OCPBUGS-36652: Added checks on the Request URL that is passed

[Lucifergene]

trafficstars

This pull request introduces significant improvements to the SSRF (Server-Side Request Forgery) protection in the pkg/devconsole/proxy package. The changes include adding a validation function for request URLs, updating error messages for consistency, and enhancing the test coverage for the new validation logic.

SSRF Protection Enhancements:

• pkg/devconsole/proxy/proxy.go: Added a new validation step to check the request URL for SSRF vulnerabilities before processing the request.

Code Consistency:

• pkg/devconsole/proxy/proxy.go: Updated error messages to use consistent capitalization for better readability.

Test Coverage Improvements:

• pkg/devconsole/proxy/ssrf_test.go: Introduced new test cases to verify the behavior of the validateRequestURL function, covering various valid and invalid URL scenarios.
• pkg/devconsole/proxy/proxy_test.go: Updated existing test cases to use a real URL and replaced the mocked response body with a realistic API response. [1] [2] [3] [4]

Utility Functions:

• pkg/devconsole/proxy/ssrf_utils.go: Added utility functions for URL validation, including checks for allowed URLs, private IPs, public IPs, and DNS rebinding protection.

[openshift-ci-robot]

@Lucifergene: An error was encountered searching for bug OCPBUGS-36652 on the Jira server at https://issues.redhat.com/. No known errors were detected, please see the full error message for details.

Full error message.

You do not have the permission to see the specified issue.: request failed. Please analyze the request body for more details. Status code: 403:

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@Lucifergene: An error was encountered searching for bug OCPBUGS-36652 on the Jira server at https://issues.redhat.com/. No known errors were detected, please see the full error message for details.

Full error message.

You do not have the permission to see the specified issue.: request failed. Please analyze the request body for more details. Status code: 403:

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.

In response to this:

This pull request introduces SSRF (Server-Side Request Forgery) protection in the pkg/devconsole/proxy package. The most important changes include adding a URL validation function, updating the serve function to use this validation, and adding tests for the new functionality.

SSRF Protection Implementation:

• pkg/devconsole/proxy/proxy.go: Added URL validation to the serve function to prevent SSRF attacks.
• pkg/devconsole/proxy/ssrf_utils.go: Implemented the validateRequestURL function and supporting utilities to check for private IPs, resolve hostnames, and ensure URLs are safe.

Code Quality Improvements:

• pkg/devconsole/proxy/proxy.go: Standardized error message formatting for consistency.

Testing:

• pkg/devconsole/proxy/ssrf_test.go: Added a comprehensive set of tests for the validateRequestURL function to ensure it correctly identifies valid and invalid URLs.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[Lucifergene]

/cc @vikram-raj @lokanandaprabhu

[openshift-ci[bot]]

@Lucifergene: GitHub didn't allow me to request PR reviews from the following users: christoph-jerolimov.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

/cc @christoph-jerolimov @vikram-raj @lokanandaprabhu

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci-robot]

@Lucifergene: An error was encountered searching for bug OCPBUGS-36652 on the Jira server at https://issues.redhat.com/. No known errors were detected, please see the full error message for details.

Full error message.

You do not have the permission to see the specified issue.: request failed. Please analyze the request body for more details. Status code: 403:

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.

In response to this:

This pull request introduces significant improvements to the SSRF (Server-Side Request Forgery) protection in the pkg/devconsole/proxy package. The changes include adding a validation function for request URLs, updating error messages for consistency, and enhancing the test coverage for the new validation logic.

SSRF Protection Enhancements:

• pkg/devconsole/proxy/proxy.go: Added a new validation step to check the request URL for SSRF vulnerabilities before processing the request.

Code Consistency:

• pkg/devconsole/proxy/proxy.go: Updated error messages to use consistent capitalization for better readability.

Test Coverage Improvements:

• pkg/devconsole/proxy/ssrf_test.go: Introduced new test cases to verify the behavior of the validateRequestURL function, covering various valid and invalid URL scenarios.
• pkg/devconsole/proxy/proxy_test.go: Updated existing test cases to use a real URL and replaced the mocked response body with a realistic API response. [1] [2] [3] [4]

Utility Functions:

• pkg/devconsole/proxy/ssrf_utils.go: Added utility functions for URL validation, including checks for allowed URLs, private IPs, public IPs, and DNS rebinding protection.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[Lucifergene]

/label tide/merge-method-squash

[Lucifergene]

/cc @christoph-jerolimov

[openshift-ci-robot]

@Lucifergene: This pull request references Jira Issue OCPBUGS-36652, which is invalid:

• expected the bug to target either version "4.19." or "openshift-4.19.", but it targets "4.17.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Jira Task: https://issues.redhat.com/browse/ODC-7764

Removed the common devconsole proxy.

