
+ core.utils.check_tls_bool({"ssl_verify"}, conf, plugin_name)
+
local ok, err = core.schema.check(schema, conf)
if not ok then
return false, err
diff --git a/apisix/plugins/opentelemetry.lua b/apisix/plugins/opentelemetry.lua
index aac18897c..60f05fc17 100644
--- a/apisix/plugins/opentelemetry.lua
+++ b/apisix/plugins/opentelemetry.lua
@@ -219,6 +219,8 @@ function _M.init()
hostname = core.utils.gethostname()
plugin_info = plugin.plugin_attr(plugin_name) or {}
+ local check = {"collector.address"}
+ core.utils.check_https(check, plugin_info, plugin_name)
local ok, err = core.schema.check(attr_schema, plugin_info)
if not ok then
core.log.error("failed to check the plugin_attr[", plugin_name, "]",
diff --git a/apisix/plugins/openwhisk.lua b/apisix/plugins/openwhisk.lua
index 718513adc..f1399254c 100644
--- a/apisix/plugins/openwhisk.lua
+++ b/apisix/plugins/openwhisk.lua
@@ -63,6 +63,10 @@ local _M = {
function _M.check_schema(conf)
+ local check = {"api_host"}
+ core.utils.check_https(check, conf, _M.name)
+ core.utils.check_tls_bool({"ssl_verify"}, conf, _M.name)
+
local ok, err = core.schema.check(schema, conf)
if not ok then
return false, err
diff --git a/apisix/plugins/rocketmq-logger.lua
b/apisix/plugins/rocketmq-logger.lua
index 3cefa7fbb..2f0cd5b4b 100644
--- a/apisix/plugins/rocketmq-logger.lua
+++ b/apisix/plugins/rocketmq-logger.lua
@@ -99,6 +99,7 @@ function _M.check_schema(conf, schema_type)
if not ok then
return nil, err
end
+ core.utils.check_tls_bool({"use_tls"}, conf, plugin_name)
return log_util.check_log_schema(conf)
end
diff --git a/apisix/plugins/skywalking-logger.lua
b/apisix/plugins/skywalking-logger.lua
index 94ba65534..8a7e309cd 100644
--- a/apisix/plugins/skywalking-logger.lua
+++ b/apisix/plugins/skywalking-logger.lua
@@ -82,6 +82,8 @@ function _M.check_schema(conf, schema_type)
if schema_type == core.schema.TYPE_METADATA then
return core.schema.check(metadata_schema, conf)
end
+ local check = {"endpoint_addr"}
+ core.utils.check_https(check, conf, plugin_name)
return core.schema.check(schema, conf)
end
diff --git a/apisix/plugins/skywalking.lua b/apisix/plugins/skywalking.lua
index de170487e..2ef435bcc 100644
--- a/apisix/plugins/skywalking.lua
+++ b/apisix/plugins/skywalking.lua
@@ -71,6 +71,8 @@ local _M = {
function _M.check_schema(conf)
+ local check = {"endpoint_addr"}
+ core.utils.check_https(check, conf, plugin_name)
return core.schema.check(schema, conf)
end
diff --git a/apisix/plugins/syslog.lua b/apisix/plugins/syslog.lua
index fa160feeb..1f3539530 100644
--- a/apisix/plugins/syslog.lua
+++ b/apisix/plugins/syslog.lua
@@ -80,6 +80,7 @@ function _M.check_schema(conf, schema_type)
if schema_type == core.schema.TYPE_METADATA then
return core.schema.check(metadata_schema, conf)
end
+ core.utils.check_tls_bool({"tls"}, conf, plugin_name)
return core.schema.check(schema, conf)
end
diff --git a/apisix/plugins/tcp-logger.lua b/apisix/plugins/tcp-logger.lua
index e95ba9339..7482fe515 100644
--- a/apisix/plugins/tcp-logger.lua
+++ b/apisix/plugins/tcp-logger.lua
@@ -76,6 +76,7 @@ function _M.check_schema(conf, schema_type)
return core.schema.check(metadata_schema, conf)
end
+ core.utils.check_tls_bool({"tls"}, conf, plugin_name)
return core.schema.check(schema, conf)
end
diff --git a/apisix/plugins/wolf-rbac.lua b/apisix/plugins/wolf-rbac.lua
index 154fde41a..22a90c2f5 100644
--- a/apisix/plugins/wolf-rbac.lua
+++ b/apisix/plugins/wolf-rbac.lua
@@ -141,6 +141,8 @@ end
function _M.check_schema(conf)
+ local check = {"server"}
+ core.utils.check_https(check, conf, plugin_name)
core.log.info("input conf: ", core.json.delay_encode(conf))
local ok, err = core.schema.check(schema, conf)
diff --git a/apisix/plugins/zipkin.lua b/apisix/plugins/zipkin.lua
index 0b9efa8f2..dc814f1bc 100644
