Skip to content

Forbid setting the Location and Refresh custom response headers#98129

Merged
legrego merged 3 commits intoelastic:masterfrom
legrego:chore/forbid-location-response-header
Apr 23, 2021
Merged

Forbid setting the Location and Refresh custom response headers#98129
legrego merged 3 commits intoelastic:masterfrom
legrego:chore/forbid-location-response-header

Conversation

@legrego
Copy link
Copy Markdown
Member

@legrego legrego commented Apr 23, 2021
edited
Loading

Summary

The server.customResponseHeaders allows administrators to configure a custom set of headers that the Kibana server will send with every response. We have historically not had much validation around this because we can't know all the valid use cases for this feature in advance.

Two headers that I don't see a valid need for is Location and Refresh -- setting these response headers would force the browser to redirect every response to a fixed value, which does not make a whole lot of sense.

This PR adds a deny list of headers, with Location and Refresh specified

legrego
legrego commented Apr 23, 2021
View reviewed changes
Comment thread src/core/server/http/http_config.ts Outdated
@legrego legrego marked this pull request as ready for review April 23, 2021 13:12
@legrego legrego requested a review from a team as a code owner April 23, 2021 13:12
@legrego legrego requested a review from jportner April 23, 2021 13:12
pgayvallet
pgayvallet approved these changes Apr 23, 2021
View reviewed changes
Comment thread src/core/server/http/http_config.ts Outdated
@jportner
Copy link
Copy Markdown
Contributor

jportner commented Apr 23, 2021

I tried several ways to circumvent this restriction:

  • Adding the location header with different suffixes (:, ., -, etc)
  • Adding the location header with different prefixes
  • HTTP response splitting with CRLF characters (reference)

All of these attempts were unsuccessful because Node is pretty strict with HTTP header key/value validation (https://github.com/nodejs/node/blob/ee9e2a2eb6143fa7b4b1454f7aed009a8703d4d7/lib/_http_common.js#L214-L233 via https://github.com/nodejs/node/blob/ee9e2a2eb6143fa7b4b1454f7aed009a8703d4d7/lib/_http_outgoing.js#L556-L570).

However, I did find one alternative way to control where the browser goes:

server.customResponseHeaders:
  refresh: "0; URL=https://example.com"

So I think this denylist approach will work, but perhaps we should take a step back and evaluate all HTTP response headers. At a minimum it sounds like we will need to have location and refresh in the denylist.

@legrego
Copy link
Copy Markdown
Member Author

legrego commented Apr 23, 2021

So I think this denylist approach will work, but perhaps we should take a step back and evaluate all HTTP response headers. At a minimum it sounds like we will need to have location and refresh in the denylist.

Thanks for testing this Joe, much appreciated! I agree we should add refresh to the list. I thought I had evaluated the response headers, but missed that one. I debated adding Content-Location to the list, but I don't think that's necessary based on my understanding of that header.

@legrego legrego changed the title Forbid setting the Location custom response header Forbid setting the Location and Refresh custom response headers Apr 23, 2021
@kibanamachine
Copy link
Copy Markdown
Contributor

kibanamachine commented Apr 23, 2021

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@legrego legrego added the auto-backport Deprecated - use backport:version if exact versions are needed label Apr 23, 2021
@legrego legrego merged commit ff9eb3b into elastic:master Apr 23, 2021
@legrego legrego deleted the chore/forbid-location-response-header branch April 23, 2021 19:00
@kibanamachine kibanamachine mentioned this pull request Apr 23, 2021
Merged
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Apr 23, 2021
@legrego @kibanamachine
Forbid setting the Location and Refresh custom response headers (elas…
d5fc8c4 
…tic#98129)
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Apr 23, 2021
@legrego @kibanamachine
Forbid setting the Location and Refresh custom response headers (elas…
23aa7d5 
…tic#98129)
@kibanamachine kibanamachine mentioned this pull request Apr 23, 2021
Merged
@kibanamachine
Copy link
Copy Markdown
Contributor

kibanamachine commented Apr 23, 2021

💔 Backport failed

Status Branch Result
7.12 Commit could not be cherrypicked due to conflicts
7.13
7.x

Successful backport PRs will be merged automatically after passing CI.

To backport manually run:
node scripts/backport --pr 98129

@legrego legrego mentioned this pull request Apr 23, 2021
Merged
legrego added a commit to legrego/kibana that referenced this pull request Apr 23, 2021
@legrego
Forbid setting the Location and Refresh custom response headers (elas…
d8a28c8 
…tic#98129)

# Conflicts:
#	src/core/server/http/http_config.ts
@legrego
Copy link
Copy Markdown
Member Author

legrego commented Apr 23, 2021

Manual backport to 7.12.2: #98206

kibanamachine added a commit that referenced this pull request Apr 23, 2021
@kibanamachine @legrego
Forbid setting the Location and Refresh custom response headers (#98129
e62363f 
…) (#98205)

Co-authored-by: Larry Gregory <larry.gregory@elastic.co>
legrego added a commit that referenced this pull request Apr 23, 2021
@legrego
Forbid setting the Location and Refresh custom response headers (#98129
b468ed7 
…) (#98206)

# Conflicts:
#	src/core/server/http/http_config.ts
kibanamachine added a commit that referenced this pull request Apr 23, 2021
@kibanamachine @legrego
Forbid setting the Location and Refresh custom response headers (#98129
ff5fceb 
…) (#98204)

Co-authored-by: Larry Gregory <larry.gregory@elastic.co>
@legrego legrego added the Team:Security Platform Security: Auth, Users, Roles, Spaces, Audit Logging, etc t// label Apr 30, 2021
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Apr 30, 2021

Pinging @elastic/kibana-security (Team:Security)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pgayvallet pgayvallet pgayvallet approved these changes

+1 more reviewer

@jportner jportner jportner approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

auto-backport Deprecated - use backport:version if exact versions are needed chore release_note:fix Team:Security Platform Security: Auth, Users, Roles, Spaces, Audit Logging, etc t// v7.12.2 v7.13.0 v7.14.0 v8.0.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@legrego @jportner @kibanamachine @elasticmachine @pgayvallet