Watcher: Add URL whitelist #29937

Closed
elasticmachine opened this issue May 9, 2017 · 0 comments · Fixed by #36817

Comments

@elasticmachine (Collaborator)

Original comment by @clintongormley:

Watcher can perform searches as the watch user then post the results to any http endpoint. We should tighten up the security here by adding a URL whitelist.

A blacklist that overwrites a whitelist might be a good idea on top of that. On top of that we have to make sure that redirects are handled properly. Those lists might just be regular expressions that match the URLs.

Ideally those settings should be dynamically updateable.

SSRF might also be an issue (so it would make sense to block localhost and 169.254.*).

spinscale added a commit to spinscale/elasticsearch that referenced this issue Dec 19, 2018
This adds a configurable whitelist to the HTTP client in watcher. By
default it allows everything is does not, but there is a dynamically
configurable setting named "xpack.http.hosts.whitelist" that allows to
configure an array of hosts, which can also contain simple regexes.

TODO:
- Should we match against a host list or really against URLs? Right now
you cannot filter http vs https which might be quite the feature
- fix the code TODO and cast properly
- Is a blacklist needed on top of a whitelist?
- Should we block certain things by default as mentioned in the issue?

Closes elastic#29937
spinscale added a commit that referenced this issue Jan 11, 2019
This adds a configurable whitelist to the HTTP client in watcher. By
default every URL is allowed to retain BWC. A dynamically configurable
setting named "xpack.http.whitelist" was added that allows to
configure an array of URLs, which can also contain simple regexes.

Closes #29937
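The controls discussed in the original comment (URL whitelist, a blacklist that overrides it, redirect handling, blocking localhost and 169.254.*) and the wildcard-style URL list the merged commit describes can be illustrated with a small policy checker. The following is an added example and not Watcher's own code; the pattern syntax (a `*` wildcard matched against the full URL), the "empty whitelist allows everything" default and the sample policy values are assumptions made for the illustration, and redirects are simulated offline with a constructed map instead of real HTTP responses.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample policy for the example (not the real xpack.http.whitelist values).
ALLOWLIST = ["https://hooks.example.com/*", "http://*.internal.example.net:8080/*"]
DENYLIST = ["https://hooks.example.com/admin/*"]  # overrides the allowlist


def _compile(pattern):
    """Assumed 'simple regex' syntax: '*' matches anything, everything else is literal.
    The pattern is anchored so it must cover the whole URL, scheme included."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def is_blocked_host(host):
    """Always-blocked destinations: loopback names and addresses, link-local
    ranges (169.254.0.0/16, fe80::/10) and the unspecified address."""
    if host is None:
        return True
    name = host.lower()
    if name == "localhost" or name.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        return False  # a DNS name: the allow/deny lists decide (no resolution offline)
    return ip.is_loopback or ip.is_link_local or ip.is_unspecified


def check_url(url, allow=ALLOWLIST, deny=DENYLIST):
    """Return True only if the URL passes every layer of the policy."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    if is_blocked_host(parsed.hostname):
        return False
    if any(_compile(p).match(url) for p in deny):
        return False
    if not allow:
        return True  # assumed BWC default: no allowlist means everything else is allowed
    return any(_compile(p).match(url) for p in allow)


def follow_redirects(url, redirect_map, max_hops=5):
    """Simulate following redirects; each hop is re-checked against the policy so an
    allowed host cannot bounce the client to a blocked one. redirect_map is a
    constructed {url: Location header} stand-in for real responses.
    Returns (allowed, chain_of_urls_visited)."""
    chain = [url]
    current = url
    for _ in range(max_hops):
        if not check_url(current):
            return False, chain
        nxt = redirect_map.get(current)
        if nxt is None:
            return True, chain  # final destination reached and allowed
        if nxt in chain:
            return False, chain  # redirect loop
        current = nxt
        chain.append(current)
    return False, chain  # too many hops


if __name__ == "__main__":
    redirects = {"https://hooks.example.com/go": "http://169.254.169.254/latest/meta-data"}
    print(check_url("https://hooks.example.com/alerts"))   # True
    print(check_url("http://localhost:9200/_cluster/health"))  # False
    print(follow_redirects("https://hooks.example.com/go", redirects))  # (False, [...])
```

The point of re-running `check_url` on every hop is the redirect concern raised in the issue: a destination that passes the whitelist can still answer with a `Location` header pointing at the metadata service or a local port, so the policy has to be evaluated on the redirect target, not only on the URL the watch was configured with.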