--- a/apisix/plugins/zipkin.lua
+++ b/apisix/plugins/zipkin.lua
@@ -70,6 +70,8 @@ local _M = {
function _M.check_schema(conf)
+ local check = {"endpoint"}
+ core.utils.check_https(check, conf, plugin_name)
return core.schema.check(schema, conf)
end
diff --git a/t/plugin/security-warning.t b/t/plugin/security-warning.t
new file mode 100644
index 000000000..f2d2e3ea6
--- /dev/null
+++ b/t/plugin/security-warning.t
@@ -0,0 +1,570 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+use t::APISIX 'no_plan';
+
+repeat_each(1);
+no_long_string();
+no_root_location();
+add_block_preprocessor(sub {
+ my ($block) = @_;
+
+ if (!defined $block->request) {
+ $block->set_value("request", "GET /t");
+ }
+
+});
+run_tests();
+
+__DATA__
+
+=== TEST 1: authz-casdoor no https
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.authz-casdoor")
+ local fake_uri = "http://127.0.0.1:"; .. ngx.var.server_port
+ local callback_url = "http://127.0.0.1:"; .. ngx.var.server_port ..
+ "/anything/callback"
+ local conf = {
+ callback_url = callback_url,
+ endpoint_addr = fake_uri,
+ client_id = "7ceb9b7fda4a9061ec1c",
+ client_secret = "3416238e1edf915eac08b8fe345b2b95cdba7e04"
+ }
+ local ok, err = plugin.check_schema(conf)
+ if not ok then
+ ngx.say(err)
+ end
+ ngx.say("done")
+
+ }
+ }
+--- response_body
+done
+--- error_log
+Using authz-casdoor endpoint_addr with no TLS is a security risk
+Using authz-casdoor callback_url with no TLS is a security risk
+
+
+
+=== TEST 2: authz-casdoor with TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.authz-casdoor")
+ local fake_uri = "https://127.0.0.1:"; .. ngx.var.server_port
+ local callback_url = "https://127.0.0.1:"; .. ngx.var.server_port ..
+ "/anything/callback"
+ local conf = {
+ callback_url = callback_url,
+ endpoint_addr = fake_uri,
+ client_id = "7ceb9b7fda4a9061ec1c",
+ client_secret = "3416238e1edf915eac08b8fe345b2b95cdba7e04"
+ }
+ local ok, err = plugin.check_schema(conf)
+ if not ok then
+ ngx.say(err)
+ end
+ ngx.say("done")
+
+ }
+ }
+--- response_body
+done
+--- no_error_log
+Using authz-casdoor endpoint_addr with no TLS is a security risk
+Using authz-casdoor callback_url with no TLS is a security risk
+
+
+
+=== TEST 3: authz keycloak with no TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local check = {"discovery", "token_endpoint",
"resource_registration_endpoint", "access_denied_redirect_uri"}
+ local plugin = require("apisix.plugins.authz-keycloak")
+ local ok, err = plugin.check_schema({
+ client_id = "foo",
+ discovery =
"http://host.domain/realms/foo/protocol/openid-connect/token";,
+ token_endpoint =
"http://token_endpoint.domain";,
+ resource_registration_endpoint =
"http://resource_registration_endpoint.domain";,
+ access_denied_redirect_uri =
"http://access_denied_redirect_uri.domain";
+ })
+ if not ok then
+ ngx.say(err)
+ end
+
+ ngx.say("done")
+ }
+ }
+--- request
+GET /t
+--- response_body
+done
+--- error_log
+Using authz-keycloak discovery with no TLS is a security risk
+Using authz-keycloak token_endpoint with no TLS is a security risk
+Using authz-keycloak resource_registration_endpoint with no TLS is a security
+Using authz-keycloak access_denied_redirect_uri with no TLS is a security risk
+
+
+
+=== TEST 4: authz keycloak with TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local check = {"discovery", "token_endpoint",
"resource_registration_endpoint", "access_denied_redirect_uri"}
+ local plugin = require("apisix.plugins.authz-keycloak")
+ local ok, err = plugin.check_schema({
+ client_id = "foo",
+ discovery =
"https://host.domain/realms/foo/protocol/openid-connect/token";,
+ token_endpoint =
"https://token_endpoint.domain";,
+ resource_registration_endpoint =
"https://resource_registration_endpoint.domain";,
+ access_denied_redirect_uri =
