cloudfoundry / cloud_controller_ng

Cloud Foundry Cloud Controller
Apache License 2.0

Do not allow ASGs with leading zeros #3829

Closed jrussett closed 1 month ago

jrussett commented 1 month ago

A short explanation of the proposed change:

This change adds validation logic to prevent the creation of ASGs with leading zeros in addresses. e.g.

The motivation for this change in behavior is to prevent malformed IPs from making their way into the CC database to begin with. We only want to accept valid addresses in ASG destinations going forward.

An explanation of the use cases your change solves

Cloud controller blindly stores the ASG destinations in the database and then passes the value off to downstream clients. Not all downstream clients have the same IP parsing functionality that Ruby does, therefore jobs like vxlan-policy-agent in silk can stop working when a destination with leading zeros is bound via cf bind-security-group; when these problems happen, they tend to take down the Diego cell too by preventing routing to all running containers.

Links to any other associated PRs, etc...


ameowlia commented 1 month ago

Adding acceptance steps here

  1. Save this asg to a file called asg.json
     [
       {
         "protocol": "tcp",
         "destination": "010.0.0.53",
         "ports": "443"
       },
       {
         "protocol": "tcp",
         "destination": "10.000.0.53",
         "ports": "443"
       },
       {
         "protocol": "tcp",
         "destination": "10.0.000.53",
         "ports": "443"
       },
       {
         "protocol": "tcp",
         "destination": "10.0.0.053",
         "ports": "443"
       },
       {
         "protocol": "tcp",
         "destination": "010.000.000.053",
         "ports": "443"
       }
     ]
  2. Run cf create-security-group asg asg.json
  3. See the following failure.
    Rules[0]: destination octets cannot contain leading zeros, Rules[1]: destination octets cannot contain leading zeros, Rules[2]: destination octets cannot contain leading zeros, Rules[3]: destination octets cannot contain leading zeros, Rules[4]: destination octets cannot contain leading zeros
    FAILED
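The motivation in the PR description and the acceptance steps above both come down to one check: every IPv4 octet in an ASG destination must be free of leading zeros before the rule reaches the database. The following is an added example written for this page, not cloud_controller_ng's own validator; the module and method names, the handling of CIDR and dashed-range destinations, and the exact reason strings are assumptions modelled on the "Rules[i]: destination octets cannot contain leading zeros" output quoted in the acceptance steps. It also includes a small octal-tolerant parse, in the style of the BSD inet_aton convention, to show why the same string can mean two different addresses to two consumers; that is an illustration, not a claim about how silk or vxlan-policy-agent parse addresses.

```ruby
require "json"

# Added example (not cloud_controller_ng code): reject ASG rule
# destinations whose IPv4 octets carry leading zeros. Destinations may
# be a single address, a CIDR block, or a dashed range. Method names
# and reason strings are assumptions modelled on the CLI output above.
module AsgLeadingZeroCheck
  # Returns nil when +ip+ is a dotted quad with no leading zeros,
  # otherwise a short reason string.
  def self.ipv4_problem(ip)
    octets = ip.split(".", -1)
    return "not a dotted quad" unless octets.length == 4
    # "0" alone is fine; "00", "010", "053" are not.
    return "octets cannot contain leading zeros" if octets.any? { |o| o =~ /\A0\d/ }
    return "octets must be decimal numbers" unless octets.all? { |o| o =~ /\A\d{1,3}\z/ }
    return "octet out of range" unless octets.all? { |o| o.to_i.between?(0, 255) }
    nil
  end

  # Accepts "1.2.3.4", "1.2.3.0/24" and "1.2.3.4-1.2.3.9"; every address
  # component inside the destination gets the same octet check.
  def self.destination_problem(dest)
    case dest
    when %r{\A([^/]+)/(\d{1,2})\z}
      prefix = Regexp.last_match(2).to_i
      return "prefix length out of range" unless prefix.between?(0, 32)
      ipv4_problem(Regexp.last_match(1))
    when /\A([^-]+)-([^-]+)\z/
      ipv4_problem(Regexp.last_match(1)) || ipv4_problem(Regexp.last_match(2))
    else
      ipv4_problem(dest)
    end
  end

  # Mirrors the "Rules[i]: destination ..." shape of the CLI error in the
  # acceptance steps; returns [] when every rule is acceptable.
  def self.validate_rules(rules)
    rules.each_with_index.filter_map do |rule, i|
      problem = destination_problem(rule["destination"].to_s)
      "Rules[#{i}]: destination #{problem}" if problem
    end
  end

  # Why the check matters: a parser following the BSD inet_aton
  # convention reads an octet with a leading zero as octal, so
  # "010.0.0.53" becomes 8.0.0.53 while Ruby's String#to_i gives 10.
  # Demonstration only; not silk's or vxlan-policy-agent's parser.
  def self.inet_aton_style(ip)
    ip.split(".").map { |o| o.length > 1 && o.start_with?("0") ? o.to_i(8) : o.to_i }.join(".")
  end
end

# Constructed sample: two of the destinations from asg.json above, one
# valid CIDR rule, and a dashed range whose upper bound has a leading zero.
SAMPLE_RULES = JSON.parse(<<~JSON)
  [
    {"protocol": "tcp", "destination": "010.0.0.53",         "ports": "443"},
    {"protocol": "tcp", "destination": "10.0.0.0/24",        "ports": "443"},
    {"protocol": "tcp", "destination": "10.0.0.053",         "ports": "443"},
    {"protocol": "tcp", "destination": "10.0.0.1-10.0.0.09", "ports": "443"}
  ]
JSON

if __FILE__ == $PROGRAM_NAME
  puts AsgLeadingZeroCheck.validate_rules(SAMPLE_RULES)
  puts "010.0.0.53 read as octal: #{AsgLeadingZeroCheck.inet_aton_style('010.0.0.53')}"
end
```

The check is deliberately stricter than "does Ruby parse it": it rejects the string before any IP library sees it, so a consumer that treats leading zeros as octal, or refuses them outright, never receives a destination it could read differently from the cloud controller.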