feat(ingester): restrict /flush and /shutdown endpoints to POST only#7674
Open
Goutham-Annem wants to merge 1 commit into
Open
feat(ingester): restrict /flush and /shutdown endpoints to POST only#7674Goutham-Annem wants to merge 1 commit into
Goutham-Annem wants to merge 1 commit into
Conversation
The /ingester/flush, /ingester/shutdown, /flush, and /shutdown endpoints previously accepted GET requests, making it possible to accidentally trigger a destructive ingester operation by clicking a link in a browser or by a pre-fetch proxy following links on the index page. Changes: - Route registration for flush/shutdown changed from ["GET","POST"] to ["POST"]. A browser GET (or curl without -X POST) now returns 405 Method Not Allowed. - Index page template updated to render links in the "Dangerous:" section as HTML <form method="POST"> submit buttons rather than plain <a href> anchors, preventing browser-initiated GET requests while keeping the UI functional. - tools/migrate-ingester-statefulsets.sh updated to use `wget --post-data=""` (BusyBox wget supports this flag) so the script continues to work after the GET handler is removed. - Two tests added/extended to assert the POST-form rendering for dangerous links. Fixes cortexproject#3243 Signed-off-by: Goutham Annem <gouthemannem@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this PR does:
The
/ingester/flush,/ingester/shutdown,/flush, and/shutdownendpoints previously acceptedGETrequests, making it possible to accidentally trigger a destructive ingester operation by clicking a link in a browser or via a pre-fetch proxy following the index page's links.This PR makes three coordinated changes:
Route restriction (
pkg/api/api.go): The four flush/shutdownRegisterRoutecalls now only list"POST". A browserGET(orcurlwithout-X POST) returns405 Method Not Allowed.Index page template (
pkg/api/handlers.go): Links in theDangerous:section now render as<form method="POST"><button>elements instead of<a href>anchors. This ensures that clicking in the browser issues aPOST, not aGET. Non-dangerous links continue to render as plain anchors. A template functionIsDangerous(section string) booldrives the branching.Migration script (
tools/migrate-ingester-statefulsets.sh): The BusyBoxwgetinvocation insidekubectl execis updated towget --post-data="" -T 5 .... BusyBox wget supports--post-data, so the script continues to work without requiringcurlinside the Cortex container image (which is unavailable per the original issue discussion).Which issue(s) this PR fixes:
Fixes #3243
Checklist
TestIndexPageContentextended with assertions that dangerous links producemethod="POST"forms and no<a href>; newTestIndexHandlerDangerousLinksUsePostFormscovers prefix behaviour for dangerous linksCHANGELOG.mdupdated