"https://access_denied_redirect_uri.domain";
+ })
+ if not ok then
+ ngx.say(err)
+ end
+
+ ngx.say("done")
+ }
+ }
+--- request
+GET /t
+--- response_body
+done
+--- no_error_log
+Using authz-keycloak discovery with no TLS is a security risk
+Using authz-keycloak token_endpoint with no TLS is a security risk
+Using authz-keycloak resource_registration_endpoint with no TLS is a security
+Using authz-keycloak access_denied_redirect_uri with no TLS is a security risk
+
+
+
+=== TEST 5: cas auth with no TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.cas-auth")
+ local ok, err = plugin.check_schema({
+ idp_uri = "http://a.com";,
+ cas_callback_uri = "/a/b",
+ logout_uri = "/c/d"
+ })
+
+ if not ok then
+ ngx.say(err)
+ else
+ ngx.say("passed")
+ end
+ }
+ }
+--- response_body
+passed
+--- error_log
+risk
+
+
+
+=== TEST 6: cas auth with TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.cas-auth")
+ local ok, err = plugin.check_schema({
+ idp_uri = "https://a.com";,
+ cas_callback_uri = "/a/b",
+ logout_uri = "/c/d"
+ })
+ if not ok then
+ ngx.say(err)
+ else
+ ngx.say("passed")
+ end
+ }
+ }
+--- response_body
+passed
+--- no_error_log
+risk
+
+
+
+=== TEST 7: clickhouse logger with no TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.clickhouse-logger")
+ local ok, err = plugin.check_schema({
+ timeout = 3,
+ retry_delay = 1,
+ batch_max_size = 500,
+ user = "default",
+ password = "a",
+ database = "default",
+ logtable = "t",
+ endpoint_addrs = {
+ "http://127.0.0.1:1980/clickhouse_logger_server";,
+ "http://127.0.0.2:1980/clickhouse_logger_server";,
+ },
+ max_retry_count = 1,
+ name = "clickhouse logger",
+ ssl_verify = false
+ })
+
+ if not ok then
+ ngx.say(err)
+ else
+ ngx.say("passed")
+ end
+ }
+ }
+--- response_body
+passed
+--- error_log
+Using clickhouse-logger endpoint_addrs with no TLS is a security risk
+
+
+
+=== TEST 8: clickhouse logger with TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.clickhouse-logger")
+ local ok, err = plugin.check_schema({
+ timeout = 3,
+ retry_delay = 1,
+ batch_max_size = 500,
+ user = "default",
+ password = "a",
+ database = "default",
+ logtable = "t",
+ endpoint_addrs = {
+ "https://127.0.0.1:1980/clickhouse_logger_server";,
+ "https://127.0.0.2:1980/clickhouse_logger_server";,
+ },
+ max_retry_count = 1,
+ name = "clickhouse logger",
+ ssl_verify = false
+ })
+
+ if not ok then
+ ngx.say(err)
+ else
+ ngx.say("passed")
+ end
+ }
+ }
+--- response_body
+passed
+--- no_error_log
+Using clickhouse-logger endpoint_addrs with no TLS is a security risk
+
+
+
+=== TEST 9: elastic search logger with no TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local ok, err
+ local plugin = require("apisix.plugins.elasticsearch-logger")
+ ok, err = plugin.check_schema({
+ endpoint_addrs = {
+ "http://127.0.0.1:9200";
+ },
+ field = {
+ index = "services"
+ }
+ })
+ if err then
+ ngx.say(err)
+ else
+ ngx.say("passed")
+ end
+
+ }
+ }
+--- response_body_like
+passed
+--- error_log
+Using elasticsearch-logger endpoint_addrs with no TLS is a security risk
+
+
+
+=== TEST 10: elastic search logger with TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local ok, err
+ local plugin = require("apisix.plugins.elasticsearch-logger")
+ ok, err = plugin.check_schema({
+ endpoint_addrs = {
+ "https://127.0.0.1:9200";
+ },
+ field = {
+ index = "services"
+ }
+ })
+ if err then
+ ngx.say(err)
+ else
+ ngx.say("passed")
+ end
+
+ }
+ }
+--- response_body_like
+passed
+--- no_error_log
+Using elasticsearch-logger endpoint_addrs with no TLS is a security risk
+
+
+
+=== TEST 11: error log logger with tcp.tls = false
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.error-log-logger")
+ local ok, err = plugin.check_schema({
+ tcp = {
+ host = "host.com",
+ port = "99",
