custom-error-pages: Add an ability to disable "/metrics", "/healthz" and "/debug/vars" endpoints #9152
@rikatz seems like one reason to focus on this, like you had suggested. Will do as per your advice.
/triage accepted
FYI I've just had this bug raised from an OpenBugBounty. None of the things exposed are overly sensitive here, but this does leave an operator unexpectedly exposed to any CVE related to these endpoints. They are exposed publicly and reachable from the internet as soon as someone uses the custom-error-pages container.
Defaults should definitely prevent these from being reachable by the internet. Scrapeable by internal services by default, sure - but never exposed to the internet by default.
Hi @strongjz,
You can use my fork https://github.com/Hexcles/nginx-errors
---
Sent from my cellphone.
On Thu, Feb 9, 2023, 02:37 ucinskij wrote:
Hi @strongjz <https://github.com/strongjz>,
I don't intend to put any pressure here but perhaps you know when we could expect this to be done? Unfortunately internal security scans within the company require an action on this from our side, the security team simply complains too much about this.
@ucinskij We are trying to find the best tool/practice to make sure things are getting addressed. Currently we are using the project board here to track our work and what needs to be worked on next or who is asking for feature/PR review: https://github.com/orgs/kubernetes/projects/104. All new issues get added to the board but I have not added older ones. I will add this one to the board. Another good way to keep this in our attention is to join the community meetings as well. We discuss issues, PRs and open items like this to prioritize. Right now we have several CVEs we are trying to remediate and get updates out for ingress-nginx, then we can look to implementing features like this. If you are interested in taking the time and implementing it, we can discuss that 1x1. Thank you,
Any update on this?
I would like to work on this issue if that's OK
The custom-error-pages backend does its job pretty well, however during a security scan it was detected that it exposes three endpoints:
/metrics
/healthz
/debug/vars
/metrics and /healthz are implemented by ingress-nginx/images/custom-error-pages/rootfs/main.go (line 78 in 499dbf5). /debug/vars at a first sight seems to be coming with github.com/prometheus/client_golang, which includes expvar: https://pkg.go.dev/expvar. Especially the first and last ones expose information that might be considered as 'sensitive' by some organizations. Hence why I would like to ask for a feature toggle that would allow to disable those endpoints. It is to be considered if those should be exposed by default or not.
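The following is an added example, not code from the ingress-nginx custom-error-pages image, showing the two mechanics behind this issue in standard-library Go: the expvar package registers /debug/vars on http.DefaultServeMux as a side effect of being imported (which is why it appears even though the image never registers it itself), and serving from a private ServeMux with opt-in registration keeps /metrics, /healthz and /debug/vars off by default. The toggle names ENABLE_METRICS, ENABLE_HEALTHZ and ENABLE_DEBUG_VARS, the stub error-page handler and the text-format metrics handler are assumptions of this example and not options of the real image.

```go
package main

import (
	"expvar" // importing expvar, directly or through a dependency, registers /debug/vars on http.DefaultServeMux
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"os"
	"strconv"
)

// Toggles are the hypothetical opt-in switches this example assumes; they are not
// options of the real custom-error-pages image. All default to off.
type Toggles struct {
	Metrics   bool
	Healthz   bool
	DebugVars bool
}

// TogglesFromEnv reads ENABLE_METRICS, ENABLE_HEALTHZ and ENABLE_DEBUG_VARS
// (assumed names) through the supplied lookup; anything that is not a Go
// boolean literal ("1", "true", ...) counts as off.
func TogglesFromEnv(getenv func(string) string) Toggles {
	on := func(key string) bool {
		v, err := strconv.ParseBool(getenv(key))
		return err == nil && v
	}
	return Toggles{
		Metrics:   on("ENABLE_METRICS"),
		Healthz:   on("ENABLE_HEALTHZ"),
		DebugVars: on("ENABLE_DEBUG_VARS"),
	}
}

// served counts error pages rendered; published through expvar so the
// /debug/vars handler has something to show when it is enabled.
var served = expvar.NewInt("error_pages_served")

// errorPage stands in for the real handler: every request that is not one of
// the enabled operational endpoints gets an error page with status 404.
func errorPage(w http.ResponseWriter, r *http.Request) {
	served.Add(1)
	w.Header().Set("Content-Type", "text/plain")
	w.WriteHeader(http.StatusNotFound)
	fmt.Fprintf(w, "error page for %s\n", r.URL.Path)
}

// metrics is a minimal text-format exposition of the single counter above
// (a stand-in for the Prometheus handler the real image uses).
func metrics(w http.ResponseWriter, _ *http.Request) {
	fmt.Fprintf(w, "custom_error_pages_served_total %d\n", served.Value())
}

// NewMux builds a private ServeMux. Only what is registered here is reachable,
// so handlers that packages such as expvar attach to http.DefaultServeMux at
// init time never become part of the listener's public surface.
func NewMux(t Toggles) *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/", errorPage)
	if t.Healthz {
		mux.HandleFunc("/healthz", func(w http.ResponseWriter, _ *http.Request) {
			w.WriteHeader(http.StatusOK)
		})
	}
	if t.Metrics {
		mux.HandleFunc("/metrics", metrics)
	}
	if t.DebugVars {
		mux.Handle("/debug/vars", expvar.Handler()) // same handler expvar puts on DefaultServeMux
	}
	return mux
}

// Status sends an in-process GET to h and returns the response status code;
// this is what a scanner probing the listener would observe.
func Status(h http.Handler, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

func main() {
	t := TogglesFromEnv(os.Getenv)
	mux := NewMux(t)
	for _, p := range []string{"/metrics", "/healthz", "/debug/vars"} {
		fmt.Printf("private mux     GET %-12s -> %d\n", p, Status(mux, p))
	}
	// The import side effect is still present on the default mux; passing the
	// private mux to ListenAndServe instead of nil is what keeps it unreachable.
	fmt.Printf("DefaultServeMux GET /debug/vars -> %d\n", Status(http.DefaultServeMux, "/debug/vars"))
	log.Fatal(http.ListenAndServe(":8080", mux))
}
```

With no environment set, all three probes against the private mux return 404 (the error page itself), while the same probe against http.DefaultServeMux returns 200, which is the situation the security scan picked up on the real image. The design choice worth copying is that the handler passed to ListenAndServe is never nil: nil means DefaultServeMux, and DefaultServeMux carries whatever every imported package decided to register.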