TUN-10513: Disable /debug/pprof/cmdline endpoint
+6
-1
@@ -5,7 +5,7 @@ import (
|
||||
"fmt"
|
||||
"net"
|
||||
"net/http"
|
||||
_ "net/http/pprof"
|
||||
_ "net/http/pprof" //nolint:gosec // G108: the sensitive /debug/pprof/cmdline endpoint is explicitly blocked in newMetricsHandler
|
||||
"runtime"
|
||||
"sync"
|
||||
"time"
|
||||
@@ -70,6 +70,11 @@ func newMetricsHandler(
|
||||
log *zerolog.Logger,
|
||||
) *http.ServeMux {
|
||||
router := http.NewServeMux()
|
||||
// Block /debug/pprof/cmdline to prevent leaking secret command-line arguments
|
||||
// (e.g. tunnel tokens) that are exposed via os.Args.
|
||||
router.HandleFunc("/debug/pprof/cmdline", func(w http.ResponseWriter, r *http.Request) {
|
||||
http.Error(w, "forbidden", http.StatusForbidden)
|
||||
})
|
||||
router.Handle("/debug/", http.DefaultServeMux)
|
||||
router.Handle("/metrics", promhttp.Handler())
|
||||
router.HandleFunc("/healthcheck", func(w http.ResponseWriter, r *http.Request) {
|
||||
|
||||
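Review bot: The 403 guard on the added `/debug/pprof/cmdline` route is a deny-list on one exact path, while the `router.Handle("/debug/", http.DefaultServeMux)` line directly below it still forwards every other `/debug/` path to the process-global default mux, so anything any imported package registers there (including future pprof endpoints) is exposed on the metrics listener without review. An allow-list is more robust and removes the need for the `nolint:gosec` justification in the import hunk: import `net/http/pprof` by name, register only the handlers this service needs on `router`, and drop the DefaultServeMux delegation, assuming nothing else is intentionally served through it (not visible from this hunk). If the delegation is kept, the block comment should state the coupling explicitly: `// Everything else under /debug/ is whatever the process-global DefaultServeMux has registered, so new registrations there are automatically exposed here.` newMetricsHandler's signature and the rest of its body are outside this hunk.
```go
router := http.NewServeMux()
// Allow-list the pprof endpoints instead of delegating all of /debug/ to the
// process-global DefaultServeMux; /debug/pprof/cmdline is deliberately absent
// because it echoes os.Args, which can carry tunnel tokens.
router.HandleFunc("/debug/pprof/", pprof.Index)
router.HandleFunc("/debug/pprof/profile", pprof.Profile)
router.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
router.HandleFunc("/debug/pprof/trace", pprof.Trace)
router.Handle("/metrics", promhttp.Handler())
// … unchanged: /healthcheck and remaining routes …
```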
@@ -0,0 +1,48 @@
|
||||
package metrics
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
|
||||
"github.com/google/uuid"
|
||||
"github.com/rs/zerolog"
|
||||
"github.com/stretchr/testify/assert"
|
||||
|
||||
"github.com/cloudflare/cloudflared/diagnostic"
|
||||
)
|
||||
|
||||
func testHandler(t *testing.T) *http.ServeMux {
|
||||
t.Helper()
|
||||
|
||||
log := zerolog.Nop()
|
||||
return newMetricsHandler(Config{
|
||||
DiagnosticHandler: diagnostic.NewDiagnosticHandler(
|
||||
&log, 0, nil, uuid.Nil, uuid.Nil, nil, map[string]string{}, nil,
|
||||
),
|
||||
}, &log)
|
||||
}
|
||||
|
||||
func TestPprofCmdlineEndpointIsBlocked(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
handler := testHandler(t)
|
||||
req := httptest.NewRequest(http.MethodGet, "/debug/pprof/cmdline", nil)
|
||||
w := httptest.NewRecorder()
|
||||
handler.ServeHTTP(w, req)
|
||||
|
||||
assert.Equal(t, http.StatusForbidden, w.Code)
|
||||
}
|
||||
|
||||
func TestOtherPprofEndpointsStillWork(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
handler := testHandler(t)
|
||||
|
||||
// /debug/pprof/ index should still be served by DefaultServeMux
|
||||
req := httptest.NewRequest(http.MethodGet, "/debug/pprof/", nil)
|
||||
w := httptest.NewRecorder()
|
||||
handler.ServeHTTP(w, req)
|
||||
|
||||
assert.Equal(t, http.StatusOK, w.Code)
|
||||
}
|
||||
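Review bot: `TestPprofCmdlineEndpointIsBlocked` sends a single GET to the exact path and asserts only the status code, but the guard exists to keep os.Args out of responses, so the test should also assert the body, e.g. `assert.NotContains(t, w.Body.String(), os.Args[0])`, and iterate over `http.MethodGet`, `http.MethodPost` and `http.MethodHead` so a later mux change that narrows matching is caught. `TestOtherPprofEndpointsStillWork` proves only that the index is reachable; adding a request for `/debug/pprof/heap`, which the pprof index handler serves as a named profile, would verify that the profiling endpoints the change is meant to preserve still respond with 200. Both tests exercise the process-global `http.DefaultServeMux`, so `t.Parallel()` is safe only while no other test in the package mutates it; a one-line comment on `testHandler` noting that dependency would help the next maintainer.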