+ tls = false,
+ },
+ skywalking = {
+ endpoint_addr = "http://a.bcd";
+ },
+ clickhouse = {
+ endpoint_addr = "http://some.com";,
+ user = "user",
+ password = "secret",
+ database = "yes",
+ logtable = "some"
+ },
+ })
+ ngx.say(ok and "done" or err)
+
+ }
+ }
+--- request
+GET /t
+--- response_body
+done
+--- error_log
+Using error-log-logger skywalking.endpoint_addr with no TLS is a security risk
+Using error-log-logger clickhouse.endpoint_addr with no TLS is a security risk
+Keeping tcp.tls disabled in error-log-logger configuration is a security risk
+
+
+
+=== TEST 12: error log logger with tcp.tls = true
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.error-log-logger")
+ local ok, err = plugin.check_schema({
+ tcp = {
+ host = "host.com",
+ port = "99",
+ tls = true,
+ },
+ skywalking = {
+ endpoint_addr = "https://a.bcd";
+ },
+ clickhouse = {
+ endpoint_addr = "https://some.com";,
+ user = "user",
+ password = "secret",
+ database = "yes",
+ logtable = "some"
+ },
+ })
+ ngx.say(ok and "done" or err)
+
+ }
+ }
+--- request
+GET /t
+--- response_body
+done
+--- no_error_log
+Using error-log-logger skywalking.endpoint_addr with no TLS is a security risk
+Using error-log-logger clickhouse.endpoint_addr with no TLS is a security risk
+Keeping tcp.tls disabled in error-log-logger configuration is a security risk
+
+
+
+=== TEST 13: forward auth with no TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.forward-auth")
+
+ local ok, err = plugin.check_schema({uri =
"http://127.0.0.1:8199"})
+ ngx.say(ok and "done" or err)
+
+ }
+ }
+--- response_body
+done
+--- error_log
+Using forward-auth uri with no TLS is a security risk
+Using forward-auth uri with no TLS is a security risk
+
+
+
+=== TEST 14: forward auth with TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.forward-auth")
+
+ local ok, err = plugin.check_schema({uri =
"https://127.0.0.1:8199"})
+ ngx.say(ok and "done" or err)
+
+ }
+ }
+--- response_body
+done
+--- no_error_log
+Using forward-auth uri with no TLS is a security risk
+
+
+
+=== TEST 15: http-logger with no TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.http-logger")
+ local ok, err = plugin.check_schema({uri = "http://127.0.0.1"})
+ if not ok then
+ ngx.say(err)
+ end
+
+ ngx.say("done")
+ }
+ }
+--- response_body
+done
+--- error_log
+Using http-logger uri with no TLS is a security risk
+
+
+
+=== TEST 16: http-logger with TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.http-logger")
+ local ok, err = plugin.check_schema({uri = "https://127.0.0.1"})
+ if not ok then
+ ngx.say(err)
+ end
+
+ ngx.say("done")
+ }
+ }
+--- response_body
+done
+--- no_error_log
+Using http-logger uri with no TLS is a security risk
+
+
+
+=== TEST 17: ldap auth with no TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local core = require("apisix.core")
+ local plugin = require("apisix.plugins.ldap-auth")
+ local ok, err = plugin.check_schema(
+ {
+ base_dn = "123",
+ ldap_uri = "127.0.0.1:1389",
+ tls_verify = false,
+ use_tls = false
+ })
+ if not ok then
+ ngx.say(err)
+ end
+
+ ngx.say("done")
+ }
+ }
+--- response_body
+done
+--- error_log
+Keeping tls_verify disabled in ldap-auth configuration is a security risk
+Keeping use_tls disabled in ldap-auth configuration is a security risk
+
+
+
+=== TEST 18: ldap auth with TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local core = require("apisix.core")
+ local plugin = require("apisix.plugins.ldap-auth")
+ local ok, err = plugin.check_schema({base_dn = "123", ldap_uri =
"127.0.0.1:1389", use_tls = true})
+ if not ok then
+ ngx.say(err)
+ end
+
+ ngx.say("done")
+ }
+ }
+--- response_body
+done
+--- no_error_log
+Using LDAP auth with TLS disabled is a security risk
+
+
+
+=== TEST 19: loki-logger with no TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.loki-logger")
