From c0fe5774d55e107aae1b8e0f74e92196608308f7 Mon Sep 17 00:00:00 2001
From: Pim van Nierop
Date: Wed, 29 May 2024 14:25:59 +0200
Subject: [PATCH] Add path rewrite to radar_gateway

Nginx decodes the uri before passing it to the backend server. This is dangerous because it can allow for XSS attacks. Grizzly servers have a bug where they send the decoded uri as part of error messages (see https://github.com/Graylog2/graylog2-server/issues/3171). To prevent this, we need to re-encode the uri ($request_uri is the original encoded request) before passing it to the Grizzly server.
---
 charts/radar-gateway/Chart.yaml | 2 +-
 charts/radar-gateway/README.md | 2 +-
 charts/radar-gateway/values.yaml | 2 ++
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/charts/radar-gateway/Chart.yaml b/charts/radar-gateway/Chart.yaml
index 219bf208..bf259008 100644
--- a/charts/radar-gateway/Chart.yaml
+++ b/charts/radar-gateway/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: "0.7.1"
 description: A Helm chart for RADAR-base gateway. REST Gateway to Kafka, for incoming participant data. It performs authentication, authorization, content validation and decompression. For more details of the configurations, see https://github.com/RADAR-base/RADAR-Gateway/blob/master/gateway.yml.
 name: radar-gateway
-version: 1.1.3
+version: 1.1.4
 icon: "http://radar-base.org/wp-content/uploads/2022/09/Logo_RADAR-Base-RGB.png"
 sources:
 - https://github.com/RADAR-base/radar-helm-charts/tree/main/charts/radar-gateway
diff --git a/charts/radar-gateway/README.md b/charts/radar-gateway/README.md
index ae4ec14b..73d7836d 100644
--- a/charts/radar-gateway/README.md
+++ b/charts/radar-gateway/README.md
@@ -3,7 +3,7 @@ # radar-gateway
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/radar-gateway)](https://artifacthub.io/packages/helm/radar-base/radar-gateway)
-![Version: 1.1.3](https://img.shields.io/badge/Version-1.1.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.1](https://img.shields.io/badge/AppVersion-0.7.1-informational?style=flat-square)
+![Version: 1.1.4](https://img.shields.io/badge/Version-1.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.1](https://img.shields.io/badge/AppVersion-0.7.1-informational?style=flat-square)
 A Helm chart for RADAR-base gateway. REST Gateway to Kafka, for incoming participant data. It performs authentication, authorization, content validation and decompression. For more details of the configurations, see https://github.com/RADAR-base/RADAR-Gateway/blob/master/gateway.yml.
diff --git a/charts/radar-gateway/values.yaml b/charts/radar-gateway/values.yaml
index aec108f3..ce5be25d 100644
--- a/charts/radar-gateway/values.yaml
+++ b/charts/radar-gateway/values.yaml
@@ -55,6 +55,8 @@ ingress:
 nginx.ingress.kubernetes.io/proxy-buffering: "off"
 nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
 nginx.ingress.kubernetes.io/proxy-request-buffering: "off"
+ # Prevents XSS attacks on Grizzly (see https://github.com/Graylog2/graylog2-server/issues/3171)
+ nginx.ingress.kubernetes.io/configuration-snippet: rewrite ^ $request_uri;
 # -- Path within the url structure
 path: "/kafka/?(.*)"
 # -- Ingress Path type
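Review bot: The `configuration-snippet` line added under `ingress.annotations` changes the URI the gateway receives, and whether it actually delivers the still-encoded path depends on things this hunk does not show, so it needs an end-to-end check rather than being taken on faith: `$request_uri` also carries the query string, so a request such as `/kafka/topics?x=1` may arrive with its arguments altered or duplicated (nginx appends the original arguments after a rewrite replacement unless the replacement ends in `?`), and when ingress-nginx proxies a rewritten `$uri` with its plain `proxy_pass` it may percent-escape it a second time, turning `%2F` into `%252F`; if a `rewrite-target` for `/kafka/?(.*)` is configured elsewhere in the chart, its ordering relative to this snippet also matters. Recent ingress-nginx releases ship with `allow-snippet-annotations` disabled by default, in which case the controller drops this annotation and the decoded URI keeps flowing to Grizzly, so the protection is conditional and the chart README should state that requirement. The added comment states the goal but not the mechanism; I would replace it with `# Re-send the original, still-encoded request line ($request_uri) instead of the decoded $uri: Grizzly reflects the decoded URI in error pages (XSS, see https://github.com/Graylog2/graylog2-server/issues/3171). Requires allow-snippet-annotations=true on the controller.`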