Re: [PR] feat: make `regex-uri` able to use nginx variables for Plugin[Proxy-rewrite] [apisix]
shreemaan-abhishek commented on PR #11225: URL: https://github.com/apache/apisix/pull/11225#issuecomment-2095196878 @V1endr3 please describe your proposal first in #11224 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [I] bug: After the forward-auth verification is passed, the upstream cannot obtain the request body (payload) with 504 Timeout [apisix]
OnGoingLzy commented on issue #11200: URL: https://github.com/apache/apisix/issues/11200#issuecomment-2095122157 > Related: #11050, from the convo it looks like 3.6.0 does not have this issue. To be tested. Thanks for the reply, I'll try it in version 3.6.0
Re: [PR] Fix: Added redirection to GitHub index when no hash present [apisix-website]
SkyeYoung commented on code in PR #1789: URL: https://github.com/apache/apisix-website/pull/1789#discussion_r1590493465 ## doc/src/pages/edit.tsx: ## @@ -20,18 +22,26 @@ const Edit: FC = () => { const path = getPath(); setIsLoading(true); + +if (path === '' || !path.includes('https://github.com/apache')) { + setPathExist(false); + setIsLoading(false); + return; +} + fetch(path.replace('github.com', 'raw.githubusercontent.com').replace('/edit', '')) .then((res) => setPathExist(res.status !== 404)) .finally(() => setIsLoading(false)); }, []); const edit = useCallback(() => { -let path = getPath(); +const path = getPath(); + if (!pathExist) { - const pathArr = path.replace('edit', 'new').split('/'); - pathArr[pathArr.length - 1] = `?filename=${pathArr.at(-1)}`; - path = pathArr.join('/'); Review Comment: @siyaramaa Yes. Sorry for replying so late.
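Review bot: the `fetch(...)` chain in this hunk has no `.catch`, so a rejected request (network failure, CORS block) never reaches `setPathExist`, `pathExist` keeps whatever value it had, and the rejection is logged as unhandled; add `.catch(() => setPathExist(false))` before `.finally(...)` so a failed probe is treated like a 404. Also, `res.status !== 404` classifies every non-404 response, including a 403 or 500 from raw.githubusercontent.com, as "path exists", so a rate-limited probe would silently skip the new-file branch; `res.ok` would be the stricter test.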
Re: [PR] Fix: Added redirection to GitHub index when no hash present [apisix-website]
SkyeYoung commented on code in PR #1789: URL: https://github.com/apache/apisix-website/pull/1789#discussion_r1590493465 ## doc/src/pages/edit.tsx: ## @@ -20,18 +22,26 @@ const Edit: FC = () => { const path = getPath(); setIsLoading(true); + +if (path === '' || !path.includes('https://github.com/apache')) { + setPathExist(false); + setIsLoading(false); + return; +} + fetch(path.replace('github.com', 'raw.githubusercontent.com').replace('/edit', '')) .then((res) => setPathExist(res.status !== 404)) .finally(() => setIsLoading(false)); }, []); const edit = useCallback(() => { -let path = getPath(); +const path = getPath(); + if (!pathExist) { - const pathArr = path.replace('edit', 'new').split('/'); - pathArr[pathArr.length - 1] = `?filename=${pathArr.at(-1)}`; - path = pathArr.join('/'); Review Comment: Yes. Sorry for replying so late.
Re: [PR] Fix: Added redirection to GitHub index when no hash present [apisix-website]
SkyeYoung commented on code in PR #1789: URL: https://github.com/apache/apisix-website/pull/1789#discussion_r1590493465 ## doc/src/pages/edit.tsx: ## @@ -20,18 +22,26 @@ const Edit: FC = () => { const path = getPath(); setIsLoading(true); + +if (path === '' || !path.includes('https://github.com/apache')) { + setPathExist(false); + setIsLoading(false); + return; +} + fetch(path.replace('github.com', 'raw.githubusercontent.com').replace('/edit', '')) .then((res) => setPathExist(res.status !== 404)) .finally(() => setIsLoading(false)); }, []); const edit = useCallback(() => { -let path = getPath(); +const path = getPath(); + if (!pathExist) { - const pathArr = path.replace('edit', 'new').split('/'); - pathArr[pathArr.length - 1] = `?filename=${pathArr.at(-1)}`; - path = pathArr.join('/'); Review Comment: yes
Re: [PR] Fix: Added redirection to GitHub index when no hash present [apisix-website]
SkyeYoung commented on code in PR #1789: URL: https://github.com/apache/apisix-website/pull/1789#discussion_r1590493376 ## doc/src/pages/edit.tsx: ## @@ -20,18 +22,26 @@ const Edit: FC = () => { const path = getPath(); setIsLoading(true); + +if (path === '' || !path.includes('https://github.com/apache')) { + setPathExist(false); + setIsLoading(false); + return; +} Review Comment: I think it's okay.
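Review bot: `path.includes('https://github.com/apache')` in this hunk is a substring test, not an origin check: the string may appear anywhere in the value (for instance inside a query parameter of a URL on another host), and the value is afterwards handed to `fetch` once `github.com` has been swapped for `raw.githubusercontent.com`, a replacement that only rewrites the first occurrence. `path.startsWith('https://github.com/apache/')` (with the trailing slash, so an organisation whose name merely begins with `apache` does not match) pins both the origin and the organisation and is what the guard is meant to express.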
(apisix-website) branch master updated: docs: fix tag of cve-2024-32638.md (#1796)
This is an automated email from the ASF dual-hosted git repository. bzp2010 pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/apisix-website.git The following commit(s) were added to refs/heads/master by this push: new 26173097885 docs: fix tag of cve-2024-32638.md (#1796) 26173097885 is described below commit 261730978851752dccdea86c9636924067a7e0a0 Author: Yilia Lin <114121331+yilial...@users.noreply.github.com> AuthorDate: Mon May 6 10:25:50 2024 +0800 docs: fix tag of cve-2024-32638.md (#1796) --- blog/en/blog/2024/05/02/cve-2024-32638.md | 19 ++- blog/zh/blog/2024/05/02/cve-2024-32638.md | 15 --- 2 files changed, 18 insertions(+), 16 deletions(-) diff --git a/blog/en/blog/2024/05/02/cve-2024-32638.md b/blog/en/blog/2024/05/02/cve-2024-32638.md index 116afd76b72..6eca3c0c72f 100644 --- a/blog/en/blog/2024/05/02/cve-2024-32638.md +++ b/blog/en/blog/2024/05/02/cve-2024-32638.md 
@@ -1,31 +1,32 @@ --- -title: "Forward-Auth Plugin Request Smuggling( CVE-2024-32638 )" +title: "HTTP Request Smuggling in forward-auth Plugin (CVE-2024-32638)" keywords: - Vulnerability - forward-auth - Smuggling -description: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using `forward-auth` plugin. -tags: [Security] +description: Enabling the `forward-auth` plugin allows Apache APISIX to trigger illegal requests (HTTP Request Smuggling), resulting in a security vulnerability. +tags: [Vulnerabilities] +image: https://static.apiseven.com/uploads/2024/05/06/Wq940JRt_CVE-2024-32638.png --- -> In APISIX 3.8.0, 3.9.0, there is a problem of HTTP Request Smuggling caused by the `forward-auth` plugin. +> For APISIX versions 3.8.0 and 3.9.0, enabling the forward-auth plugin allows APISIX to trigger illegal requests (HTTP Request Smuggling). ## Problem Description -Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using `forward-auth` plugin. +Enabling the `forward-auth` plugin allows Apache APISIX to trigger illegal requests (HTTP Request Smuggling), resulting in a security vulnerability. ## Affected Versions -This issue affects Apache APISIX: from 3.8.0, 3.9.0 . +This issue affects Apache APISIX versions: 3.8.0 and 3.9.0. ## Solution -If you are using version 3.8.0, 3.9.0, highly recommended to upgrade to version 3.8.1, 3.9.1 or higher, which fixes the issue. +For Apache APISIX users using versions 3.8.0 and 3.9.0, it is recommended to upgrade to versions 3.8.1, 3.9.1, or higher, in which the issue is fixed. ## Vulnerability details -Severity:low +Severity: Low Vulnerability public date: May 2, 2024 
@@ -33,4 +34,4 @@ CVE details: https://nvd.nist.gov/vuln/detail/CVE-2024-32638 ## Contributor Profile -Discovered and reported by Brandon Arp and Bruno Green of Topsort. Thank you for your contribution to the Apache APISIX community. +This vulnerability was discovered and reported by Brandon Arp and Bruno Green from Topsort. Thank you for your contribution to the Apache APISIX community. diff --git a/blog/zh/blog/2024/05/02/cve-2024-32638.md b/blog/zh/blog/2024/05/02/cve-2024-32638.md index f9c746832d5..66bfe5becbd 100644 --- a/blog/zh/blog/2024/05/02/cve-2024-32638.md +++ b/blog/zh/blog/2024/05/02/cve-2024-32638.md @@ -1,23 +1,24 @@ --- -title: "Forward-Auth 插件能够发出非法 Smuggling 请求 ( CVE-2024-32638 )" +title: "Forward-Auth 插件能够发出非法 Smuggling 请求 (CVE-2024-32638)" keywords: - 安全漏洞 - forward-auth - Smuggling -description: 使用 “forward-auth” 插件时,Apache APISIX 能够发出 HTTP 非法请求(“HTTP Request Smuggling”)导致安全漏洞 -tags: [Security] +description: 使用 `forward-auth` 插件时,Apache APISIX 能够发出 HTTP 非法请求(HTTP Request Smuggling)导致安全漏洞 +tags: [Vulnerabilities] +image: https://static.apiseven.com/uploads/2024/05/06/Wq940JRt_CVE-2024-32638.png --- -> 对于 APISIX 3.8.0, 3.9.0 版本,启用 “forward-auth” 插件时,APISIX 能够发出非法请求(HTTP Request Smuggling)。 +> 对于 APISIX 3.8.0, 3.9.0 版本,启用 `forward-auth` 插件时,APISIX 能够发出非法请求(HTTP Request Smuggling)。 ## 问题描述 -启用 “forward-auth” 插件时,APISIX 能够发出非法请求(HTTP Request Smuggling)导致安全漏洞。 +启用 `forward-auth` 插件时,APISIX 能够发出非法请求(HTTP Request Smuggling)导致安全漏洞。 ## 影响版本 -该风险会影响 Apache APISIX `3.8.0` 和 `3.9.0` 两版本。 +该风险会影响 Apache APISIX `3.8.0` 和 `3.9.0` 两个版本。 ## 解决方案 @@ -33,4 +34,4 @@ CVE 详细信息:https://nvd.nist.gov/vuln/detail/CVE-2024-32638 ## 贡献者简介 -该漏洞有来自 Topsort 公司的 Brandon Arp 和 Bruno Green 发现并报告。感谢各位对 Apache APISIX 社区的贡献。 +该漏洞由来自 Topsort 公司的 Brandon Arp 和 Bruno Green 发现并报告。感谢各位对 Apache APISIX 社区的贡献。
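Review bot: the rewritten `description` and `## Problem Description` lines in the English hunk drop the precise phrase "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", which is the standard CWE name for this weakness class (CWE-444) and matches the linked NVD entry, in favour of "allows Apache APISIX to trigger illegal requests", which does not say what is inconsistent about the requests; keep the original phrase, or at least the CWE name, in the description so readers and tooling can map the advisory to the weakness. The `tags: [Security]` to `tags: [Vulnerabilities]` change is the fix the commit title names, and the remaining edits in both files (`Severity: Low`, `该漏洞由`, `两个版本`) are plain wording and typo corrections that look right.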
Re: [PR] docs: fix tag of cve-2024-32638.md [apisix-website]
bzp2010 merged PR #1796: URL: https://github.com/apache/apisix-website/pull/1796
Re: [I] bug: apisix can not build connection with go-runner plugin on mac [apisix]
swallretu commented on issue #11170: URL: https://github.com/apache/apisix/issues/11170#issuecomment-2095082126 After checking some docs, this issue cannot be fixed on Mac when starting apisix in docker. That's because of the docker and Mac network settings.
Re: [I] help request: apisix pod cpu is full,but There's no obvious reason [apisix]
yydance closed issue #11154: help request: apisix pod cpu is full,but There's no obvious reason URL: https://github.com/apache/apisix/issues/11154
Re: [I] bug: apisix can not build connection with go-runner plugin on mac [apisix]
swallretu closed issue #11170: bug: apisix can not build connection with go-runner plugin on mac URL: https://github.com/apache/apisix/issues/11170
Re: [PR] docs: fix tag of cve-2024-32638.md [apisix-website]
membphis commented on code in PR #1796: URL: https://github.com/apache/apisix-website/pull/1796#discussion_r1590479433 ## blog/en/blog/2024/05/02/cve-2024-32638.md: ## @@ -1,36 +1,37 @@ --- -title: "Forward-Auth Plugin Request Smuggling( CVE-2024-32638 )" +title: "HTTP Request Smuggling in forward-auth Plugin (CVE-2024-32638)" keywords: - Vulnerability - forward-auth - Smuggling -description: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using `forward-auth` plugin. -tags: [Security] +description: Enabling the `forward-auth` plugin allows Apache APISIX to trigger illegal requests (HTTP Request Smuggling), resulting in a security vulnerability. +tags: [Vulnerabilities] +image: https://static.apiseven.com/uploads/2024/05/06/Wq940JRt_CVE-2024-32638.png --- -> In APISIX 3.8.0, 3.9.0, there is a problem of HTTP Request Smuggling caused by the `forward-auth` plugin. +> For APISIX versions 3.8.0 and 3.9.0, enabling the forward-auth plugin allows APISIX to trigger illegal requests (HTTP Request Smuggling). ## Problem Description -Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using `forward-auth` plugin. +Enabling the `forward-auth` plugin allows Apache APISIX to trigger illegal requests (HTTP Request Smuggling), resulting in a security vulnerability. ## Affected Versions -This issue affects Apache APISIX: from 3.8.0, 3.9.0 . +This risk affects Apache APISIX versions: 3.8.0 and 3.9.0. Review Comment: I think `issue` or `vulnerability` is acceptable here
[PR] docs: fix tag of cve-2024-32638.md [apisix-website]
Yilialinn opened a new pull request, #1796: URL: https://github.com/apache/apisix-website/pull/1796 Fixes: #[Add issue number here] Changes: Screenshots of the change:
Re: [I] docs: Is there any plan for Chinese documentation? [apisix-ingress-controller]
github-actions[bot] commented on issue #2116: URL: https://github.com/apache/apisix-ingress-controller/issues/2116#issuecomment-2095049655 This issue has been marked as stale due to 90 days of inactivity. It will be closed in 30 days if no further activity occurs. If this issue is still relevant, please simply write any comment. Even if closed, you can still revive the issue at any time or discuss it on the d...@apisix.apache.org list. Thank you for your contributions.
(apisix-website) branch master updated: docs: add CVE-2024-32638 post (#1795)
This is an automated email from the ASF dual-hosted git repository. membphis pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/apisix-website.git The following commit(s) were added to refs/heads/master by this push: new f8d090ce58b docs: add CVE-2024-32638 post (#1795) f8d090ce58b is described below commit f8d090ce58b1557e3922444623557f3f7e71c8ac Author: YuanSheng Wang AuthorDate: Mon May 6 09:07:58 2024 +0800 docs: add CVE-2024-32638 post (#1795) --- blog/en/blog/2024/05/02/cve-2024-32638.md | 36 +++ blog/zh/blog/2024/05/02/cve-2024-32638.md | 36 +++ 2 files changed, 72 insertions(+) diff --git a/blog/en/blog/2024/05/02/cve-2024-32638.md b/blog/en/blog/2024/05/02/cve-2024-32638.md new file mode 100644 index 000..116afd76b72 --- /dev/null +++ b/blog/en/blog/2024/05/02/cve-2024-32638.md @@ -0,0 +1,36 @@ +--- +title: "Forward-Auth Plugin Request Smuggling( CVE-2024-32638 )" +keywords: +- Vulnerability +- forward-auth +- Smuggling +description: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using `forward-auth` plugin. +tags: [Security] +--- + +> In APISIX 3.8.0, 3.9.0, there is a problem of HTTP Request Smuggling caused by the `forward-auth` plugin. + + +## Problem Description + +Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using `forward-auth` plugin. + +## Affected Versions + +This issue affects Apache APISIX: from 3.8.0, 3.9.0 . + +## Solution + +If you are using version 3.8.0, 3.9.0, highly recommended to upgrade to version 3.8.1, 3.9.1 or higher, which fixes the issue. + +## Vulnerability details + +Severity:low + +Vulnerability public date: May 2, 2024 + +CVE details: https://nvd.nist.gov/vuln/detail/CVE-2024-32638 + +## Contributor Profile + +Discovered and reported by Brandon Arp and Bruno Green of Topsort. Thank you for your contribution to the Apache APISIX community. 
diff --git a/blog/zh/blog/2024/05/02/cve-2024-32638.md b/blog/zh/blog/2024/05/02/cve-2024-32638.md new file mode 100644 index 000..f9c746832d5 --- /dev/null +++ b/blog/zh/blog/2024/05/02/cve-2024-32638.md @@ -0,0 +1,36 @@ +--- +title: "Forward-Auth 插件能够发出非法 Smuggling 请求 ( CVE-2024-32638 )" +keywords: +- 安全漏洞 +- forward-auth +- Smuggling +description: 使用 “forward-auth” 插件时,Apache APISIX 能够发出 HTTP 非法请求(“HTTP Request Smuggling”)导致安全漏洞 +tags: [Security] +--- + +> 对于 APISIX 3.8.0, 3.9.0 版本,启用 “forward-auth” 插件时,APISIX 能够发出非法请求(HTTP Request Smuggling)。 + + +## 问题描述 + +启用 “forward-auth” 插件时,APISIX 能够发出非法请求(HTTP Request Smuggling)导致安全漏洞。 + +## 影响版本 + +该风险会影响 Apache APISIX `3.8.0` 和 `3.9.0` 两版本。 + +## 解决方案 + +对于正在使用 3.8.0,3.9.0 的 Apache APISIX 用户,推荐升级到 3.8.1,3.9.1 或更高版本。 + +## 漏洞详情 + +漏洞优先级:低 + +漏洞公开时间:2024 年 5 月 2 日 + +CVE 详细信息:https://nvd.nist.gov/vuln/detail/CVE-2024-32638 + +## 贡献者简介 + +该漏洞有来自 Topsort 公司的 Brandon Arp 和 Bruno Green 发现并报告。感谢各位对 Apache APISIX 社区的贡献。
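Review bot: the Chinese contributor line `该漏洞有来自 Topsort 公司的 Brandon Arp 和 Bruno Green 发现并报告` has a typo, `有` where the passive marker `由` is needed for "discovered and reported by", and `两版本` in the affected-versions line should be `两个版本`; in the English file, `Severity:low` lacks a space after the colon, and `from 3.8.0, 3.9.0 .` has a stray space before the period and a misleading "from" (the Solution section says only the two listed versions are affected). Since this is the public advisory text, these are worth fixing before it is published.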
Re: [PR] docs: add CVE-2024-32638 post [apisix-website]
membphis merged PR #1795: URL: https://github.com/apache/apisix-website/pull/1795