+
+ local ok, err = plugin.check_schema({endpoint_addrs =
{"http://127.0.0.1:8199"}})
+ ngx.say(ok and "done" or err)
+ }
+ }
+--- response_body
+done
+--- error_log
+Using loki-logger endpoint_addrs with no TLS is a security risk
+Using loki-logger endpoint_addrs with no TLS is a security risk
+Using loki-logger endpoint_addrs with no TLS is a security risk
+
+
+
+=== TEST 20: loki logger with TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.loki-logger")
+
+ local ok, err = plugin.check_schema({endpoint_addrs =
{"https://127.0.0.1:8199"}})
+ ngx.say(ok and "done" or err)
+ }
+ }
+--- response_body
+done
+--- no_error_log
+Using loki-logger endpoint_addrs with no TLS is a security risk
diff --git a/t/plugin/security-warning2.t b/t/plugin/security-warning2.t
new file mode 100644
index 000000000..acfd46649
--- /dev/null
+++ b/t/plugin/security-warning2.t
@@ -0,0 +1,629 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+use t::APISIX 'no_plan';
+
+repeat_each(1);
+no_long_string();
+no_root_location();
+add_block_preprocessor(sub {
+ my ($block) = @_;
+
+ if (!defined $block->request) {
+ $block->set_value("request", "GET /t");
+ }
+});
+run_tests();
+
+__DATA__
+
+=== TEST 1: opa with no TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.opa")
+ local ok, err = plugin.check_schema({host =
"http://127.0.0.1:8181";, policy = "example/allow"})
+ ngx.say(ok and "done" or err)
+ }
+ }
+--- response_body
+done
+--- error_log
+Using opa host with no TLS is a security risk
+
+
+
+=== TEST 2: opa with TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.opa")
+ local ok, err = plugin.check_schema({host =
"https://127.0.0.1:8181";, policy = "example/allow"})
+ ngx.say(ok and "done" or err)
+ }
+ }
+--- response_body
+done
+--- no_error_log
+Using opa host with no TLS is a security risk
+
+
+
+=== TEST 3: openid-connect with no TLS
+--- config
+ location /t {
+ content_by_lua_block {
+
+ local plugin = require("apisix.plugins.openid-connect")
+ local ok, err = plugin.check_schema({
+ client_id = "a",
+ client_secret = "b",
+ discovery = "http://a.com";,
+ introspection_endpoint = "http://b.com";,
+ redirect_uri = "http://c.com";,
+ post_logout_redirect_uri = "http://d.com";,
+ proxy_opts = {
+ http_proxy = "http://e.com";
+ }
+ })
+ if not ok then
+ ngx.say(err)
+ end
+
+ ngx.say("done")
+ }
+ }
+--- response_body
+done
+--- error_log
+Using openid-connect discovery with no TLS is a security risk
+Using openid-connect introspection_endpoint with no TLS is a security risk
+Using openid-connect redirect_uri with no TLS is a security risk
+Using openid-connect post_logout_redirect_uri with no TLS is a security risk
+Using openid-connect proxy_opts.http_proxy with no TLS is a security risk
+
+
+
+=== TEST 4: openid-connect with TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.openid-connect")
+
+ local ok, err = plugin.check_schema({
+ client_id = "a",
+ client_secret = "b",
+ discovery = "https://a.com";,
+ introspection_endpoint = "https://b.com";,
+ redirect_uri = "https://c.com";,
+ post_logout_redirect_uri = "https://d.com";,
+ proxy_opts = {
+ http_proxy = "https://e.com";
+ }
+ })
+
+ if not ok then
+ ngx.say(err)
+ end
+
+ ngx.say("done")
+ }
+ }
+--- response_body
+done
+--- no_error_log
+Using openid-connect discovery with no TLS is a security risk
+Using openid-connect introspection_endpoint with no TLS is a security risk
+Using openid-connect redirect_uri with no TLS is a security risk
+Using openid-connect post_logout_redirect_uri with no TLS is a security risk
+Using openid-connect proxy_opts.http_proxy with no TLS is a security risk
+
+
+
+=== TEST 5: opentelemetry with no TLS
+--- extra_yaml_config
+plugins:
+ - opentelemetry
+plugin_attr:
+ opentelemetry:
