Description
Issue description
After implementing the annotation k8s.apisix.apache.org/http-allow-methods and k8s.apisix.apache.org/http-block-method, the affected Apisix Route has a plugin configuration as follows:
    "response-rewrite": {
      "body_base64": false,
      "status_code": 405,
      "vars": [
        [
          "request_method",
          "!",
          "in",
          [
            "GET",
            "POST",
            "PUT",
            "PATCH",
            "HEAD"
          ]
        ]
      ]
    }
The plugin is response-rewrite. This plugin just overwrites the response from the Upstream, meaning that any DELETE will succeed, and Apisix will just overwrite the HTTP status to a 405.
Can the request-validation plugin be used instead?
Related issue
Environment
- your apisix-ingress-controller version (output of apisix-ingress-controller version --long):
/ingress-apisix # /ingress-apisix/apisix-ingress-controller version --long
Version: 1.6.0
Git SHA: no-git-module
Go Version: go1.19.4
Building OS/Arch: linux/amd64
Running OS/Arch: linux/amd64
- your Kubernetes cluster version (output of kubectl version):
Client Version: v1.25.4
Kustomize Version: v4.5.7
Server Version: v1.21.14-gke.3000
- if you run apisix-ingress-controller in Bare-metal environment, also show your OS version (uname -a):
Minimal test code / Steps to reproduce
- Create an ingress using Allow http methods annotations
- Attempt to use an HTTP method that isn't whitelisted
Actual result
curl -I -X DELETE https://my-domain.io/my-service/1
HTTP/2 405
date: Thu, 19 Jan 2023 19:11:55 GMT
content-type: application/vnd.schemaregistry.v1+json
content-length: 4
Error log
curl -I -X DELETE https://my-domain.io/my-service/1
{"error_code":40404,"message":"Subject 1 was soft deleted.Set permanent=true to delete permanently"}
Expected result
The https://my-domain.io/my-service/1 should be present since it is not possible to DELETE
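
The difference the report describes, between rewriting the status after the upstream has run and rejecting the request before it is forwarded, can be reproduced with a small Go model. This is an added example, not code from the issue or from APISIX; `store`, `gateway` and `try` are hypothetical names, and the upstream is a constructed stand-in for a stateful service.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed allow-list: the same methods as the "vars" expression in the issue.
var allowed = map[string]bool{"GET": true, "POST": true, "PUT": true, "PATCH": true, "HEAD": true}

// store is a toy stateful upstream (hypothetical): DELETE removes the subject.
type store struct{ present bool }

func (s *store) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method == http.MethodDelete {
		s.present = false
	}
	w.WriteHeader(http.StatusOK)
}

// gateway enforces the allow-list either before calling the upstream
// (request phase) or only on the way back (response phase, as reported above).
func gateway(up http.Handler, requestPhase bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if allowed[r.Method] {
			up.ServeHTTP(w, r)
			return
		}
		if !requestPhase {
			up.ServeHTTP(httptest.NewRecorder(), r) // upstream runs; its reply is discarded
		}
		w.WriteHeader(http.StatusMethodNotAllowed)
	})
}

// try sends one request through the gateway and returns the status the
// client sees and whether the subject still exists on the upstream.
func try(requestPhase bool, method string) (int, bool) {
	s := &store{present: true}
	rec := httptest.NewRecorder()
	gateway(s, requestPhase).ServeHTTP(rec, httptest.NewRequest(method, "/my-service/1", nil))
	return rec.Code, s.present
}

func main() {
	fmt.Println(try(false, "DELETE")) // response-phase enforcement
	fmt.Println(try(true, "DELETE"))  // request-phase enforcement
}
```

Both modes return 405 to the client, so the status code alone cannot tell them apart; a regression test for this issue has to check the upstream's state after the blocked request.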