Skip to content

fix(response-rewrite): do not empty body when base64 secret is invalid #13586

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
AlinsRan wants to merge 1 commit into
base: master
Choose a base branch
from
+65 −4
Open

fix(response-rewrite): do not empty body when base64 secret is invalid #13586

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 13 additions & 4 deletions apisix/plugins/response-rewrite.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -294,12 +294,21 @@ function _M.body_filter(conf, ctx)
end

if conf.body then
ngx.arg[2] = true
local body = conf.body
if conf.body_base64 then
ngx.arg[1] = ngx.decode_base64(conf.body)
else
ngx.arg[1] = conf.body
body = ngx.decode_base64(conf.body)
if not body then
-- conf.body may be a resolved secret reference whose value is
-- not valid base64; the config-time check is skipped for secret
-- references, so guard here instead of silently emptying the body.
core.log.error("response-rewrite: body is configured with ",
"body_base64 = true but its value is not valid ",
"base64; leaving the response body unchanged")
return
end
end
ngx.arg[2] = true
ngx.arg[1] = body
end
end

Expand Down
52 changes: 52 additions & 0 deletions t/secret/central-secret-refs.t
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ BEGIN {
$ENV{TEST_HOST} = "test.example.com";
$ENV{TEST_URI} = "/hello";
$ENV{TEST_HEADER_VALUE} = "from-env";
$ENV{TEST_NOT_BASE64} = "@@@ not valid base64 @@@";
}

use t::APISIX 'no_plan';
Expand Down Expand Up @@ -374,3 +375,54 @@ openid-connect has required field client_secret that must be a string.
}
--- response_body
success



=== TEST 13: response-rewrite body_base64 with a secret-ref resolving to non-base64
The config-time base64 check is skipped for secret references, so this only
fails at runtime; the response body must be left unchanged rather than emptied.
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"uri": "/rr-b64-secret",
"plugins": {
"proxy-rewrite": {
"uri": "/hello"
},
"response-rewrite": {
"body": "$env://TEST_NOT_BASE64",
"body_base64": true
}
},
"upstream": {
"type": "roundrobin",
"nodes": {
"127.0.0.1:1980": 1
}
}
}]]
)

if code >= 300 then
ngx.status = code
return ngx.say(body)
end
ngx.say("success")
}
}
--- response_body
success



=== TEST 14: invalid base64 secret leaves the upstream body unchanged and logs an error
--- request
GET /rr-b64-secret
--- response_body
hello world
--- error_log
its value is not valid base64
Loading