+ trace_id_source: x-request-id
+ batch_span_processor:
+ max_export_batch_size: 1
+ inactive_timeout: 0.5
+ collector:
+ address: http://127.0.0.1:4318
+ request_timeout: 3
+ request_headers:
+ foo: bar
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "plugins": {
+ "opentelemetry": {
+ "sampler": {
+ "name": "always_on"
+ }
+ }
+ },
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "uri": "/opentracing"
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- error_log
+Using opentelemetry collector.address with no TLS is a security risk
+
+
+
+=== TEST 6: opentelemetery with TLS
+--- extra_yaml_config
+plugins:
+ - opentelemetry
+plugin_attr:
+ opentelemetry:
+ trace_id_source: x-request-id
+ batch_span_processor:
+ max_export_batch_size: 1
+ inactive_timeout: 0.5
+ collector:
+ address: https://127.0.0.1:4318
+ request_timeout: 3
+ request_headers:
+ foo: bar
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "plugins": {
+ "opentelemetry": {
+ "sampler": {
+ "name": "always_on"
+ }
+ }
+ },
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "uri": "/opentracing"
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- no_error_log
+Using opentelemetry collector.address with no TLS is a security risk
+
+
+
+=== TEST 7: openwhisk with no TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.openwhisk")
+ local ok, err = plugin.check_schema({
+ api_host = "http://127.0.0.1:3233";,
+ service_token = "test:test",
+ namespace = "test",
+ action = "test"
+ })
+ if not ok then
+ ngx.say(err)
+ end
+
+ ngx.say("done")
+ }
+ }
+--- response_body
+done
+--- error_log
+Using openwhisk api_host with no TLS is a security risk
+
+
+
+=== TEST 8: openwhisk with TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.openwhisk")
+ local ok, err = plugin.check_schema({api_host =
"https://127.0.0.1:3233";, service_token = "test:test", namespace = "test",
action = "test"})
+ if not ok then
+ ngx.say(err)
+ end
+
+ ngx.say("done")
+ }
+ }
+--- response_body
+done
+--- no_error_log
+Using openwhisk api_host with no TLS is a security risk
+
+
+
+=== TEST 9: rocketmq with no TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.rocketmq-logger")
+ local ok, err = plugin.check_schema({
+ topic = "test",
+ key = "key1",
+ nameserver_list = {
+ "127.0.0.1:3"
+ },
+ use_tls = false
+ })
+ if not ok then
+ ngx.say(err)
+ end
+ ngx.say("done")
+ }
+ }
+--- response_body
+done
+--- error_log
+Keeping use_tls disabled in rocketmq-logger configuration is a security risk
+
+
+
+=== TEST 10: rocketmq with TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.rocketmq-logger")
+ local ok, err = plugin.check_schema({
+ topic = "test",
+ key = "key1",
+ nameserver_list = {
+ "127.0.0.1:3"
+ },
+ use_tls = true
+ })
+ if not ok then
+ ngx.say(err)
+ end
+ ngx.say("done")
+ }
+ }
+--- response_body
+done
+--- no_error_log
+Keeping use_tls disabled in rocketmq-logger configuration is a security risk
+
+
+
+=== TEST 11: skywalking-logger with no TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.skywalking-logger")
+ local ok, err = plugin.check_schema({endpoint_addr =
"http://127.0.0.1"})
+ if not ok then
+ ngx.say(err)
+ end
+
+ ngx.say("done")
+ }
+ }
+--- response_body
+done
+--- error_log
+Using skywalking-logger endpoint_addr with no TLS is a security risk
+
+
+
+=== TEST 12: skywalking-logger with TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.skywalking-logger")
+ local ok, err = plugin.check_schema({endpoint_addr =
"https://127.0.0.1"})
+ if not ok then
+ ngx.say(err)
+ end
+
+ ngx.say("done")
+ }
+ }
+--- response_body
+done
+--- no_error_log
+Using skywalking-logger endpoint_addr with no TLS is a security risk
+
+
+
+=== TEST 13: skywalking with no TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.skywalking")
