test: add an e2e test to reproduce https://nvd.nist.gov/vuln/detail/CVE-2021-28235

Signed-off-by: Benjamin Wang <wachao@vmware.com>
2024-09-27 06:25:44 +00:00 · 2023-04-06 21:57:23 +09:00 · 2023-04-06 21:57:23 +09:00 · 1f746597ea
commit 1f746597ea
parent 78a898a903
3 changed files with 61 additions and 0 deletions
--- a/tests/e2e/cluster_test.go
+++ b/tests/e2e/cluster_test.go
@ -131,6 +131,8 @@ type etcdProcessClusterConfig struct {

 	MaxConcurrentStreams       uint32 // default is math.MaxUint32
 	WatchProcessNotifyInterval time.Duration
+
+	debug bool
 }

 // newEtcdProcessCluster launches a new cluster from etcd processes, returning
@ -272,6 +274,10 @@ func (cfg *etcdProcessClusterConfig) etcdServerProcessConfigs() []*etcdServerPro
 			args = append(args, "--experimental-watch-progress-notify-interval", cfg.WatchProcessNotifyInterval.String())
 		}

+		if cfg.debug {
+			args = append(args, "--debug")
+		}
+
 		etcdCfgs[i] = &etcdServerProcessConfig{
 			execPath:      cfg.execPath,
 			args:          args,
--- a/tests/e2e/ctl_v3_auth_security_test.go
+++ b/tests/e2e/ctl_v3_auth_security_test.go
@ -0,0 +1,49 @@
+// Copyright 2023 The etcd Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build !cluster_proxy
+
+package e2e
+
+import (
+	"github.com/stretchr/testify/require"
+	"testing"
+)
+
+// TestAuth_CVE_2021_28235 verifies https://nvd.nist.gov/vuln/detail/CVE-2021-28235
+func TestAuth_CVE_2021_28235(t *testing.T) {
+	testCtl(t, authTest_CVE_2021_28235, withCfg(configNoTLS), withDebug(true))
+}
+
+func authTest_CVE_2021_28235(cx ctlCtx) {
+	// create root user with root role
+	rootPass := "changeme123"
+	err := ctlV3User(cx, []string{"add", "root", "--interactive=false"}, "User root created", []string{rootPass})
+	require.NoError(cx.t, err)
+	err = ctlV3User(cx, []string{"grant-role", "root", "root"}, "Role root is granted to user root", nil)
+	require.NoError(cx.t, err)
+	err = ctlV3AuthEnable(cx)
+	require.NoError(cx.t, err)
+
+	// issue a put request
+	cx.user, cx.pass = "root", rootPass
+	err = ctlV3Put(cx, "foo", "bar", "")
+	require.NoError(cx.t, err)
+
+	// GET /debug/requests
+	httpEndpoint := cx.epc.procs[0].EndpointsHTTP()[0]
+	req := cURLReq{endpoint: "/debug/requests?fam=grpc.Recv.Auth&b=0&exp=1", timeout: 5}
+	err = curl(httpEndpoint, "GET", req, clientNonTLS, rootPass)
+	require.Error(cx.t, err)
+}
--- a/tests/e2e/ctl_v3_test.go
+++ b/tests/e2e/ctl_v3_test.go
@ -143,6 +143,12 @@ func withMaxConcurrentStreams(streams uint32) ctlOption {
 	}
 }

+func withDebug(debug bool) ctlOption {
+	return func(cx *ctlCtx) {
+		cx.cfg.debug = debug
+	}
+}
+
 func getDefaultCtlCtx(t *testing.T) ctlCtx {
 	return ctlCtx{
 		t:           t,