CVE-2022-34296: Release v0.13.218 · zalando/skipper

In Zalando Skipper before 0.13.218, a query predicate could be bypassed via a prepared request.


Changes

fix: Query predicate could be bypassed by prepared request, config is enabled by default and you can disable with -validate-query=false or (#2028)

Thanks to Daniel Abeles and Gal Goldshtein from https://oxeye.io

POC

% ./bin/skipper -inline-routes '
r1: QueryParam("foo") -> inlineContent("foo") -> <shunt>; 
r2: * -> inlineContent("OK") -> <shunt>'

% curl "localhost:9090/r?foo=bar;" 
OK

Fix as docker or binary user

Update to >=v0.13.218

To opt out of the fix: -validate-query=false
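
The POC result and the effect of query validation can be reproduced with Go's standard library alone. This is an added example, not Skipper's code: route, validateQuery, plain and probe are hypothetical names, and the matcher assumes a proxy that decides on URL.Query(), which since Go 1.17 silently drops pairs containing ';'.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// route is a hypothetical stand-in for the POC's two routes:
// r1 answers "foo" when query parameter foo is present, r2 is the catch-all.
func route(w http.ResponseWriter, r *http.Request) {
	// URL.Query() discards the parse error, so "foo=bar;" yields no foo key
	// and the request falls through to the catch-all.
	if r.URL.Query().Has("foo") {
		fmt.Fprint(w, "foo")
		return
	}
	fmt.Fprint(w, "OK")
}

// validateQuery (hypothetical) refuses to route on a query that does not
// parse cleanly and answers 400 instead.
func validateQuery(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := url.ParseQuery(r.URL.RawQuery); err != nil {
			http.Error(w, "Invalid query", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// plain is the handler without query validation.
var plain http.Handler = http.HandlerFunc(route)

// probe sends one in-memory GET request to h and returns status and body.
func probe(h http.Handler, target string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code, rec.Body.String()
}

func main() {
	for _, target := range []string{"/r?foo=bar", "/r?foo=bar;"} { // constructed inputs
		c1, b1 := probe(plain, target)
		c2, b2 := probe(validateQuery(plain), target)
		fmt.Printf("%-12s plain=%d %q validated=%d %q\n", target, c1, b1, c2, b2)
	}
}
```
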

Fix as skipper library user

diff --git main.go main.go index 66b2da6…002455d 100644 — main.go +++ main.go @@ -5,6 +5,7 @@ import ( “flag” “fmt”

  •   "net/http"
      "net/url"
      "os"
      "path"
    

@@ -21,6 +22,7 @@ import ( “github.com/zalando/skipper/filters/accesslog” “github.com/zalando/skipper/filters/auth” “github.com/zalando/skipper/filters/cors”

  •   "github.com/zalando/skipper/net"
      "github.com/zalando/skipper/proxy"
      "github.com/zalando/skipper/routing"
    
    
      options := skipper.Options{
    
  •           CustomHttpHandlerWrap: func(handler http.Handler) http.Handler {
    
  •                   return &net.ValidateQueryHandler{Handler: handler}
    
  •           },
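
Review bot: the CustomHttpHandlerWrap assignment in the options block returns only &net.ValidateQueryHandler{Handler: handler}, so a library user who already sets CustomHttpHandlerWrap and copies this would drop their existing wrapper; the snippet should say to compose the two, passing the result of the existing wrap as Handler. The new import "github.com/zalando/skipper/net" also sits directly beside "net/http" and "net/url" under the package name net, so an import alias would make it clear that net.ValidateQueryHandler is not from the standard library. A one-line comment at the wrap saying that it rejects requests with an invalid query would tell readers why it must stay in place.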
    

Docker image

Docker image is available in Zalando’s Open Source registry:

docker run -it registry.opensource.zalan.do/teapot/skipper:v0.13.218 skipper --help
# arm64
docker run -it registry.opensource.zalan.do/teapot/skipper-arm64:v0.13.218 skipper --help
# arm v7 32bit
docker run -it registry.opensource.zalan.do/teapot/skipper-armv7:v0.13.218 skipper --help

Related news

GHSA-qx2j-85q5-ffp8: Query predicate bypass in Zalando Skipper
