spacewander commented on a change in pull request #768: URL: https://github.com/apache/apisix-website/pull/768#discussion_r754823984
########## File path: website/i18n/zh/docusaurus-plugin-content-blog/2021/11/23/cve-2021-43557-research-report.md ########## 
@@ -1,32 +1,34 @@ --- -title: "Apache APISIX Path traversal in request_uri variable(CVE-2021-43557)" +title: "关于 Apache APISIX Ingress Controller request_uri 变量不安全问题的研究报告" author: "Marcin Niemiec" authorURL: "https://github.com/xvnpw" authorImageURL: "https://avatars.githubusercontent.com/u/17719543?v=4" keywords: - Apache APISIX - CVE - Request_uri -- Security -description: Research report about Apache APISIX Path traversal in request_uri variable(CVE-2021-43557) +- 安全漏洞 +description: 在这篇文章中,将介绍我对 Apache APISIX Ingress Controller 中`$request_uri` 变量不安全使用的问题研究。 tags: [Technology] --- -> Research report about Apache APISIX Path traversal in request_uri variable(CVE-2021-43557) +> 在这篇文章中,将介绍我对 Apache APISIX Ingress Controller 中 `$request_uri` 变量不安全使用的问题研究。 <!--truncate--> -In this article I will present my research on insecure usage of `$request_uri` variable in [Apache APISIX](https://github.com/apache/apisix-ingress-controller/) ingress controller. My work end up in submit of security vulnerability, which was positively confirmed and got CVE-2021-43557\. At the end of article I will mention in short [Skipper](https://github.com/zalando/skipper) which I tested for same problem. +本文提及的 Ingress Controller 中 `$request_uri` 变量不安全使用的问题,目前该漏洞已被确认为 CVE-2021-43557。在向社区及时反馈后,目前该漏洞已第一时间被修复。同时在文章最后,我也将简要地提到我为同一问题测试的[Skipper](https://github.com/zalando/skipper)。 -> Apache APISIX is a dynamic, real-time, high-performance API gateway. APISIX provides rich traffic management features such as load balancing, dynamic upstream, canary release, circuit breaking, authentication, observability, and more. +> Apache APISIX 是一个动态的、实时的、高性能的 API 网关。Apache APISIX 提供丰富的流量管理功能,如负载平衡、动态上游、金丝雀释放、断路、认证、可观察性等。 -Why `$request_uri` ? This [variable](https://nginx.org/en/docs/http/ngx_http_core_module.html#var_request_uri) is many times used in authentication and authorization plugins. It’s **not normalized**, so giving a possibility to bypass some restrictions. +为什么是 `$request_uri`? 
-In Apache APISIX there is no typical functionality of external authentication/authorization. You can write your own plugin, but it’s quite complicated. To prove that APISIX is vulnerable to path-traversal I will use `uri-blocker` plugin. I’m suspecting that other plugins are also vulnerable but this one is easy to use. +[`$request_uri`](https://nginx.org/en/docs/http/ngx_http_core_module.html#var_request_uri)在认证和授权插件中被多次使用。因为它是**不规范的**,所以就增加了绕过一些限制的可能性。

Review comment: Translating `normalization` to “规范” is quite strange. Maybe we can keep the original word as a term.
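Review bot: the translated intro adds a remediation claim that the English source does not make: `在向社区及时反馈后,目前该漏洞已第一时间被修复` (the fix landed immediately after the report) has no counterpart in the removed line, which only says the submission "was positively confirmed and got CVE-2021-43557"; a translation of a vulnerability write-up should not add statements about fix timing the author did not write, so drop that sentence or have the author confirm it. Three smaller points in the same hunk: the new title `关于 Apache APISIX Ingress Controller request_uri 变量不安全问题的研究报告` drops "Path traversal", which is the vulnerability class the CVE is about, so readers searching for the issue will not find it; `金丝雀释放` renders "canary release" with 释放 (release as in set free) where the deployment term is 金丝雀发布; and the removed paragraph beginning `In Apache APISIX there is no typical functionality of external authentication/authorization` (the one that introduces the `uri-blocker` plugin used for the proof) has no visible translated replacement in this hunk, so please confirm it is translated further down rather than silently dropped.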
