Watcher: Add URL whitelist #29937
spinscale added a commit to spinscale/elasticsearch that referenced this issue on Dec 19, 2018:
This adds a configurable whitelist to the HTTP client in watcher. By default it allows everything it does not, but there is a dynamically configurable setting named "xpack.http.hosts.whitelist" that allows configuring an array of hosts, which can also contain simple regexes.

TODO:
- Should we match against a host list or really against URLs? Right now you cannot filter http vs https which might be quite the feature
- fix the code TODO and cast properly
- Is a blacklist needed on top of a whitelist?
- Should we block certain things by default as mentioned in the issue?

Closes elastic#29937
spinscale added a commit to spinscale/elasticsearch that referenced this issue on Dec 19, 2018:
This adds a configurable whitelist to the HTTP client in watcher. By default it allows everything it does not, but there is a dynamically configurable setting named "xpack.http.hosts.whitelist" that allows configuring an array of hosts, which can also contain simple regexes.

TODO:
- Should we match against a host list or really against URLs? Right now you cannot filter http vs https which might be quite the feature
- fix the code TODO and cast properly
- Is a blacklist needed on top of a whitelist?
- Should we block certain things by default as mentioned in the issue?

Closes elastic#29937
spinscale added a commit that referenced this issue on Jan 11, 2019:
This adds a configurable whitelist to the HTTP client in watcher. By default every URL is allowed to retain BWC. A dynamically configurable setting named "xpack.http.whitelist" was added that allows configuring an array of URLs, which can also contain simple regexes.

Closes #29937
Original comment by @clintongormley:
Watcher can perform searches as the watch user then post the results to any http endpoint. We should tighten up the security here by adding a URL whitelist.
A blacklist that overwrites a whitelist might be a good idea on top of that. On top of that we have to make sure that redirects are handled properly. Those lists might just be regular expressions that match the URLs.
Ideally those settings should be dynamically updateable.
SSRF might also be an issue (which makes sense to block localhost and 169.254.*).
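The design sketched in the comment above (a URL whitelist, a blacklist that overrides it, every redirect hop re-checked, and loopback/link-local targets such as 169.254.* rejected) as an added, runnable illustration. This is example code written for this page, not Elasticsearch's or Watcher's implementation, and it makes assumptions the issue leaves open: list entries are matched against the full URL as glob-like patterns where `*` matches any run of characters (the real setting's "simple regexes" may behave differently), the `block_local_targets` switch is off by default to mirror the commit's "every URL is allowed to retain BWC", and redirects are simulated with a constructed `url -> Location` table instead of a real HTTP client.

```python
"""Illustrative URL whitelist/blacklist policy for an outbound HTTP client.

Example code for this page, not the project's own. Assumptions: entries are
'*'-wildcard patterns matched against the whole URL; a blacklist hit wins over
the whitelist; every redirect hop is re-checked; an optional switch rejects
localhost, loopback and link-local (169.254.0.0/16, fe80::/10) targets.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlsplit


def compile_patterns(patterns: Iterable[str]) -> List["re.Pattern"]:
    """Turn '*'-wildcard entries into regexes anchored over the full URL."""
    return [
        re.compile("^" + ".*".join(re.escape(part) for part in p.split("*")) + "$")
        for p in patterns
    ]


def is_local_target(host: str) -> bool:
    """True for localhost names and loopback / link-local literal addresses."""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)  # urlsplit() already strips IPv6 brackets
    except ValueError:
        return False  # a DNS name; resolution-time checks are out of scope here
    return ip.is_loopback or ip.is_link_local


class UrlPolicy:
    def __init__(self, whitelist=("*",), blacklist=(), block_local_targets=False):
        # "*" as the default whitelist keeps the backwards-compatible "allow all".
        self.whitelist = compile_patterns(whitelist)
        self.blacklist = compile_patterns(blacklist)
        self.block_local_targets = block_local_targets

    def check(self, url: str) -> Tuple[bool, str]:
        """Return (allowed, reason) for a single absolute URL."""
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            return False, "unsupported scheme"
        host = parts.hostname  # lower-cased, brackets removed
        if not host:
            return False, "missing host"
        if self.block_local_targets and is_local_target(host):
            return False, "local target"
        if any(p.match(url) for p in self.blacklist):
            return False, "blacklisted"  # blacklist overrides whitelist
        if not any(p.match(url) for p in self.whitelist):
            return False, "not whitelisted"
        return True, "allowed"


def follow_redirects(policy: UrlPolicy, start_url: str,
                     redirects: Dict[str, str], max_hops: int = 5):
    """Walk a simulated redirect chain, applying the policy at every hop.

    `redirects` maps a URL to the Location it would redirect to (constructed
    stand-in for real responses). Returns (allowed, chain, reason).
    """
    chain = [start_url]
    url = start_url
    for _ in range(max_hops + 1):
        ok, reason = policy.check(url)
        if not ok:
            return False, chain, reason
        nxt = redirects.get(url)
        if nxt is None:
            return True, chain, "allowed"
        url = nxt
        chain.append(url)
    return False, chain, "too many redirects"


if __name__ == "__main__":
    policy = UrlPolicy(
        whitelist=["https://hooks.example.com/*"],
        blacklist=["https://hooks.example.com/admin/*"],
        block_local_targets=True,
    )
    # Constructed redirect table: the whitelisted hook bounces to a metadata endpoint.
    bounce = {"https://hooks.example.com/notify": "http://169.254.169.254/latest/meta-data/"}
    print(policy.check("https://hooks.example.com/notify"))
    print(follow_redirects(policy, "https://hooks.example.com/notify", bounce))
```

The ordering inside `check` is deliberate: the local-target test runs before the pattern lists, so a whitelist of `*` does not reopen loopback or link-local addresses once the switch is on, and the blacklist is consulted before the whitelist so that a narrower deny entry always beats a broader allow entry.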