custom-error-pages: Add an ability to disable "/metrics", "/healthz" and "/debug/vars" endpoints #9152
Comments
ucinskij
added
the
kind/feature
k8s-ci-robot
added
needs-triage
ucinskij
changed the title
|
@rikatz seems like one reason to focus on this, like you had suggested. Will do as per your advise |
|
/triage accepted |
k8s-ci-robot
added
triage/accepted
|
FYI I've just had this bug raised from a OpenBugBounty. None of the things exposed are overly sensitive here, but this does leave an operator unexpectedly exposed to any CVE related to these endpoints. They are exposed publicly and reachable from the internet as soon as someone uses the custom-error-pages container. |
|
Defaults should definitely prevent these from being reachable by the internet. Scrapeable by internal services by default, sure - but never exposed to the internet by default. |
|
Hi @strongjz, |
|
You can use my fork https://github.com/Hexcles/nginx-errors
…---
Sent from my cellphone.
On Thu, Feb 9, 2023, 02:37 ucinskij ***@***.***> wrote:
Hi @strongjz <https://github.com/strongjz>,
I don't intend to put any pressure here but perhaps you know when we could
expect this to be done? Unfortunately internal security scans within the
company reqiure an action on this from our side, the security team simply
complains too much about this.
—
Reply to this email directly, view it on GitHub
<#9152 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAK6ZDC2ZML7BVB4WTOOPNLWWSNDJANCNFSM6AAAAAAREBT76I>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
@ucinskij We are trying to find the best tool/practice to make sure things are getting addressed. Currently we are using the project board here to track our work and what needs to be worked on next or who is asking for feature/PR review. https://github.com/orgs/kubernetes/projects/104 All new issues get added to the board but I have not added older ones. I will add this one to the board. Another good way to keep this in our attention is to join the community meetings as well. We discuss issues, prs and open items like this to prioritize. right now we have several CVE's we are trying to remediate and get updates out for ingress-nginx, then we can look to implementing features like this. If you are interested in taking the time and implementing it, we can discuss that 1x1. Thank you, |
|
Any update on this ? |
|
I would like to work on this issue if that's OK |
The custom-error-pages backend does it job pretty well, however during a security scan it was detected that it exposes three endpoints:
/metrics/healthz/debug/vars/metricsand/healthzare implemented byingress-nginx/images/custom-error-pages/rootfs/main.go
Line 78 in 499dbf5
/debug/varsat a first sight seems to be coming withgithub.com/prometheus/client_golangwhich includesexpvar: https://pkg.go.dev/expvarEspecially the first and last ones expose information that might be considered as 'sensitive' by some organizations. Hence why I would like to ask for a feature toggle that would allow to disable those endpoints. It is to be considered if those should be exposed by default or not.
The text was updated successfully, but these errors were encountered: