Posted to issues@trafficcontrol.apache.org by GitBox <gi...@apache.org> on 2021/03/19 15:32:58 UTC

[GitHub] [trafficcontrol] rob05c opened a new issue #5658: Add Traffic Ops Delivery Service Name FQDN Validation

rob05c opened a new issue #5658:
URL: https://github.com/apache/trafficcontrol/issues/5658


   ## I'm submitting a ...
   -  improvement request (usability, performance, tech debt, etc.)
   
   ## Traffic Control components affected ...
   -  Traffic Ops
   
   ## Current behavior:
   
   Traffic Ops validates that Delivery Service names (xmlId) don't contain spaces or periods:
   
   https://github.com/apache/trafficcontrol/blob/6959ec/traffic_ops/traffic_ops_golang/deliveryservice/deliveryservices.go#L1328
   
   But it doesn't verify it's a valid FQDN component. 
   
   Traffic Portal does, but Traffic Ops doesn't.
   
   There is specifically an interest in prohibiting underscores, which we use in Header Rewrite files, e.g. `hdr_rw_mid_foo.config`. As-is, if an untrusted person were allowed to make Delivery Services, they could create a Delivery Service named "mid_foo" in order to attack and manipulate a different Delivery Service. This isn't a huge issue today, without Self Service, but it will be if and when we ever get there. Adding the validation now prevents the future security issue.
   
   ## New behavior:
   
   Traffic Ops is changed to validate Delivery Service names to only contain alphanumeric and hyphen characters.
   
   ## Minimal reproduction of the problem with instructions:
   POST a new Delivery Service to Traffic Ops with underscores in the xmlID
   
   ## Anything else:


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
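
Added example (not part of the original issue and not Traffic Ops code): a Go version of the server-side check the issue asks for, treating the xmlId as a single DNS label. It goes slightly beyond the issue's "alphanumeric and hyphen" rule by also applying the RFC 1035 label length and hyphen-position limits. The function names and the edge/mid file naming scheme (inferred from the issue's `hdr_rw_mid_foo.config` example) are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// maxLabelLen is the DNS label length limit from RFC 1035.
const maxLabelLen = 63

// validateXMLID is a hypothetical helper: it accepts only names usable as a
// single DNS label, i.e. ASCII letters, digits and hyphens, 1 to 63 bytes,
// with no leading or trailing hyphen. Underscores, periods, spaces and
// non-ASCII characters are all rejected.
func validateXMLID(xmlID string) error {
	if len(xmlID) == 0 || len(xmlID) > maxLabelLen {
		return errors.New("xmlId must be 1 to 63 characters long")
	}
	if xmlID[0] == '-' || xmlID[len(xmlID)-1] == '-' {
		return errors.New("xmlId must not start or end with a hyphen")
	}
	for i, c := range xmlID {
		switch {
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9', c == '-':
			// allowed character
		default:
			return fmt.Errorf("xmlId contains invalid character %q at offset %d", c, i)
		}
	}
	return nil
}

// Assumed file naming, inferred from the issue's hdr_rw_mid_foo.config example.
func edgeRewriteFile(xmlID string) string { return "hdr_rw_" + xmlID + ".config" }
func midRewriteFile(xmlID string) string  { return "hdr_rw_mid_" + xmlID + ".config" }

func main() {
	// Constructed sample names, including the "mid_foo" case from the issue.
	for _, name := range []string{"foo", "mid_foo", "my-ds-01", "a.b", "-foo", "caf\u00e9"} {
		fmt.Printf("%-12q valid=%v\n", name, validateXMLID(name) == nil)
	}
	// The file name collision that rejecting underscores prevents.
	fmt.Println("collision:", edgeRewriteFile("mid_foo") == midRewriteFile("foo"))
}
```

Running the same check in Traffic Ops rather than only in Traffic Portal matters because API clients can bypass the UI entirely.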



[GitHub] [trafficcontrol] rob05c commented on issue #5658: Add Traffic Ops Delivery Service Name FQDN Validation

Posted by GitBox <gi...@apache.org>.
rob05c commented on issue #5658:
URL: https://github.com/apache/trafficcontrol/issues/5658#issuecomment-805875099


   It looks like #3312 is a subset of this. I'd vote we close that in favor of this.





[GitHub] [trafficcontrol] ocket8888 commented on issue #5658: Add Traffic Ops Delivery Service Name FQDN Validation

Posted by GitBox <gi...@apache.org>.
ocket8888 commented on issue #5658:
URL: https://github.com/apache/trafficcontrol/issues/5658#issuecomment-802962019


   Is this a duplicate of #3312? I know the title there is specifically about underscores, but it was the issue attached to the PR that added the validation to TP.





[GitHub] [trafficcontrol] ocket8888 commented on issue #5658: Add Traffic Ops Delivery Service Name FQDN Validation

Posted by GitBox <gi...@apache.org>.
ocket8888 commented on issue #5658:
URL: https://github.com/apache/trafficcontrol/issues/5658#issuecomment-806949543


   That's fine too





[GitHub] [trafficcontrol] rawlinp commented on issue #5658: Add Traffic Ops Delivery Service Name FQDN Validation

Posted by GitBox <gi...@apache.org>.
rawlinp commented on issue #5658:
URL: https://github.com/apache/trafficcontrol/issues/5658#issuecomment-802934646


   Since the xmlID is only used to create the `HOST_REGEXP` w/ order = 0, which actually determines the delivery FQDN, we should also validate the `HOST_REGEXP` similarly. But since that is a regex, I don't know if we can really limit it to alphanumeric and hyphen characters.