Created 6 new endpoints:

Artifacthub POST /api/dev-console/artifacthub/search POST /api/dev-console/artifacthub/get POST /api/dev-console/artifacthub/yaml Tekton-results POST /api/dev-console/tekton-results/get POST /api/dev-console/tekton-results/logs POST /api/dev-console/tekton-results/summary

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@Lucifergene: This pull request references ODC-7764 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.19.0" version, but no target version was set.

In response to this:

Jira Task: https://issues.redhat.com/browse/ODC-7764

Removed the common devconsole proxy.

Created 6 new endpoints:

1. Artifacthub

• POST /api/dev-console/artifacthub/search
• POST /api/dev-console/artifacthub/get
• POST /api/dev-console/artifacthub/yaml

2. Tekton-results

• POST /api/dev-console/tekton-results/get
• POST /api/dev-console/tekton-results/logs
• POST /api/dev-console/tekton-results/summary

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[vikram-raj]

/retest

[vikram-raj]

@Lucifergene, the Tekton results endpoint /API/dev-console/tekton-results/get is failing with a 500 error. It looks like you are looking for the route, but in a cluster, the request should go through the service instead of the route.

Check out how we were creating the endpoint for the service

https://github.com/openshift-pipelines/console-plugin/blob/f456a5fa884c04ba11355ece3eabdc20f9bacffa/src/components/utils/tekton-results.ts#L239

[openshift-ci-robot]

@Lucifergene: This pull request references ODC-7764 which is a valid jira issue.

In response to this:

Jira Task: https://issues.redhat.com/browse/ODC-7764

Removed the common devconsole proxy.

Created 6 new endpoints:

1. Artifacthub

• POST /api/dev-console/artifacthub/search
• POST /api/dev-console/artifacthub/get
• POST /api/dev-console/artifacthub/yaml

2. Tekton-results

• POST /api/dev-console/tekton-results/get
• POST /api/dev-console/tekton-results/logs
• POST /api/dev-console/tekton-results/summary

3. Webhooks

• POST /api/dev-console/webhooks/github
• POST /api/dev-console/webhooks/gitlab
• POST /api/dev-console/webhooks/bitbucket

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[vikram-raj]

/retest

[vikram-raj]

/retitle OCPBUGS-36652: Remove the Backend Common Proxy and Replace it with Dedicated ones

[openshift-ci-robot]

@Lucifergene: This pull request references Jira Issue OCPBUGS-36652, which is invalid:

• expected the bug to target either version "4.19." or "openshift-4.19.", but it targets "4.17.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Jira Task: https://issues.redhat.com/browse/ODC-7764

Removed the common devconsole proxy.

Created 6 new endpoints:

1. Artifacthub

• POST /api/dev-console/artifacthub/search
• POST /api/dev-console/artifacthub/get
• POST /api/dev-console/artifacthub/yaml

2. Tekton-results

• POST /api/dev-console/tekton-results/get
• POST /api/dev-console/tekton-results/logs
• POST /api/dev-console/tekton-results/summary

3. Webhooks

• POST /api/dev-console/webhooks/github
• POST /api/dev-console/webhooks/gitlab
• POST /api/dev-console/webhooks/bitbucket

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[vikram-raj]

/jira refresh

[openshift-ci-robot]

@vikram-raj: This pull request references Jira Issue OCPBUGS-36652, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.19.0) matches configured target version for branch (4.19.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact: /cc @yapei

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[vikram-raj]

/retest

[openshift-ci[bot]]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lokanandaprabhu, Lucifergene, spadgett

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• ~~cmd/OWNERS~~ [spadgett]
• ~~frontend/OWNERS~~ [spadgett]
• ~~pkg/OWNERS~~ [spadgett]

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

[vikram-raj]

/unhold

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD cd08e7307ab337e85bdb58a9d984aa5b47103d59 and 2 for PR HEAD a997cb05e872fc440c2aba0b5e856c785e105520 in total

[vikram-raj]

/retest

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD cd08e7307ab337e85bdb58a9d984aa5b47103d59 and 2 for PR HEAD a997cb05e872fc440c2aba0b5e856c785e105520 in total

[invincibleJai]

/retest

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD cd08e7307ab337e85bdb58a9d984aa5b47103d59 and 2 for PR HEAD a997cb05e872fc440c2aba0b5e856c785e105520 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 93605f1c7063a5f48c72f8610509435892d9f659 and 1 for PR HEAD a997cb05e872fc440c2aba0b5e856c785e105520 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 93605f1c7063a5f48c72f8610509435892d9f659 and 2 for PR HEAD a997cb05e872fc440c2aba0b5e856c785e105520 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 7a9c456b332fe0f3298604c1215ca8c83e9fdeaf and 1 for PR HEAD a997cb05e872fc440c2aba0b5e856c785e105520 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 57a4cdec7c9b5c24481efc279794f2208cc25c74 and 0 for PR HEAD a997cb05e872fc440c2aba0b5e856c785e105520 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 57a4cdec7c9b5c24481efc279794f2208cc25c74 and 2 for PR HEAD a997cb05e872fc440c2aba0b5e856c785e105520 in total