Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

auto-config: relax node name validation for JWT authorization #15370

Merged
merged 2 commits into from
Nov 15, 2022
Merged

auto-config: relax node name validation for JWT authorization #15370

merged 2 commits into from
Nov 15, 2022

Conversation

kyhavlov
Copy link
Contributor

@kyhavlov kyhavlov commented Nov 14, 2022
edited
Loading

This changes the JWT authorization logic to allow all non-whitespace, non-quote characters when validating node names. Consul had previously allowed these characters in node names, until this validation was added to fix a security vulnerability with whitespace/quotes being passed to the bexpr library. This unintentionally broke node names with characters like . which aren't related to this vulnerability. This PR also adds a warning on agent startup if an invalid character is present in the node name (at some point we can consider changing this to a hard error).

@kyhavlov kyhavlov requested a review from a team as a code owner November 14, 2022 23:04
@github-actions github-actions bot added theme/config Relating to Consul Agent configuration, including reloading type/docs Documentation needs to be created/updated/clarified labels Nov 14, 2022
@kyhavlov kyhavlov force-pushed the auto-config-node-validation branch from 49080ea to e9ad458 Compare November 14, 2022 23:07
trujillo-adam
trujillo-adam reviewed Nov 14, 2022
View reviewed changes
Copy link
Contributor

@trujillo-adam trujillo-adam left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few nits for the docs.

website/content/docs/agent/config/cli-flags.mdx Outdated Show resolved Hide resolved
trujillo-adam
trujillo-adam approved these changes Nov 14, 2022
View reviewed changes
Copy link
Contributor

@trujillo-adam trujillo-adam left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Docs look good!

kyhavlov and others added 2 commits November 14, 2022 16:08
@kyhavlov
auto-config: relax node name validation for JWT authorization
bb94711 
This changes the JWT authorization logic to allow all non-whitespace,
non-quote characters when validating node names. Consul had previously
allowed these characters in node names, until this validation was added
to fix a security vulnerability with whitespace/quotes being passed to
the `bexpr` library. This unintentionally broke node names with
characters like `.` which aren't related to this vulnerability.
@kyhavlov @trujillo-adam
Update website/content/docs/agent/config/cli-flags.mdx
b1ea94c 
Co-authored-by: trujillo-adam <[email protected]>
@kyhavlov kyhavlov force-pushed the auto-config-node-validation branch from 099c2e4 to b1ea94c Compare November 15, 2022 00:08
@hashi-derek hashi-derek merged commit f4c3e54 into main Nov 15, 2022
@hashi-derek hashi-derek deleted the auto-config-node-validation branch November 15, 2022 00:24
This was referenced Nov 15, 2022
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hashi-derek hashi-derek hashi-derek approved these changes

@trujillo-adam trujillo-adam trujillo-adam approved these changes

Assignees
No one assigned
Labels
theme/config Relating to Consul Agent configuration, including reloading type/docs Documentation needs to be created/updated/clarified
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@kyhavlov @trujillo-adam @hashi-derek