diff --git a/CHANGES.md b/CHANGES.md
index 3dbd8749..146703e6 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,3 +1,7 @@
+## 2022.9.0
+### New Features
+- cloudflared now rejects ingress rules with invalid http status codes for http_status.
+
 ## 2022.8.1
 ### New Features
 - cloudflared now remembers if it connected to a certain protocol successfully. If it did, it does not fall back to a lower
diff --git a/ingress/ingress.go b/ingress/ingress.go
index 05a90a8b..b15eced3 100644
--- a/ingress/ingress.go
+++ b/ingress/ingress.go
@@ -182,11 +182,14 @@ func validateIngress(ingress []config.UnvalidatedIngressRule, defaults OriginReq
 path := strings.TrimPrefix(r.Service, prefix)
 service = &unixSocketPath{path: path, scheme: "https"}
 } else if prefix := "http_status:"; strings.HasPrefix(r.Service, prefix) {
- status, err := strconv.Atoi(strings.TrimPrefix(r.Service, prefix))
+ statusCode, err := strconv.Atoi(strings.TrimPrefix(r.Service, prefix))
 if err != nil {
- return Ingress{}, errors.Wrap(err, "invalid HTTP status")
+ return Ingress{}, errors.Wrap(err, "invalid HTTP status code")
 }
- srv := newStatusCode(status)
+ if statusCode < 100 || statusCode > 999 {
+ return Ingress{}, fmt.Errorf("invalid HTTP status code: %d", statusCode)
+ }
+ srv := newStatusCode(statusCode)
 service = &srv
 } else if r.Service == HelloWorldService || r.Service == "hello-world" || r.Service == "helloworld" {
 service = new(helloWorld)
diff --git a/ingress/ingress_test.go b/ingress/ingress_test.go
index 1ff5e11c..2f1c2850 100644
--- a/ingress/ingress_test.go
+++ b/ingress/ingress_test.go
@@ -208,6 +208,14 @@ ingress:
 args: args{rawYAML: `
 ingress:
 - service: http_status:asdf
+`},
+ wantErr: true,
+ },
+ {
+ name: "Invalid HTTP status code",
+ args: args{rawYAML: `
+ingress:
+ - service: http_status:8080
 `},
 wantErr: true,
 },
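Review bot: In ingress/ingress.go the new guard `if statusCode < 100 || statusCode > 999` still admits the informational 1xx codes, which are interim responses and cannot act as the final answer of an `http_status:` rule. If the bound is only meant to match what Go's net/http will accept when the header is written (it panics on codes outside 100-999, which would turn a config typo into a per-request failure), the line deserves a comment saying so, e.g. `// net/http panics on status codes outside 100-999; reject them at config load instead`. Otherwise the lower bound could be tightened to `statusCode < 200`. validateIngress starts and ends outside this hunk, so how the status service actually writes the response is not visible here.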
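Review bot: The added table entry in ingress/ingress_test.go exercises only `http_status:8080`, so neither edge of the new 100-999 check is pinned and an off-by-one in the comparison would go unnoticed. Cases for `http_status:99`, `http_status:1000` and a negative value such as `http_status:-1` with `wantErr: true`, plus `http_status:100` and `http_status:999` as accepted rules, would cover it. The test function and its table begin outside this hunk, so the shape of an accepting case has to follow the existing entries.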