Don't follow redirects when checking peer urls.

It's possible that etcd server may run into SSRF situation when adding a new member. If users provide a malicious peer URL, the existing etcd members may be redirected to other unexpected internal URL when getting the new member's version. Signed-off-by: James Blair <mail@jamesblair.net>
2024-09-27 06:25:44 +00:00 · 2023-11-21 10:25:20 +13:00 · 2023-11-21 10:25:20 +13:00 · 3b37afec7b
commit 3b37afec7b
parent a9cf27b169
1 changed files with 3 additions and 0 deletions
--- a/server/etcdserver/cluster_util.go
+++ b/server/etcdserver/cluster_util.go
@ -240,6 +240,9 @@ func getVersion(lg *zap.Logger, m *membership.Member, rt http.RoundTripper, time
 	cc := &http.Client{
 		Transport: rt,
 		Timeout:   timeout,
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			return http.ErrUseLastResponse
+		},
 	}
 	var (
 		err  error