From 9e21048c4bb743a8bb6e1396be2ff7d8a2d46115 Mon Sep 17 00:00:00 2001
From: James Blair
Date: Mon, 27 Nov 2023 21:48:50 +1300
Subject: [PATCH] Backport server: Don't follow redirects when checking peer urls.

It's possible that etcd server may run into SSRF situation when adding a new member. If users provide a malicious peer URL, the existing etcd members may be redirected to other unexpected internal URL when getting the new member's version.

Signed-off-by: James Blair
---
 server/etcdserver/cluster_util.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/server/etcdserver/cluster_util.go b/server/etcdserver/cluster_util.go
index 595586e2012..97b2eb8f3db 100644
--- a/server/etcdserver/cluster_util.go
+++ b/server/etcdserver/cluster_util.go
@@ -275,6 +275,9 @@ func isCompatibleWithVers(lg *zap.Logger, vers map[string]*version.Versions, loc
 func getVersion(lg *zap.Logger, m *membership.Member, rt http.RoundTripper) (*version.Versions, error) {
 cc := &http.Client{
 Transport: rt,
+ CheckRedirect: func(req *http.Request, via []*http.Request) error {
+ return http.ErrUseLastResponse
+ },
 }
 var (
 err error
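Review bot: With `http.ErrUseLastResponse` the client hands the 3xx reply back to getVersion as a successful response rather than an error, so unless the rest of the function (its body continues past this hunk) rejects non-200 status codes, a redirect answer from a peer is read as if it were a version document and surfaces only as a decode failure. Consider checking the status code right after the request and returning a clear error naming the peer address when it is not 200, so a refused redirect is distinguishable in logs from a genuinely malformed version payload. The CheckRedirect hook also deserves a why-comment, since a reader of this file will not know the SSRF motivation from the commit alone: `// Never follow redirects: the peer URL comes from a member-add request and must not be allowed to steer this node to another host.` If other peer-probing helpers in this package build their own http.Client, they presumably need the same CheckRedirect setting; worth confirming the backport covers them.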