
auth-url does not accept url query encoded characters #12881

Open
Maescool opened this issue Feb 21, 2025 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-priority triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@Maescool

What happened: when adding URL query-encoded parameters, like %2C (,) or %40 (@), for example:
nginx.ingress.kubernetes.io/auth-url: https://auth.example.com/oauth2/auth?allowed_emails=example%40example.com%2Cmoo%40example.com

What you expected to happen:
This to be accepted, as it was 2 years ago.

The validator was added without covering all edge cases (as I see fixes to add ',' and '@').

NGINX Ingress controller version (exec into the pod and run /nginx-ingress-controller --version):

NGINX Ingress controller
Release: v1.12.0
Build: ba73b2c
Repository: https://github.com/kubernetes/ingress-nginx
nginx version: nginx/1.25.5

Kubernetes version (use kubectl version):
Client Version: v1.31.5+rke2r1
Kustomize Version: v5.4.2
Server Version: v1.31.5+rke2r1

Environment:

  • Cloud provider or hardware configuration: hetzner ax52

  • OS (e.g. from /etc/os-release): ubuntu 24.04

  • Kernel (e.g. uname -a): Linux access 6.8.0-52-generic #55-Ubuntu SMP PREEMPT_DYNAMIC Fri Jan 17 15:37:52 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

  • Install tools:

    • RKE2
  • Basic cluster related info:

    • kubectl version
      Client Version: v1.31.5+rke2r1
      Kustomize Version: v5.4.2
      Server Version: v1.31.5+rke2r1

    • kubectl get nodes -o wide
      3 control plane nodes, 5 workers

  • How was the ingress-nginx-controller installed:

    • If helm was used then please show output of helm ls -A | grep -i ingress
      nginx-ingress-internal nginx-internal 1 2025-02-18 03:54:38.030077783 +0000 UTC deployed ingress-nginx-4.12.0 1.12.0

    • If helm was used then please show output of helm -n <ingresscontrollernamespace> get values <helmreleasename>

    • If helm was not used, then copy/paste the complete precise command used to install the controller, along with the flags and options used

    • if you have more than one instance of the ingress-nginx-controller installed in the same cluster, please provide details for all the instances

  • Current State of the controller:

    • kubectl describe ingressclasses
    • kubectl -n <ingresscontrollernamespace> get all -A -o wide
    • kubectl -n <ingresscontrollernamespace> describe po <ingresscontrollerpodname>
    • kubectl -n <ingresscontrollernamespace> describe svc <ingresscontrollerservicename>
  • Current state of ingress object, if applicable:

    • kubectl -n <appnamespace> get all,ing -o wide
    • kubectl -n <appnamespace> describe ing <ingressname>
    • If applicable, then, your complete and exact curl/grpcurl command (redacted if required) and the response to the curl/grpcurl command with the -v flag
  • Others:

    • Any other related information like:
      • copy/paste of the snippet (if applicable)
      • kubectl describe ... of any custom configmap(s) created and in use
      • Any other related information that may help

How to reproduce this issue:

# Quoted heredoc: a double-quoted echo would let the shell expand $http_host and
# $escaped_request_uri to empty strings before kubectl ever sees the annotation.
cat <<'EOF' | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: foo-bar
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-signin: https://auth.example.com/oauth2/start?rd=https%3A%2F%2F$http_host$escaped_request_uri
    nginx.ingress.kubernetes.io/auth-url: https://auth.example.com/oauth2/auth?allowed_emails=example%40example.com%2Cmoo%40example.com
spec:
  ingressClassName: nginx # omit this if you're on controller version below 1.0.0
  rules:
  - host: foo.bar
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: http-svc
            port:
              number: 80
EOF

Anything else we need to know:

This bug is additional to #12626 and #11739

@Maescool Maescool added the kind/bug Categorizes issue or PR as related to a bug. label Feb 21, 2025
@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority labels Feb 21, 2025
@longwuyuan
Contributor

I think there is a catch-22 situation where not allowing these cases breaks functionality and allowing the chars opens up the possibilities of misuse and an insecure controller.

Please wait for comments from others.

@Gacko @strongjz

/triage accepted

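One way to work through the catch-22 raised above, as an added example that is not ingress-nginx's own validator: a Go check that accepts the percent-encoded auth-url value from this issue (and the nginx variables in the auth-signin value) while still rejecting characters that could terminate or reshape a generated nginx directive. The permitted character set and the rejection of userinfo and fragments are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
)

// safeRE is the set this example permits in the path and raw query of an
// auth-url: RFC 3986 unreserved characters, "," "@" ":" "/" "?" and most other
// sub-delims, plus %XX triplets such as %2C or %40. ";", quotes, "#", "\",
// braces and whitespace are deliberately excluded because they can break a
// generated nginx directive. Assumed policy, not the ingress-nginx validator.
var safeRE = regexp.MustCompile(`^(?:[A-Za-z0-9\-._~!$&()*+,=:@/?]|%[0-9A-Fa-f]{2})*$`)

// ValidateAuthURL returns nil for an absolute http(s) URL with a host whose
// path and query match safeRE, and a descriptive error otherwise. nginx
// variables such as $http_host pass because "$" and "_" are in the set.
func ValidateAuthURL(raw string) error {
	for i, r := range raw { // controls, space, DEL and "#" anywhere, host included
		if r < 0x21 || r == 0x7f || r == '#' {
			return fmt.Errorf("control, whitespace or '#' character at offset %d", i)
		}
	}
	u, err := url.Parse(raw) // "" parses to an empty scheme and fails below
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q is not http or https", u.Scheme)
	}
	if u.Hostname() == "" || u.User != nil {
		return errors.New("auth-url must have a host and no userinfo")
	}
	if !safeRE.MatchString(u.EscapedPath()) { // EscapedPath keeps %XX intact
		return fmt.Errorf("path %q contains a disallowed character", u.EscapedPath())
	}
	if !safeRE.MatchString(u.RawQuery) {
		return fmt.Errorf("query %q contains a disallowed character", u.RawQuery)
	}
	return nil
}

func main() { // constructed sample values: the issue's URL, then a rejected one
	for _, v := range []string{"https://auth.example.com/oauth2/auth?allowed_emails=example%40example.com%2Cmoo%40example.com", "https://auth.example.com/oauth2/auth?x=1;y=2"} {
		fmt.Printf("%s -> %v\n", v, ValidateAuthURL(v))
	}
}
```
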
@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Feb 22, 2025
@frittentheke

This also seems similar to #12822, which is about URL validation not following the RFCs on what syntax is allowed.

@Maescool
Author

Maescool commented Mar 1, 2025

Additionally, I had to update the auth-signin URL and remove the https%3A%2F%2F$http_host for it to work, which now breaks the auth flow with a 404 on the auth proxy instead of properly redirecting back to the app.
