Merge pull request #2344 from aledbf/xss-base-tag

Escape variables in add-base-url annotation

internal/ingress/controller/template/template.go

@@ -418,25 +418,29 @@ func buildProxyPass(host string, b interface{}, loc interface{}, dynamicConfigur
 	}
 
 	if len(location.Rewrite.Target) > 0 {
-		abu := ""
+		var abu string
+		var xForwardedPrefix string
+
 		if location.Rewrite.AddBaseURL {
 			// path has a slash suffix, so that it can be connected with baseuri directly
-			bPath := fmt.Sprintf("%s%s", path, "$baseuri")
+			bPath := fmt.Sprintf("%s$escaped_base_uri", path)
 			regex := `(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)`
+			scheme := "$scheme"
+
 			if len(location.Rewrite.BaseURLScheme) > 0 {
-				abu = fmt.Sprintf(`subs_filter '%v' '$1<base href="%v://$http_host%v">' ro;
-	    `, regex, location.Rewrite.BaseURLScheme, bPath)
-			} else {
-				abu = fmt.Sprintf(`subs_filter '%v' '$1<base href="$scheme://$http_host%v">' ro;
-	    `, regex, bPath)
-			}
+				scheme = location.Rewrite.BaseURLScheme
 			}
 
-		xForwardedPrefix := ""
-		if location.XForwardedPrefix {
-			xForwardedPrefix = fmt.Sprintf(`proxy_set_header X-Forwarded-Prefix "%s";
-	    `, path)
+			abu = fmt.Sprintf(`
+set_escape_uri $escaped_base_uri $baseuri;
+subs_filter '%v' '$1<base href="%v://$http_host%v">' ro;
+`, regex, scheme, bPath)
 		}
+
+		if location.XForwardedPrefix {
+			xForwardedPrefix = fmt.Sprintf("proxy_set_header X-Forwarded-Prefix \"%s\";\n", path)
+		}
+
 		if location.Rewrite.Target == slash {
 			// special case redirect to /
 			// ie /something to /

internal/ingress/controller/template/template_test.go

@@ -181,7 +181,9 @@ var (
 			`
 rewrite /(.*) /jenkins/$1 break;
 proxy_pass http://upstream-name;
-	    subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/$baseuri">' ro;
+
+set_escape_uri $escaped_base_uri $baseuri;
+subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/$escaped_base_uri">' ro;
 `,
 			true,
 			"",
@@ -197,7 +199,9 @@ var (
 rewrite /something/(.*) /$1 break;
 rewrite /something / break;
 proxy_pass http://upstream-name;
-	    subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/something/$baseuri">' ro;
+
+set_escape_uri $escaped_base_uri $baseuri;
+subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/something/$escaped_base_uri">' ro;
 `,
 			true,
 			"",
@@ -212,7 +216,9 @@ var (
 			`
 rewrite /end-with-slash/(.*) /not-root/$1 break;
 proxy_pass http://upstream-name;
-	    subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/end-with-slash/$baseuri">' ro;
+
+set_escape_uri $escaped_base_uri $baseuri;
+subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/end-with-slash/$escaped_base_uri">' ro;
 `,
 			true,
 			"",
@@ -227,7 +233,9 @@ var (
 			`
 rewrite /something-complex/(.*) /not-root/$1 break;
 proxy_pass http://upstream-name;
-	    subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/something-complex/$baseuri">' ro;
+
+set_escape_uri $escaped_base_uri $baseuri;
+subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/something-complex/$escaped_base_uri">' ro;
 `,
 			true,
 			"",
@@ -243,7 +251,9 @@ var (
 rewrite /something/(.*) /$1 break;
 rewrite /something / break;
 proxy_pass http://upstream-name;
-	    subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="http://$http_host/something/$baseuri">' ro;
+
+set_escape_uri $escaped_base_uri $baseuri;
+subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="http://$http_host/something/$escaped_base_uri">' ro;
 `,
 			true,
 			"http",