From 34ec61fc69dd067e5fdbf27fc62232d8e6373f10 Mon Sep 17 00:00:00 2001
From: Eguzki Astiz Lezaun
Date: Tue, 31 Oct 2023 17:00:35 +0100
Subject: [PATCH] enable lua_check_client_abort

Makes HTTP2 reset streams to be accounted and handled by apicast. Ref CVE-2023-44487
---
 gateway/conf.d/apicast.conf | 2 ++
 .../src/apicast/policy/apicast/apicast.lua | 22 ++++++++++++++++++-
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/gateway/conf.d/apicast.conf b/gateway/conf.d/apicast.conf
index ba8d48794..e8a0aa845 100644
--- a/gateway/conf.d/apicast.conf
+++ b/gateway/conf.d/apicast.conf
@@ -3,6 +3,8 @@ set_by_lua_block $deployment {
   return require('apicast.user_agent').deployment()
 }
 
+lua_check_client_abort on;
+
 # TODO: enable in the future when we support SSL
 # ssl_certificate_by_lua_block { require('apicast.executor').call() }
 # ssl_session_fetch_by_lua_block { require('apicast.executor').call() }
diff --git a/gateway/src/apicast/policy/apicast/apicast.lua b/gateway/src/apicast/policy/apicast/apicast.lua
index 0662e5a1d..47b1607f3 100644
--- a/gateway/src/apicast/policy/apicast/apicast.lua
+++ b/gateway/src/apicast/policy/apicast/apicast.lua
@@ -30,11 +30,17 @@ end
 
 function _M.cleanup()
   -- now abort all the "light threads" running in the current request handler
+  ngx.log(ngx.INFO, "client closed the (downstream) connection prematurely.")
   ngx.exit(499)
 end
 
 function _M:rewrite(context)
-  ngx.on_abort(self.cleanup)
+  ngx.log(ngx.INFO, "registering on abort")
+  local ok, err = ngx.on_abort(self.cleanup)
+  if not ok then
+    ngx.log(ngx.ERR, "failed to register the on_abort callback: ", err)
+    ngx.exit(500)
+  end
 
   -- load configuration if not configured
   -- that is useful when lua_code_cache is off
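Review bot: `lua_check_client_abort on;` is added with no comment, although the ngx.on_abort registrations this same commit adds to the apicast policy depend on it: lua-nginx-module refuses the registration (nil plus an error) while the directive is off, and the new policy code then exits with 500, so a later cleanup that drops this line would fail every request. A comment on the directive would protect it: `# Required by the ngx.on_abort handlers in the apicast policy: lets nginx detect a client that closes or resets the connection early (CVE-2023-44487) so request processing can be aborted.` The directive is accepted at http, server and location level, so its placement in this file looks fine.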
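Review bot: The six-line on_abort registration added at the top of `rewrite` is pasted verbatim into `access` and `content` in the next two hunks, with no comment saying why one registration per request is not enough; extracting it into a local helper keeps the three copies from drifting and gives that explanation a home. The reason appears to be that lua-nginx-module drops the callback when it resets the request context at the start of each phase handler, which is worth confirming against the bundled OpenResty version and stating in the helper's comment. Two smaller points: `ngx.log(ngx.INFO, "registering on abort")` now fires three times per request, which is DEBUG-level noise in production logs, and exiting with 500 when registration fails turns a missing `lua_check_client_abort on` in a custom nginx config into a full outage, so if that fail-closed behaviour is intended (the CVE-2023-44487 mitigation can then never be silently disabled) the comment should say so. The body of `rewrite` continues below the hunk, and `access` and `content` would call the same helper.
```lua
--- Register the client-abort handler for the phase that is running.
-- Seems to be needed in every phase (rewrite, access, content) because the
-- request context is reset between them — TODO confirm for the bundled
-- lua-nginx-module. Aborts the request with 500 when the callback cannot be
-- registered (e.g. lua_check_client_abort is off), so abort handling is never
-- silently disabled.
local function register_on_abort()
  ngx.log(ngx.DEBUG, "registering on abort")
  local ok, err = ngx.on_abort(_M.cleanup)
  if not ok then
    ngx.log(ngx.ERR, "failed to register the on_abort callback: ", err)
    ngx.exit(500)
  end
end

function _M:rewrite(context)
  register_on_abort()
  -- … unchanged: configuration loading …
```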
@@ -87,6 +93,13 @@ function _M:post_action(context)
 end
 
 function _M:access(context)
+  ngx.log(ngx.INFO, "registering on abort")
+  local ok, err = ngx.on_abort(self.cleanup)
+  if not ok then
+    ngx.log(ngx.ERR, "failed to register the on_abort callback: ", err)
+    ngx.exit(500)
+  end
+
   if context.skip_apicast_access then return end
 
   -- Flag to run post_action() only when access() was executed.
@@ -108,6 +121,13 @@ function _M:access(context)
 end
 
 function _M:content(context)
+  ngx.log(ngx.INFO, "registering on abort")
+  local ok, err = ngx.on_abort(self.cleanup)
+  if not ok then
+    ngx.log(ngx.ERR, "failed to register the on_abort callback: ", err)
+    ngx.exit(500)
+  end
+
   if not context[self].upstream then
     ngx.log(ngx.WARN, "Upstream server not found for this request")
     return errors.upstream_not_found(context.service)