kys1230 commented on PR #11498:
URL: https://github.com/apache/apisix/pull/11498#issuecomment-2290665983
I tried Test::nginx but couldn't get it to run. I'll briefly describe the
plugins I used and the reproduction method.
The plugin I used is the CORS plugin with the following configuration.
```json
{
  "uri": "/*",
  "name": "kystest",
  "methods": [
    "GET",
    "POST",
    "PUT",
    "DELETE",
    "PATCH",
    "HEAD",
    "OPTIONS",
    "CONNECT",
    "TRACE",
    "PURGE"
  ],
  "host": "kystest.a.b",
  "plugins": {
    "cors": {
      "_meta": {
        "disable": false
      },
      "allow_credential": true,
      "allow_headers": "**",
      "allow_methods": "**",
      "allow_origins": "**",
      "expose_headers": "**",
      "max_age": 5
    }
  },
  "upstream_id": "438941858735850233",
  "status": 1
}
```
Normal request:
```bash
# once
$ curl -s --resolve kystest.a.b:9080:10.41.0.12 -I -XOPTIONS -H 'Origin: http://a.b.c' http://kystest.a.b:9080
HTTP/1.1 200 OK
Date: Thu, 15 Aug 2024 05:15:19 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
X-Request-ID: b03d213c-0393-4719-8aeb-26a4a6ed910c
Access-Control-Allow-Origin: http://a.b.c
Vary: Origin
Access-Control-Allow-Methods: GET,POST,PUT,DELETE,PATCH,HEAD,OPTIONS,CONNECT,TRACE
Access-Control-Max-Age: 5
Access-Control-Expose-Headers: **
Access-Control-Allow-Credentials: true
# multiple
$ for i in {0..99}; do curl -s --resolve kystest.a.b:9080:10.41.0.12 -I -XOPTIONS -H 'Origin: http://a.b.c' http://kystest.a.b:9080 | grep -q 'Access-Control' && echo ok || echo no ; done | sort | uniq -c
    100 ok
```
Malicious request (an erroneous request):
If a malicious request passes an Origin containing a ',', it triggers this issue. When the Origin values of subsequent normal requests do not equal one of the values obtained by splitting the malicious request's Origin on ',', the cross-origin response headers are not returned.
Taking http://a.b.c and http://b.c.d as an example: if the Origin of a subsequent request is neither http://a.b.c nor http://b.c.d, the issue occurs with a certain probability, which depends on the number of nginx workers. If the malicious request is sent repeatedly, then once every worker has processed it the issue reproduces consistently.
```bash
$ curl -s --resolve kystest.a.b:9080:10.41.0.12 -I -XOPTIONS -H 'Origin: http://a.b.c,http://b.c.d' http://kystest.a.b:9080
HTTP/1.1 200 OK
Date: Thu, 15 Aug 2024 05:20:53 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
X-Request-ID: 2417dd05-00cf-43fb-b7cc-cbef7176b044
$ for i in {0..99}; do curl -s --resolve kystest.a.b:9080:10.41.0.12 -I -XOPTIONS -H 'Origin: http://a.b.e' http://kystest.a.b:9080 | grep -q 'Access-Control' && echo ok || echo no ; done | sort | uniq -c
     29 no
     71 ok
# Call the malicious request multiple times
$ for i in {0..99}; do curl -s --resolve kystest.a.b:9080:10.41.0.12 -I -H 'Origin: http://a.b.c,http://b.c.d' -XOPTIONS http://kystest.a.b:9080 | grep -q 'Access-Control' && echo ok || echo no ; done | sort | uniq -c
    100 no
# At this time, all normal requests will be affected.
$ for i in {0..99}; do curl -s --resolve kystest.a.b:9080:10.41.0.12 -I -XOPTIONS -H 'Origin: http://a.b.e' http://kystest.a.b:9080 | grep -q 'Access-Control' && echo ok || echo no ; done | sort | uniq -c
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
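The following is an added model of the behaviour the reproduction above shows; it is not code from apache/apisix or from the comment's author. It reproduces, in plain Python, the three observations in the comment: with `allow_origins: "**"` the request's own Origin is reflected; a comma-containing Origin leaves a parsed allow list in one worker's cache, after which only the listed origins get CORS headers from that worker; and the failure rate tracks how many workers have seen the poisoned value. The worker-selection policy (round robin instead of nginx's nondeterministic accept), the cache shape, and the hardened variant (never let a request-derived value populate a per-configuration cache) are assumptions of the model, not a description of the plugin's internals or of the PR's fix.

```python
"""Model of per-worker CORS allow-list cache poisoning (added example, not apisix code)."""

# APISIX cors `allow_origins` value used in the reproduction: reflect any Origin.
ALLOW_ANY_WITH_CREDENTIALS = "**"


def split_origin_list(allow_origins):
    """Set of origins in a comma-separated allow list, or None when the value
    is a single origin and there is nothing to look up."""
    if "," not in allow_origins:
        return None
    return {o.strip() for o in allow_origins.split(",") if o.strip()}


class Worker:
    """One nginx worker. `cache` stands in for a worker-local cache that is
    keyed on the plugin configuration rather than on the request (assumption)."""

    def __init__(self, fixed):
        self.fixed = fixed
        self.cache = None  # parsed allow list; set by the first request that yields one

    def allow_origin(self, conf_allow_origins, req_origin):
        """Value for Access-Control-Allow-Origin, or None for 'send no CORS headers'."""
        allow = conf_allow_origins
        if allow == ALLOW_ANY_WITH_CREDENTIALS:
            allow = req_origin or "*"  # '**' reflects whatever Origin the client sent

        if self.fixed and conf_allow_origins == ALLOW_ANY_WITH_CREDENTIALS:
            # hardened model: request-derived data never populates the per-conf
            # cache, so one client's Origin cannot change another client's answer
            return allow

        # vulnerable model: the split of `allow` is cached per configuration, so
        # the first comma-containing value wins for every later request here
        if self.cache is None:
            self.cache = split_origin_list(allow)
        if self.cache is not None:
            return req_origin if req_origin in self.cache else None
        return allow


class Gateway:
    """N workers; each request is handed to one of them (round robin, an
    assumption that keeps the model reproducible)."""

    def __init__(self, n_workers, fixed=False, allow_origins=ALLOW_ANY_WITH_CREDENTIALS):
        self.workers = [Worker(fixed) for _ in range(n_workers)]
        self.allow_origins = allow_origins
        self._next = 0

    def request(self, origin):
        worker = self.workers[self._next % len(self.workers)]
        self._next += 1
        return worker.allow_origin(self.allow_origins, origin)

    def count_ok(self, origin, n):
        """Mimic the `for i in {0..99} ... | uniq -c` loops: how many of n
        requests with this Origin get an Access-Control-Allow-Origin header."""
        return sum(1 for _ in range(n) if self.request(origin) is not None)


if __name__ == "__main__":
    poisoned = "http://a.b.c,http://b.c.d"  # constructed malicious Origin from the repro
    gw = Gateway(n_workers=4)
    print("baseline ok:", gw.count_ok("http://a.b.c", 100))
    gw.request(poisoned)  # one malicious request poisons exactly one worker
    print("after one malicious request:", gw.count_ok("http://a.b.e", 100))
    for _ in range(4):
        gw.request(poisoned)  # now every worker has seen it
    print("after poisoning every worker:", gw.count_ok("http://a.b.e", 100))
    print("listed origin still ok:", gw.count_ok("http://a.b.c", 100))
    fixed = Gateway(n_workers=4, fixed=True)
    for _ in range(8):
        fixed.request(poisoned)
    print("hardened model, other origin:", fixed.count_ok("http://a.b.e", 100))
```

With four modelled workers, one malicious request drops the success rate for an unrelated Origin to 75/100 and four more drop it to 0/100, while the two listed origins keep working, which is the same shape as the 71 ok / 29 no and then 100 no runs in the comment. Two caveats for anyone copying the reproduction config: `allow_origins: "**"` together with `allow_credential: true` reflects any Origin with credentials allowed, so it should only be used on routes that genuinely intend that; and any per-worker cache that is populated from request data needs a key that includes that data, otherwise the first client to send an odd value decides the answer for everyone behind that worker.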