Refuse recursive requests (CVE-2023-47633) #10242

Merged
merged 8 commits into from Nov 21, 2023

rtribotte
Member

What does this PR do?

This PR introduces an internal middleware that is automatically appended to the default rule's routers, to stop request recursion on Traefik.

Motivation

The exposure of the Traefik container combined with the default rule mechanism can lead to the creation of a router targeting itself in a loop.
In this case, to prevent an infinite loop, Traefik adds an internal middleware to refuse the request if it has already passed through the same router.

More

  • Added/updated tests
  • Added/updated documentation

Additional Notes

Co-authored-by: Michael michael.matur@gmail.com
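
The recursion guard described in this PR, sketched as a plain `net/http` middleware. This is an added example, not the code merged in the PR; the header name, router name, marker format and the 400 status are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"hash/fnv"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// routerHeader is a hypothetical marker header chosen for this sketch.
const routerHeader = "X-Example-Router"

// routerID hashes the router name so the marker does not expose it verbatim.
func routerID(name string) string {
	h := fnv.New64a()
	h.Write([]byte(name))
	return strconv.FormatUint(h.Sum64(), 16)
}

// refuseRecursion rejects a request that already carries this router's marker
// (it has been through the router before); otherwise it stamps the marker.
func refuseRecursion(routerName string, next http.Handler) http.Handler {
	id := routerID(routerName)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get(routerHeader) == id {
			http.Error(w, "recursive request refused", http.StatusBadRequest)
			return
		}
		r.Header.Set(routerHeader, id)
		next.ServeHTTP(w, r)
	})
}

// simulate wires a constructed loop (backend forwards back to its own router).
func simulate() (hits int, status int) {
	var router http.Handler
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		hits++
		fwd := httptest.NewRequest(r.Method, "/", nil)
		fwd.Header = r.Header.Clone() // a proxy forwards request headers
		router.ServeHTTP(w, fwd)
	})
	router = refuseRecursion("constructed-default-router", backend)
	rec := httptest.NewRecorder()
	router.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return hits, rec.Code
}

func main() { fmt.Println(simulate()) }
```

The backend is reached once; the second pass through the same router is refused instead of looping. Because each router overwrites the single marker, this sketch only detects a router calling itself, not a cycle through several routers.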

pkg/config/dynamic/http_config.go (outdated, resolved)
pkg/middlewares/loopstop/loop_stop.go (outdated, resolved)
pkg/middlewares/loopstop/loop_stop_test.go (outdated, resolved)
Member

@juliens juliens left a comment

LGTM

Contributor

@lbenguigui lbenguigui left a comment

LGTM

Member

@kevinpollet kevinpollet left a comment

LGTM

@traefiker traefiker merged commit 186e3e1 into traefik:v2.10 Nov 21, 2023
9 checks passed
@nmengin nmengin changed the title from "Refuse recursive requests" to "Refuse recursive requests (CVE-2023-47633)" Nov 29, 2023
@rtribotte rtribotte mentioned this pull request Nov 29, 2023
2 tasks
@rtribotte rtribotte deleted the refuse-recursive-requests branch March 15, 2024 14:22
7 participants