Backport server: Don't follow redirects when checking peer urls.

It's possible that etcd server may run into SSRF situation when adding a new member. If users provide a malicious peer URL, the existing etcd members may be redirected to other unexpected internal URL when getting the new member's version. Signed-off-by: James Blair <mail@jamesblair.net>
2024-09-27 06:25:44 +00:00 · 2023-11-27 21:48:50 +13:00 · 2023-11-27 21:48:50 +13:00 · 9e21048c4b
commit 9e21048c4b
parent 0e64a6d40e
1 changed files with 3 additions and 0 deletions
--- a/server/etcdserver/cluster_util.go
+++ b/server/etcdserver/cluster_util.go
@ -275,6 +275,9 @@ func isCompatibleWithVers(lg *zap.Logger, vers map[string]*version.Versions, loc
 func getVersion(lg *zap.Logger, m *membership.Member, rt http.RoundTripper) (*version.Versions, error) {
 	cc := &http.Client{
 		Transport: rt,
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			return http.ErrUseLastResponse
+		},
 	}
 	var (
 		err  error