Handle Consul API URL protocol mismatch (#10082)
davemay99 authored and schmichael committed May 14, 2021
1 parent 05a3d94 commit 35a68fe
Showing 3 changed files with 36 additions and 8 deletions.
5 changes: 5 additions & 0 deletions CHANGELOG.md
Expand Up @@ -3,6 +3,11 @@
SECURITY:
* drivers/docker+exec+java: Disable `CAP_NET_RAW` linux capability by default to prevent ARP spoofing. CVE-2021-32575 [[GH-10568](https://github.com/hashicorp/nomad/issues/10568)](https://github.com/hashicorp/nomad/issues/10568)

BUG FIXES:
* api: Added missing devices block to AllocatedTaskResources [[GH-10064](https://github.com/hashicorp/nomad/pull/10064)]
* cli: Fixed a bug where non-int proxy port would panic CLI [[GH-10072](https://github.com/hashicorp/nomad/issues/10072)]
* cli: Fixed a bug where `nomad operator debug` incorrectly parsed https Consul API URLs. [[GH-10082](https://github.com/hashicorp/nomad/pull/10082)]

## 1.0.4 (February 24, 2021)

FEATURES:
7 changes: 6 additions & 1 deletion command/operator_debug.go
Expand Up @@ -1064,6 +1064,10 @@ func (e *external) addr(defaultAddr string) string {
if strings.HasPrefix(e.addrVal, "http:") {
return e.addrVal
}
if strings.HasPrefix(e.addrVal, "https:") {
// Mismatch: e.ssl=false but addrVal is https
return strings.ReplaceAll(e.addrVal, "https://", "http://")
}
return "http://" + e.addrVal
}

Expand All @@ -1072,7 +1076,8 @@ func (e *external) addr(defaultAddr string) string {
}

if strings.HasPrefix(e.addrVal, "http:") {
return "https:" + e.addrVal[5:]
// Mismatch: e.ssl=true but addrVal is http
return strings.ReplaceAll(e.addrVal, "http://", "https://")
}

return "https://" + e.addrVal
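Review bot: The new `https:` branch on the `e.ssl == false` path silently rewrites an explicitly configured `https://` address to `http://`, so a request the operator pointed at a TLS endpoint goes out in cleartext. An explicit scheme in the address is the stronger signal of intent, so I would keep it with `return e.addrVal` in that branch, or at least warn, rather than downgrade. Separately, both new returns use `strings.ReplaceAll`, which rewrites every occurrence in the value rather than only the leading scheme. The guards also test the prefix `http:` while the replacement looks for `http://`, so a constructed value such as `http:host:8500` now comes back unchanged with `e.ssl == true`, a case the removed `"https:" + e.addrVal[5:]` handled; `return "https://" + strings.TrimPrefix(strings.TrimPrefix(e.addrVal, "http:"), "//")` rewrites only the prefix and covers both forms. `addr` starts and ends outside the visible hunks, so whether a token or other credentials travel with the downgraded request cannot be confirmed from here and should be checked.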
32 changes: 25 additions & 7 deletions command/operator_debug_test.go
Expand Up @@ -433,17 +433,35 @@ func TestDebug_Utils(t *testing.T) {
require.Empty(t, xs)

// address calculation honors CONSUL_HTTP_SSL
e := &external{addrVal: "http://127.0.0.1:8500", ssl: true}
require.Equal(t, "https://127.0.0.1:8500", e.addr("foo"))
// ssl: true - Correct alignment
e := &external{addrVal: "https://127.0.0.1:8500", ssl: true}
addr := e.addr("foo")
require.Equal(t, "https://127.0.0.1:8500", addr)

// ssl: true - protocol incorrect
e = &external{addrVal: "http://127.0.0.1:8500", ssl: true}
addr = e.addr("foo")
require.Equal(t, "https://127.0.0.1:8500", addr)

// ssl: true - protocol missing
e = &external{addrVal: "127.0.0.1:8500", ssl: true}
addr = e.addr("foo")
require.Equal(t, "https://127.0.0.1:8500", addr)

// ssl: false - correct alignment
e = &external{addrVal: "http://127.0.0.1:8500", ssl: false}
require.Equal(t, "http://127.0.0.1:8500", e.addr("foo"))
addr = e.addr("foo")
require.Equal(t, "http://127.0.0.1:8500", addr)

e = &external{addrVal: "127.0.0.1:8500", ssl: false}
require.Equal(t, "http://127.0.0.1:8500", e.addr("foo"))
// ssl: false - protocol incorrect
e = &external{addrVal: "https://127.0.0.1:8500", ssl: false}
addr = e.addr("foo")
require.Equal(t, "http://127.0.0.1:8500", addr)

e = &external{addrVal: "127.0.0.1:8500", ssl: true}
require.Equal(t, "https://127.0.0.1:8500", e.addr("foo"))
// ssl: false - protocol missing
e = &external{addrVal: "127.0.0.1:8500", ssl: false}
addr = e.addr("foo")
require.Equal(t, "http://127.0.0.1:8500", addr)
}

func TestDebug_WriteBytes_Nil(t *testing.T) {
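Review bot: The six address cases in `TestDebug_Utils` repeat the same three statements with only `addrVal`, `ssl` and the expected string changing, which makes it hard to see which combinations are covered. A table of `{addr, ssl, want}` entries driven by `for _, tc := range cases { require.Equal(t, tc.want, (&external{addrVal: tc.addr, ssl: tc.ssl}).addr("foo")) }` would read more clearly and make it cheap to add edge inputs, such as an address with a path or an upper-case scheme. The `// ssl: false - protocol incorrect` case also pins the https-to-http rewrite as expected behaviour, so it deserves a comment saying the downgrade is intentional if it is kept. `TestDebug_Utils` begins outside this hunk.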