+ local ok, err = plugin.check_schema({endpoint_addr =
"http://127.0.0.1:12800"})
+ if not ok then
+ ngx.say(err)
+ end
+
+ ngx.say("done")
+ }
+ }
+--- request
+GET /t
+--- response_body
+done
+--- error_log
+Using skywalking endpoint_addr with no TLS is a security risk
+
+
+
+=== TEST 14: skywalking with TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.skywalking")
+ local ok, err = plugin.check_schema({endpoint_addr =
"https://127.0.0.1:12800"})
+ if not ok then
+ ngx.say(err)
+ end
+
+ ngx.say("done")
+ }
+ }
+--- request
+GET /t
+--- response_body
+done
+--- no_error_log
+Using skywalking endpoint_addr with no TLS is a security risk
+
+
+
+=== TEST 15: syslog with no TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.syslog")
+ local ok, err = plugin.check_schema({
+ host = "127.0.0.1",
+ port = 5140,
+ tls = false
+ })
+ if not ok then
+ ngx.say(err)
+ end
+ ngx.say("done")
+ }
+ }
+--- request
+GET /t
+--- response_body
+done
+--- error_log
+Keeping tls disabled in syslog configuration is a security risk
+
+
+
+=== TEST 16: syslog with TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.syslog")
+ local ok, err = plugin.check_schema({
+ host = "127.0.0.1",
+ port = 5140,
+ tls = true
+ })
+ if not ok then
+ ngx.say(err)
+ end
+ ngx.say("done")
+ }
+ }
+--- request
+GET /t
+--- response_body
+done
+--- no_error_log
+Keeping tls disabled in syslog configuration is a security risk
+
+
+
+=== TEST 17: tcp-logger with no TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.tcp-logger")
+ local ok, err = plugin.check_schema({host = "127.0.0.1", port =
3000, tls = false})
+ if not ok then
+ ngx.say(err)
+ end
+
+ ngx.say("done")
+ }
+ }
+--- request
+GET /t
+--- response_body
+done
+--- error_log
+Keeping tls disabled in tcp-logger configuration is a security risk
+
+
+
+=== TEST 18: tcp-logger with TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "plugins": {
+ "tcp-logger": {
+ "host": "127.0.0.1",
+ "port": 3000,
+ "tls": true
+ }
+ },
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "uri": "/hello"
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+Keeping tls disabled in tcp-logger configuration is a security risk
+
+
+
+=== TEST 19: wolf-rbac with no TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.wolf-rbac")
+ local conf = {
+ server = "http://127.0.0.1:12180";
+ }
+
+ local ok, err = plugin.check_schema(conf)
+ if not ok then
+ ngx.say(err)
+ end
+
+ ngx.say(require("toolkit.json").encode(conf))
+ }
+ }
+--- response_body_like eval
+qr/\{"appid":"unset","header_prefix":"X-","server":"http:\/\/127\.0\.0\.1:12180"\}/
+--- error_log
+Using wolf-rbac server with no TLS is a security risk
+
+
+
+=== TEST 20: wolf-rbac with TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "wolf_rbac_unit_test",
+ "plugins": {
+ "wolf-rbac": {
+ "appid": "wolf-rbac-app",
+ "server": "https://127.0.0.1:1982";
+ }
+ }
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- response_body
+passed
+--- no_error_log
+Using wolf-rbac server with no TLS is a security risk
+
+
+
+=== TEST 21: zipkin with no TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.zipkin")
+ local ok, err = plugin.check_schema({endpoint =
'http://127.0.0.1', sample_ratio = 0.001})
+ if not ok then
+ ngx.say(err)
+ end
+
+ ngx.say("done")
+ }
+ }
+--- request
+GET /t
+--- response_body
+done
+--- error_log
+Using zipkin endpoint with no TLS is a security risk
+
+
+
+=== TEST 22: zipkin with TLS
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.zipkin")
+ local ok, err = plugin.check_schema({endpoint =
'https://127.0.0.1', sample_ratio = 0.001})
+ if not ok then
+ ngx.say(err)
+ end
+
+ ngx.say("done")
+ }
+ }
+--- request
+GET /t
+--- response_body
+done
+--- no_error_log
+Using zipkin endpoint with no TLS is a security risk
