Description
Add validation for the following cases:
The path currently only needs to start with some specific words; apart from that it is arbitrary. This could be tightened to only accept words and characters that are actually used by the Kubernetes API. For example, we can currently supply two double-percent-encoded dots:
/api/%252e%252e/some_other_path
The request method can currently be TRACE (which is not used at all by the Kubernetes API), or OPTIONS and HEAD (which are only used when the path contains proxy).
The request can currently contain additional entries for e.g. the Forwarded and X-Forwarded-For headers. These are then merged into the outgoing request and could obfuscate the true origin of the request.
Expected result
Malicious requests should be rejected with a 400 response code.
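The three checks above, as an added Go example (not the project's own code): a net/http middleware that decodes the path exactly once and refuses any double percent-encoding, accepts only the path prefixes and segment characters a Kubernetes API proxy needs, rejects TRACE outright and OPTIONS/HEAD outside proxy subresource paths, and answers 400 when a client supplies Forwarded or X-Forwarded-For. The /api and /apis prefixes, the allowed segment character set, the decision to reject (rather than strip) the origin headers, and the names Validate, ValidateRequest and StatusFor are assumptions made for this example.

```go
package main

// Added example (not the project's own code): request validation for a Kubernetes
// API proxy covering the three cases in the issue. The /api and /apis prefixes,
// the segment character set and the rejected header list are assumptions.
import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// ValidationError says why a request was rejected; the caller answers 400.
type ValidationError string

func (e ValidationError) Error() string { return string(e) }

// Client-supplied origin headers that must not be merged into the outgoing request.
var rejectedHeaders = []string{"Forwarded", "X-Forwarded-For"}

// segmentOK allows the characters seen in Kubernetes API paths (assumed set)
// and rejects empty and dot-only segments such as "." and "..".
func segmentOK(seg string) bool {
	if strings.Trim(seg, ".") == "" {
		return false
	}
	for _, r := range seg {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9',
			r == '-', r == '_', r == '.', r == '~', r == ':':
		default:
			return false
		}
	}
	return true
}

// pathSegments decodes the path exactly once; a "%" surviving that decode is
// double encoding (e.g. %252e%252e), which the Kubernetes API never uses.
func pathSegments(escapedPath string) ([]string, error) {
	decoded, err := url.PathUnescape(escapedPath)
	if err != nil || strings.Contains(decoded, "%") {
		return nil, ValidationError("malformed or double percent-encoding in path")
	}
	if !strings.HasPrefix(decoded, "/api/") && !strings.HasPrefix(decoded, "/apis/") {
		return nil, ValidationError("path must start with /api/ or /apis/")
	}
	segs := strings.Split(strings.Trim(decoded, "/"), "/")
	for _, s := range segs {
		if !segmentOK(s) {
			return nil, ValidationError(fmt.Sprintf("path segment %q is not allowed", s))
		}
	}
	return segs, nil
}

// methodOK: TRACE is never used by the Kubernetes API; OPTIONS and HEAD only
// occur on proxy subresource paths, i.e. when a "proxy" segment is present.
func methodOK(method string, segs []string) bool {
	switch method {
	case "GET", "POST", "PUT", "PATCH", "DELETE":
		return true
	case "OPTIONS", "HEAD":
		for _, s := range segs {
			if s == "proxy" {
				return true
			}
		}
	}
	return false
}

// ValidateRequest returns nil for an acceptable request, else a ValidationError.
// EscapedPath() is checked because r.URL.Path has already been decoded once.
func ValidateRequest(r *http.Request) error {
	segs, err := pathSegments(r.URL.EscapedPath())
	if err != nil {
		return err
	}
	if !methodOK(r.Method, segs) {
		return ValidationError("method " + r.Method + " is not allowed for this path")
	}
	for _, name := range rejectedHeaders {
		if len(r.Header.Values(name)) > 0 {
			return ValidationError("client-supplied " + name + " header is rejected")
		}
	}
	return nil
}

// Validate wraps the proxy handler: rejected requests get 400 and never reach it.
func Validate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := ValidateRequest(r); err != nil {
			http.Error(w, "bad request: "+err.Error(), http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// StatusFor sends an in-memory request through Validate and returns the status
// code, so the policy can be exercised without a network or a real backend.
func StatusFor(method, target string, headers map[string]string) int {
	req := httptest.NewRequest(method, target, nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	backend := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	Validate(backend).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	cases := [][2]string{{"GET", "/api/v1/namespaces/default/pods"},
		{"GET", "/api/%252e%252e/some_other_path"}, {"TRACE", "/api/v1/namespaces"}}
	for _, c := range cases {
		fmt.Printf("%-5s %-40s -> %d\n", c[0], c[1], StatusFor(c[0], c[1], nil))
	}
}
```

In a real deployment Validate would sit in front of the reverse-proxy handler. Two design points: the path check works on EscapedPath() rather than r.URL.Path because net/http has already decoded the path once, so the double-encoded dots from the issue are only visible in the escaped form; and the origin headers are rejected with 400 to match the expected result, although stripping them before forwarding is the other reasonable policy.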