Skip to content

Backport of fix path cleaning of proxied urls into release/1.21.x #22810

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: release/1.21.x
Choose a base branch
from
Open

Backport of fix path cleaning of proxied urls into release/1.21.x #22810

wants to merge 1 commit into from

Conversation

hc-github-team-consul-core
Copy link
Collaborator

Backport

This PR is auto-generated from #22671 to be assessed for backporting due to the inclusion of the label backport/1.21.

The below text is copied from the body of the original PR.

Description

This pull request addresses a security issue in the UIMetricsProxy handler by improving how proxied URL paths are cleaned and validated to prevent path traversal attacks. The main focus is on ensuring that user-supplied paths cannot escape the intended base URL, even in edge cases.

Security improvements to URL path handling:

  • Paths are now cleaned using path.Clean with a leading slash to ensure that any ../ segments are properly removed, preventing path traversal attacks. (agent/ui_endpoint.go)
  • The previous redundant cleaning of the parsed URL path after construction has been removed, as the cleaning is now handled earlier and more securely. (agent/ui_endpoint.go)

Base URL validation enhancements:

  • The check for whether the target URL is within the base URL now ensures the base URL has a trailing slash for proper prefix matching, and allows an exact match of the base URL without the trailing slash. This prevents attackers from escaping the base path by manipulating the URL. (agent/ui_endpoint.go)

Testing & Reproduction steps

Links

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern

PCI review checklist

  • I have documented a clear reason for, and description of, the change I am making.

  • If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.

  • If applicable, I've documented the impact of any changes to security controls.

    Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.

Overview of commits

@hc-github-team-consul-core hc-github-team-consul-core requested a review from a team as a code owner September 22, 2025 12:14
github-team-consul-core-pr-approver
github-team-consul-core-pr-approver approved these changes Sep 22, 2025
View reviewed changes
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto approved Consul Bot automated PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-team-consul-core-pr-approver github-team-consul-core-pr-approver github-team-consul-core-pr-approver approved these changes

@sanikachavan5 sanikachavan5 Awaiting requested review from sanikachavan5

At least 1 approving review is required to merge this pull request.

Assignees

@sanikachavan5 sanikachavan5

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@hc-github-team-consul-core @github-team-consul-core-pr-approver @sanikachavan5