Add config option to disable HTTP printable char path check

Paul Banks 2018-07-25 15:52:37 +01:00
parent b3771e2e6c
commit d6c16dd0ad
No known key found for this signature in database
GPG key ID: C25A851A849B8221
7 changed files with 216 additions and 171 deletions


@ -690,6 +690,7 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) {
DisableAnonymousSignature: b.boolVal(c.DisableAnonymousSignature), DisableAnonymousSignature: b.boolVal(c.DisableAnonymousSignature),
DisableCoordinates: b.boolVal(c.DisableCoordinates), DisableCoordinates: b.boolVal(c.DisableCoordinates),
DisableHostNodeID: b.boolVal(c.DisableHostNodeID), DisableHostNodeID: b.boolVal(c.DisableHostNodeID),
DisableHTTPUnprintableCharFilter: b.boolVal(c.DisableHTTPUnprintableCharFilter),
DisableKeyringFile: b.boolVal(c.DisableKeyringFile), DisableKeyringFile: b.boolVal(c.DisableKeyringFile),
DisableRemoteExec: b.boolVal(c.DisableRemoteExec), DisableRemoteExec: b.boolVal(c.DisableRemoteExec),
DisableUpdateCheck: b.boolVal(c.DisableUpdateCheck), DisableUpdateCheck: b.boolVal(c.DisableUpdateCheck),


@ -136,106 +136,107 @@ func Parse(data string, format string) (c Config, err error) {
// configuration it should be treated as an external API which cannot be // configuration it should be treated as an external API which cannot be
// changed and refactored at will since this will break existing setups. // changed and refactored at will since this will break existing setups.
type Config struct { type Config struct {
ACLAgentMasterToken *string `json:"acl_agent_master_token,omitempty" hcl:"acl_agent_master_token" mapstructure:"acl_agent_master_token"` ACLAgentMasterToken *string `json:"acl_agent_master_token,omitempty" hcl:"acl_agent_master_token" mapstructure:"acl_agent_master_token"`
ACLAgentToken *string `json:"acl_agent_token,omitempty" hcl:"acl_agent_token" mapstructure:"acl_agent_token"` ACLAgentToken *string `json:"acl_agent_token,omitempty" hcl:"acl_agent_token" mapstructure:"acl_agent_token"`
ACLDatacenter *string `json:"acl_datacenter,omitempty" hcl:"acl_datacenter" mapstructure:"acl_datacenter"` ACLDatacenter *string `json:"acl_datacenter,omitempty" hcl:"acl_datacenter" mapstructure:"acl_datacenter"`
ACLDefaultPolicy *string `json:"acl_default_policy,omitempty" hcl:"acl_default_policy" mapstructure:"acl_default_policy"` ACLDefaultPolicy *string `json:"acl_default_policy,omitempty" hcl:"acl_default_policy" mapstructure:"acl_default_policy"`
ACLDownPolicy *string `json:"acl_down_policy,omitempty" hcl:"acl_down_policy" mapstructure:"acl_down_policy"` ACLDownPolicy *string `json:"acl_down_policy,omitempty" hcl:"acl_down_policy" mapstructure:"acl_down_policy"`
ACLEnableKeyListPolicy *bool `json:"acl_enable_key_list_policy,omitempty" hcl:"acl_enable_key_list_policy" mapstructure:"acl_enable_key_list_policy"` ACLEnableKeyListPolicy *bool `json:"acl_enable_key_list_policy,omitempty" hcl:"acl_enable_key_list_policy" mapstructure:"acl_enable_key_list_policy"`
ACLEnforceVersion8 *bool `json:"acl_enforce_version_8,omitempty" hcl:"acl_enforce_version_8" mapstructure:"acl_enforce_version_8"` ACLEnforceVersion8 *bool `json:"acl_enforce_version_8,omitempty" hcl:"acl_enforce_version_8" mapstructure:"acl_enforce_version_8"`
ACLMasterToken *string `json:"acl_master_token,omitempty" hcl:"acl_master_token" mapstructure:"acl_master_token"` ACLMasterToken *string `json:"acl_master_token,omitempty" hcl:"acl_master_token" mapstructure:"acl_master_token"`
ACLReplicationToken *string `json:"acl_replication_token,omitempty" hcl:"acl_replication_token" mapstructure:"acl_replication_token"` ACLReplicationToken *string `json:"acl_replication_token,omitempty" hcl:"acl_replication_token" mapstructure:"acl_replication_token"`
ACLTTL *string `json:"acl_ttl,omitempty" hcl:"acl_ttl" mapstructure:"acl_ttl"` ACLTTL *string `json:"acl_ttl,omitempty" hcl:"acl_ttl" mapstructure:"acl_ttl"`
ACLToken *string `json:"acl_token,omitempty" hcl:"acl_token" mapstructure:"acl_token"` ACLToken *string `json:"acl_token,omitempty" hcl:"acl_token" mapstructure:"acl_token"`
Addresses Addresses `json:"addresses,omitempty" hcl:"addresses" mapstructure:"addresses"` Addresses Addresses `json:"addresses,omitempty" hcl:"addresses" mapstructure:"addresses"`
AdvertiseAddrLAN *string `json:"advertise_addr,omitempty" hcl:"advertise_addr" mapstructure:"advertise_addr"` AdvertiseAddrLAN *string `json:"advertise_addr,omitempty" hcl:"advertise_addr" mapstructure:"advertise_addr"`
AdvertiseAddrWAN *string `json:"advertise_addr_wan,omitempty" hcl:"advertise_addr_wan" mapstructure:"advertise_addr_wan"` AdvertiseAddrWAN *string `json:"advertise_addr_wan,omitempty" hcl:"advertise_addr_wan" mapstructure:"advertise_addr_wan"`
Autopilot Autopilot `json:"autopilot,omitempty" hcl:"autopilot" mapstructure:"autopilot"` Autopilot Autopilot `json:"autopilot,omitempty" hcl:"autopilot" mapstructure:"autopilot"`
BindAddr *string `json:"bind_addr,omitempty" hcl:"bind_addr" mapstructure:"bind_addr"` BindAddr *string `json:"bind_addr,omitempty" hcl:"bind_addr" mapstructure:"bind_addr"`
Bootstrap *bool `json:"bootstrap,omitempty" hcl:"bootstrap" mapstructure:"bootstrap"` Bootstrap *bool `json:"bootstrap,omitempty" hcl:"bootstrap" mapstructure:"bootstrap"`
BootstrapExpect *int `json:"bootstrap_expect,omitempty" hcl:"bootstrap_expect" mapstructure:"bootstrap_expect"` BootstrapExpect *int `json:"bootstrap_expect,omitempty" hcl:"bootstrap_expect" mapstructure:"bootstrap_expect"`
CAFile *string `json:"ca_file,omitempty" hcl:"ca_file" mapstructure:"ca_file"` CAFile *string `json:"ca_file,omitempty" hcl:"ca_file" mapstructure:"ca_file"`
CAPath *string `json:"ca_path,omitempty" hcl:"ca_path" mapstructure:"ca_path"` CAPath *string `json:"ca_path,omitempty" hcl:"ca_path" mapstructure:"ca_path"`
CertFile *string `json:"cert_file,omitempty" hcl:"cert_file" mapstructure:"cert_file"` CertFile *string `json:"cert_file,omitempty" hcl:"cert_file" mapstructure:"cert_file"`
Check *CheckDefinition `json:"check,omitempty" hcl:"check" mapstructure:"check"` // needs to be a pointer to avoid partial merges Check *CheckDefinition `json:"check,omitempty" hcl:"check" mapstructure:"check"` // needs to be a pointer to avoid partial merges
CheckUpdateInterval *string `json:"check_update_interval,omitempty" hcl:"check_update_interval" mapstructure:"check_update_interval"` CheckUpdateInterval *string `json:"check_update_interval,omitempty" hcl:"check_update_interval" mapstructure:"check_update_interval"`
Checks []CheckDefinition `json:"checks,omitempty" hcl:"checks" mapstructure:"checks"` Checks []CheckDefinition `json:"checks,omitempty" hcl:"checks" mapstructure:"checks"`
ClientAddr *string `json:"client_addr,omitempty" hcl:"client_addr" mapstructure:"client_addr"` ClientAddr *string `json:"client_addr,omitempty" hcl:"client_addr" mapstructure:"client_addr"`
Connect Connect `json:"connect,omitempty" hcl:"connect" mapstructure:"connect"` Connect Connect `json:"connect,omitempty" hcl:"connect" mapstructure:"connect"`
DNS DNS `json:"dns_config,omitempty" hcl:"dns_config" mapstructure:"dns_config"` DNS DNS `json:"dns_config,omitempty" hcl:"dns_config" mapstructure:"dns_config"`
DNSDomain *string `json:"domain,omitempty" hcl:"domain" mapstructure:"domain"` DNSDomain *string `json:"domain,omitempty" hcl:"domain" mapstructure:"domain"`
DNSRecursors []string `json:"recursors,omitempty" hcl:"recursors" mapstructure:"recursors"` DNSRecursors []string `json:"recursors,omitempty" hcl:"recursors" mapstructure:"recursors"`
DataDir *string `json:"data_dir,omitempty" hcl:"data_dir" mapstructure:"data_dir"` DataDir *string `json:"data_dir,omitempty" hcl:"data_dir" mapstructure:"data_dir"`
Datacenter *string `json:"datacenter,omitempty" hcl:"datacenter" mapstructure:"datacenter"` Datacenter *string `json:"datacenter,omitempty" hcl:"datacenter" mapstructure:"datacenter"`
DisableAnonymousSignature *bool `json:"disable_anonymous_signature,omitempty" hcl:"disable_anonymous_signature" mapstructure:"disable_anonymous_signature"` DisableAnonymousSignature *bool `json:"disable_anonymous_signature,omitempty" hcl:"disable_anonymous_signature" mapstructure:"disable_anonymous_signature"`
DisableCoordinates *bool `json:"disable_coordinates,omitempty" hcl:"disable_coordinates" mapstructure:"disable_coordinates"` DisableCoordinates *bool `json:"disable_coordinates,omitempty" hcl:"disable_coordinates" mapstructure:"disable_coordinates"`
DisableHostNodeID *bool `json:"disable_host_node_id,omitempty" hcl:"disable_host_node_id" mapstructure:"disable_host_node_id"` DisableHostNodeID *bool `json:"disable_host_node_id,omitempty" hcl:"disable_host_node_id" mapstructure:"disable_host_node_id"`
DisableKeyringFile *bool `json:"disable_keyring_file,omitempty" hcl:"disable_keyring_file" mapstructure:"disable_keyring_file"` DisableHTTPUnprintableCharFilter *bool `json:"disable_http_unprintable_char_filter,omitempty" hcl:"disable_http_unprintable_char_filter" mapstructure:"disable_http_unprintable_char_filter"`
DisableRemoteExec *bool `json:"disable_remote_exec,omitempty" hcl:"disable_remote_exec" mapstructure:"disable_remote_exec"` DisableKeyringFile *bool `json:"disable_keyring_file,omitempty" hcl:"disable_keyring_file" mapstructure:"disable_keyring_file"`
DisableUpdateCheck *bool `json:"disable_update_check,omitempty" hcl:"disable_update_check" mapstructure:"disable_update_check"` DisableRemoteExec *bool `json:"disable_remote_exec,omitempty" hcl:"disable_remote_exec" mapstructure:"disable_remote_exec"`
DiscardCheckOutput *bool `json:"discard_check_output" hcl:"discard_check_output" mapstructure:"discard_check_output"` DisableUpdateCheck *bool `json:"disable_update_check,omitempty" hcl:"disable_update_check" mapstructure:"disable_update_check"`
DiscoveryMaxStale *string `json:"discovery_max_stale" hcl:"discovery_max_stale" mapstructure:"discovery_max_stale"` DiscardCheckOutput *bool `json:"discard_check_output" hcl:"discard_check_output" mapstructure:"discard_check_output"`
EnableACLReplication *bool `json:"enable_acl_replication,omitempty" hcl:"enable_acl_replication" mapstructure:"enable_acl_replication"` DiscoveryMaxStale *string `json:"discovery_max_stale" hcl:"discovery_max_stale" mapstructure:"discovery_max_stale"`
EnableAgentTLSForChecks *bool `json:"enable_agent_tls_for_checks,omitempty" hcl:"enable_agent_tls_for_checks" mapstructure:"enable_agent_tls_for_checks"` EnableACLReplication *bool `json:"enable_acl_replication,omitempty" hcl:"enable_acl_replication" mapstructure:"enable_acl_replication"`
EnableDebug *bool `json:"enable_debug,omitempty" hcl:"enable_debug" mapstructure:"enable_debug"` EnableAgentTLSForChecks *bool `json:"enable_agent_tls_for_checks,omitempty" hcl:"enable_agent_tls_for_checks" mapstructure:"enable_agent_tls_for_checks"`
EnableScriptChecks *bool `json:"enable_script_checks,omitempty" hcl:"enable_script_checks" mapstructure:"enable_script_checks"` EnableDebug *bool `json:"enable_debug,omitempty" hcl:"enable_debug" mapstructure:"enable_debug"`
EnableSyslog *bool `json:"enable_syslog,omitempty" hcl:"enable_syslog" mapstructure:"enable_syslog"` EnableScriptChecks *bool `json:"enable_script_checks,omitempty" hcl:"enable_script_checks" mapstructure:"enable_script_checks"`
EncryptKey *string `json:"encrypt,omitempty" hcl:"encrypt" mapstructure:"encrypt"` EnableSyslog *bool `json:"enable_syslog,omitempty" hcl:"enable_syslog" mapstructure:"enable_syslog"`
EncryptVerifyIncoming *bool `json:"encrypt_verify_incoming,omitempty" hcl:"encrypt_verify_incoming" mapstructure:"encrypt_verify_incoming"` EncryptKey *string `json:"encrypt,omitempty" hcl:"encrypt" mapstructure:"encrypt"`
EncryptVerifyOutgoing *bool `json:"encrypt_verify_outgoing,omitempty" hcl:"encrypt_verify_outgoing" mapstructure:"encrypt_verify_outgoing"` EncryptVerifyIncoming *bool `json:"encrypt_verify_incoming,omitempty" hcl:"encrypt_verify_incoming" mapstructure:"encrypt_verify_incoming"`
HTTPConfig HTTPConfig `json:"http_config,omitempty" hcl:"http_config" mapstructure:"http_config"` EncryptVerifyOutgoing *bool `json:"encrypt_verify_outgoing,omitempty" hcl:"encrypt_verify_outgoing" mapstructure:"encrypt_verify_outgoing"`
KeyFile *string `json:"key_file,omitempty" hcl:"key_file" mapstructure:"key_file"` HTTPConfig HTTPConfig `json:"http_config,omitempty" hcl:"http_config" mapstructure:"http_config"`
LeaveOnTerm *bool `json:"leave_on_terminate,omitempty" hcl:"leave_on_terminate" mapstructure:"leave_on_terminate"` KeyFile *string `json:"key_file,omitempty" hcl:"key_file" mapstructure:"key_file"`
Limits Limits `json:"limits,omitempty" hcl:"limits" mapstructure:"limits"` LeaveOnTerm *bool `json:"leave_on_terminate,omitempty" hcl:"leave_on_terminate" mapstructure:"leave_on_terminate"`
LogLevel *string `json:"log_level,omitempty" hcl:"log_level" mapstructure:"log_level"` Limits Limits `json:"limits,omitempty" hcl:"limits" mapstructure:"limits"`
NodeID *string `json:"node_id,omitempty" hcl:"node_id" mapstructure:"node_id"` LogLevel *string `json:"log_level,omitempty" hcl:"log_level" mapstructure:"log_level"`
NodeMeta map[string]string `json:"node_meta,omitempty" hcl:"node_meta" mapstructure:"node_meta"` NodeID *string `json:"node_id,omitempty" hcl:"node_id" mapstructure:"node_id"`
NodeName *string `json:"node_name,omitempty" hcl:"node_name" mapstructure:"node_name"` NodeMeta map[string]string `json:"node_meta,omitempty" hcl:"node_meta" mapstructure:"node_meta"`
NonVotingServer *bool `json:"non_voting_server,omitempty" hcl:"non_voting_server" mapstructure:"non_voting_server"` NodeName *string `json:"node_name,omitempty" hcl:"node_name" mapstructure:"node_name"`
Performance Performance `json:"performance,omitempty" hcl:"performance" mapstructure:"performance"` NonVotingServer *bool `json:"non_voting_server,omitempty" hcl:"non_voting_server" mapstructure:"non_voting_server"`
PidFile *string `json:"pid_file,omitempty" hcl:"pid_file" mapstructure:"pid_file"` Performance Performance `json:"performance,omitempty" hcl:"performance" mapstructure:"performance"`
Ports Ports `json:"ports,omitempty" hcl:"ports" mapstructure:"ports"` PidFile *string `json:"pid_file,omitempty" hcl:"pid_file" mapstructure:"pid_file"`
RPCProtocol *int `json:"protocol,omitempty" hcl:"protocol" mapstructure:"protocol"` Ports Ports `json:"ports,omitempty" hcl:"ports" mapstructure:"ports"`
RaftProtocol *int `json:"raft_protocol,omitempty" hcl:"raft_protocol" mapstructure:"raft_protocol"` RPCProtocol *int `json:"protocol,omitempty" hcl:"protocol" mapstructure:"protocol"`
RaftSnapshotThreshold *int `json:"raft_snapshot_threshold,omitempty" hcl:"raft_snapshot_threshold" mapstructure:"raft_snapshot_threshold"` RaftProtocol *int `json:"raft_protocol,omitempty" hcl:"raft_protocol" mapstructure:"raft_protocol"`
RaftSnapshotInterval *string `json:"raft_snapshot_interval,omitempty" hcl:"raft_snapshot_interval" mapstructure:"raft_snapshot_interval"` RaftSnapshotThreshold *int `json:"raft_snapshot_threshold,omitempty" hcl:"raft_snapshot_threshold" mapstructure:"raft_snapshot_threshold"`
ReconnectTimeoutLAN *string `json:"reconnect_timeout,omitempty" hcl:"reconnect_timeout" mapstructure:"reconnect_timeout"` RaftSnapshotInterval *string `json:"raft_snapshot_interval,omitempty" hcl:"raft_snapshot_interval" mapstructure:"raft_snapshot_interval"`
ReconnectTimeoutWAN *string `json:"reconnect_timeout_wan,omitempty" hcl:"reconnect_timeout_wan" mapstructure:"reconnect_timeout_wan"` ReconnectTimeoutLAN *string `json:"reconnect_timeout,omitempty" hcl:"reconnect_timeout" mapstructure:"reconnect_timeout"`
RejoinAfterLeave *bool `json:"rejoin_after_leave,omitempty" hcl:"rejoin_after_leave" mapstructure:"rejoin_after_leave"` ReconnectTimeoutWAN *string `json:"reconnect_timeout_wan,omitempty" hcl:"reconnect_timeout_wan" mapstructure:"reconnect_timeout_wan"`
RetryJoinIntervalLAN *string `json:"retry_interval,omitempty" hcl:"retry_interval" mapstructure:"retry_interval"` RejoinAfterLeave *bool `json:"rejoin_after_leave,omitempty" hcl:"rejoin_after_leave" mapstructure:"rejoin_after_leave"`
RetryJoinIntervalWAN *string `json:"retry_interval_wan,omitempty" hcl:"retry_interval_wan" mapstructure:"retry_interval_wan"` RetryJoinIntervalLAN *string `json:"retry_interval,omitempty" hcl:"retry_interval" mapstructure:"retry_interval"`
RetryJoinLAN []string `json:"retry_join,omitempty" hcl:"retry_join" mapstructure:"retry_join"` RetryJoinIntervalWAN *string `json:"retry_interval_wan,omitempty" hcl:"retry_interval_wan" mapstructure:"retry_interval_wan"`
RetryJoinMaxAttemptsLAN *int `json:"retry_max,omitempty" hcl:"retry_max" mapstructure:"retry_max"` RetryJoinLAN []string `json:"retry_join,omitempty" hcl:"retry_join" mapstructure:"retry_join"`
RetryJoinMaxAttemptsWAN *int `json:"retry_max_wan,omitempty" hcl:"retry_max_wan" mapstructure:"retry_max_wan"` RetryJoinMaxAttemptsLAN *int `json:"retry_max,omitempty" hcl:"retry_max" mapstructure:"retry_max"`
RetryJoinWAN []string `json:"retry_join_wan,omitempty" hcl:"retry_join_wan" mapstructure:"retry_join_wan"` RetryJoinMaxAttemptsWAN *int `json:"retry_max_wan,omitempty" hcl:"retry_max_wan" mapstructure:"retry_max_wan"`
SegmentName *string `json:"segment,omitempty" hcl:"segment" mapstructure:"segment"` RetryJoinWAN []string `json:"retry_join_wan,omitempty" hcl:"retry_join_wan" mapstructure:"retry_join_wan"`
Segments []Segment `json:"segments,omitempty" hcl:"segments" mapstructure:"segments"` SegmentName *string `json:"segment,omitempty" hcl:"segment" mapstructure:"segment"`
SerfBindAddrLAN *string `json:"serf_lan,omitempty" hcl:"serf_lan" mapstructure:"serf_lan"` Segments []Segment `json:"segments,omitempty" hcl:"segments" mapstructure:"segments"`
SerfBindAddrWAN *string `json:"serf_wan,omitempty" hcl:"serf_wan" mapstructure:"serf_wan"` SerfBindAddrLAN *string `json:"serf_lan,omitempty" hcl:"serf_lan" mapstructure:"serf_lan"`
ServerMode *bool `json:"server,omitempty" hcl:"server" mapstructure:"server"` SerfBindAddrWAN *string `json:"serf_wan,omitempty" hcl:"serf_wan" mapstructure:"serf_wan"`
ServerName *string `json:"server_name,omitempty" hcl:"server_name" mapstructure:"server_name"` ServerMode *bool `json:"server,omitempty" hcl:"server" mapstructure:"server"`
Service *ServiceDefinition `json:"service,omitempty" hcl:"service" mapstructure:"service"` ServerName *string `json:"server_name,omitempty" hcl:"server_name" mapstructure:"server_name"`
Services []ServiceDefinition `json:"services,omitempty" hcl:"services" mapstructure:"services"` Service *ServiceDefinition `json:"service,omitempty" hcl:"service" mapstructure:"service"`
SessionTTLMin *string `json:"session_ttl_min,omitempty" hcl:"session_ttl_min" mapstructure:"session_ttl_min"` Services []ServiceDefinition `json:"services,omitempty" hcl:"services" mapstructure:"services"`
SkipLeaveOnInt *bool `json:"skip_leave_on_interrupt,omitempty" hcl:"skip_leave_on_interrupt" mapstructure:"skip_leave_on_interrupt"` SessionTTLMin *string `json:"session_ttl_min,omitempty" hcl:"session_ttl_min" mapstructure:"session_ttl_min"`
StartJoinAddrsLAN []string `json:"start_join,omitempty" hcl:"start_join" mapstructure:"start_join"` SkipLeaveOnInt *bool `json:"skip_leave_on_interrupt,omitempty" hcl:"skip_leave_on_interrupt" mapstructure:"skip_leave_on_interrupt"`
StartJoinAddrsWAN []string `json:"start_join_wan,omitempty" hcl:"start_join_wan" mapstructure:"start_join_wan"` StartJoinAddrsLAN []string `json:"start_join,omitempty" hcl:"start_join" mapstructure:"start_join"`
SyslogFacility *string `json:"syslog_facility,omitempty" hcl:"syslog_facility" mapstructure:"syslog_facility"` StartJoinAddrsWAN []string `json:"start_join_wan,omitempty" hcl:"start_join_wan" mapstructure:"start_join_wan"`
TLSCipherSuites *string `json:"tls_cipher_suites,omitempty" hcl:"tls_cipher_suites" mapstructure:"tls_cipher_suites"` SyslogFacility *string `json:"syslog_facility,omitempty" hcl:"syslog_facility" mapstructure:"syslog_facility"`
TLSMinVersion *string `json:"tls_min_version,omitempty" hcl:"tls_min_version" mapstructure:"tls_min_version"` TLSCipherSuites *string `json:"tls_cipher_suites,omitempty" hcl:"tls_cipher_suites" mapstructure:"tls_cipher_suites"`
TLSPreferServerCipherSuites *bool `json:"tls_prefer_server_cipher_suites,omitempty" hcl:"tls_prefer_server_cipher_suites" mapstructure:"tls_prefer_server_cipher_suites"` TLSMinVersion *string `json:"tls_min_version,omitempty" hcl:"tls_min_version" mapstructure:"tls_min_version"`
TaggedAddresses map[string]string `json:"tagged_addresses,omitempty" hcl:"tagged_addresses" mapstructure:"tagged_addresses"` TLSPreferServerCipherSuites *bool `json:"tls_prefer_server_cipher_suites,omitempty" hcl:"tls_prefer_server_cipher_suites" mapstructure:"tls_prefer_server_cipher_suites"`
Telemetry Telemetry `json:"telemetry,omitempty" hcl:"telemetry" mapstructure:"telemetry"` TaggedAddresses map[string]string `json:"tagged_addresses,omitempty" hcl:"tagged_addresses" mapstructure:"tagged_addresses"`
TranslateWANAddrs *bool `json:"translate_wan_addrs,omitempty" hcl:"translate_wan_addrs" mapstructure:"translate_wan_addrs"` Telemetry Telemetry `json:"telemetry,omitempty" hcl:"telemetry" mapstructure:"telemetry"`
UI *bool `json:"ui,omitempty" hcl:"ui" mapstructure:"ui"` TranslateWANAddrs *bool `json:"translate_wan_addrs,omitempty" hcl:"translate_wan_addrs" mapstructure:"translate_wan_addrs"`
UIDir *string `json:"ui_dir,omitempty" hcl:"ui_dir" mapstructure:"ui_dir"` UI *bool `json:"ui,omitempty" hcl:"ui" mapstructure:"ui"`
UnixSocket UnixSocket `json:"unix_sockets,omitempty" hcl:"unix_sockets" mapstructure:"unix_sockets"` UIDir *string `json:"ui_dir,omitempty" hcl:"ui_dir" mapstructure:"ui_dir"`
VerifyIncoming *bool `json:"verify_incoming,omitempty" hcl:"verify_incoming" mapstructure:"verify_incoming"` UnixSocket UnixSocket `json:"unix_sockets,omitempty" hcl:"unix_sockets" mapstructure:"unix_sockets"`
VerifyIncomingHTTPS *bool `json:"verify_incoming_https,omitempty" hcl:"verify_incoming_https" mapstructure:"verify_incoming_https"` VerifyIncoming *bool `json:"verify_incoming,omitempty" hcl:"verify_incoming" mapstructure:"verify_incoming"`
VerifyIncomingRPC *bool `json:"verify_incoming_rpc,omitempty" hcl:"verify_incoming_rpc" mapstructure:"verify_incoming_rpc"` VerifyIncomingHTTPS *bool `json:"verify_incoming_https,omitempty" hcl:"verify_incoming_https" mapstructure:"verify_incoming_https"`
VerifyOutgoing *bool `json:"verify_outgoing,omitempty" hcl:"verify_outgoing" mapstructure:"verify_outgoing"` VerifyIncomingRPC *bool `json:"verify_incoming_rpc,omitempty" hcl:"verify_incoming_rpc" mapstructure:"verify_incoming_rpc"`
VerifyServerHostname *bool `json:"verify_server_hostname,omitempty" hcl:"verify_server_hostname" mapstructure:"verify_server_hostname"` VerifyOutgoing *bool `json:"verify_outgoing,omitempty" hcl:"verify_outgoing" mapstructure:"verify_outgoing"`
Watches []map[string]interface{} `json:"watches,omitempty" hcl:"watches" mapstructure:"watches"` VerifyServerHostname *bool `json:"verify_server_hostname,omitempty" hcl:"verify_server_hostname" mapstructure:"verify_server_hostname"`
Watches []map[string]interface{} `json:"watches,omitempty" hcl:"watches" mapstructure:"watches"`
// This isn't used by Consul but we've documented a feature where users // This isn't used by Consul but we've documented a feature where users
// can deploy their snapshot agent configs alongside their Consul configs // can deploy their snapshot agent configs alongside their Consul configs


@ -564,6 +564,16 @@ type RuntimeConfig struct {
// flag: -disable-host-node-id // flag: -disable-host-node-id
DisableHostNodeID bool DisableHostNodeID bool
// DisableHTTPUnprintableCharFilter will bypass the filter preventing HTTP
// URLs from containing unprintable chars. This filter was added in 1.0.3 as a
// response to a vulnerability report. Disabling this is never recommended in
// general however some users who have keys written in older versions of
// Consul may use this to temporarily disable the filter such that they can
// delete those keys again! We do not recommend leaving it disabled long term.
//
// hcl: disable_http_unprintable_char_filter
DisableHTTPUnprintableCharFilter bool
// DisableKeyringFile disables writing the keyring to a file. // DisableKeyringFile disables writing the keyring to a file.
// //
// hcl: disable_keyring_file = (true|false) // hcl: disable_keyring_file = (true|false)
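Review bot: The `// hcl: disable_http_unprintable_char_filter` line omits the value form that the neighbouring field documents as `// hcl: disable_keyring_file = (true|false)`; writing `// hcl: disable_http_unprintable_char_filter = (true|false)` keeps the annotations uniform. Because this field turns a security check off, the comment could also state that the default is false, meaning the filter is on. The `RuntimeConfig` struct starts and ends outside this hunk.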


@ -2621,6 +2621,7 @@ func TestFullConfig(t *testing.T) {
"disable_anonymous_signature": true, "disable_anonymous_signature": true,
"disable_coordinates": true, "disable_coordinates": true,
"disable_host_node_id": true, "disable_host_node_id": true,
"disable_http_unprintable_char_filter": true,
"disable_keyring_file": true, "disable_keyring_file": true,
"disable_remote_exec": true, "disable_remote_exec": true,
"disable_update_check": true, "disable_update_check": true,
@ -3084,6 +3085,7 @@ func TestFullConfig(t *testing.T) {
disable_anonymous_signature = true disable_anonymous_signature = true
disable_coordinates = true disable_coordinates = true
disable_host_node_id = true disable_host_node_id = true
disable_http_unprintable_char_filter = true
disable_keyring_file = true disable_keyring_file = true
disable_remote_exec = true disable_remote_exec = true
disable_update_check = true disable_update_check = true
@ -3678,75 +3680,76 @@ func TestFullConfig(t *testing.T) {
"connect_timeout_ms": float64(1000), "connect_timeout_ms": float64(1000),
"pedantic_mode": true, "pedantic_mode": true,
}, },
DNSAddrs: []net.Addr{tcpAddr("93.95.95.81:7001"), udpAddr("93.95.95.81:7001")}, DNSAddrs: []net.Addr{tcpAddr("93.95.95.81:7001"), udpAddr("93.95.95.81:7001")},
DNSARecordLimit: 29907, DNSARecordLimit: 29907,
DNSAllowStale: true, DNSAllowStale: true,
DNSDisableCompression: true, DNSDisableCompression: true,
DNSDomain: "7W1xXSqd", DNSDomain: "7W1xXSqd",
DNSEnableTruncate: true, DNSEnableTruncate: true,
DNSMaxStale: 29685 * time.Second, DNSMaxStale: 29685 * time.Second,
DNSNodeTTL: 7084 * time.Second, DNSNodeTTL: 7084 * time.Second,
DNSOnlyPassing: true, DNSOnlyPassing: true,
DNSPort: 7001, DNSPort: 7001,
DNSRecursorTimeout: 4427 * time.Second, DNSRecursorTimeout: 4427 * time.Second,
DNSRecursors: []string{"63.38.39.58", "92.49.18.18"}, DNSRecursors: []string{"63.38.39.58", "92.49.18.18"},
DNSServiceTTL: map[string]time.Duration{"*": 32030 * time.Second}, DNSServiceTTL: map[string]time.Duration{"*": 32030 * time.Second},
DNSUDPAnswerLimit: 29909, DNSUDPAnswerLimit: 29909,
DNSNodeMetaTXT: true, DNSNodeMetaTXT: true,
DataDir: dataDir, DataDir: dataDir,
Datacenter: "rzo029wg", Datacenter: "rzo029wg",
DevMode: true, DevMode: true,
DisableAnonymousSignature: true, DisableAnonymousSignature: true,
DisableCoordinates: true, DisableCoordinates: true,
DisableHostNodeID: true, DisableHostNodeID: true,
DisableKeyringFile: true, DisableHTTPUnprintableCharFilter: true,
DisableRemoteExec: true, DisableKeyringFile: true,
DisableUpdateCheck: true, DisableRemoteExec: true,
DiscardCheckOutput: true, DisableUpdateCheck: true,
DiscoveryMaxStale: 5 * time.Second, DiscardCheckOutput: true,
EnableACLReplication: true, DiscoveryMaxStale: 5 * time.Second,
EnableAgentTLSForChecks: true, EnableACLReplication: true,
EnableDebug: true, EnableAgentTLSForChecks: true,
EnableScriptChecks: true, EnableDebug: true,
EnableSyslog: true, EnableScriptChecks: true,
EnableUI: true, EnableSyslog: true,
EncryptKey: "A4wELWqH", EnableUI: true,
EncryptVerifyIncoming: true, EncryptKey: "A4wELWqH",
EncryptVerifyOutgoing: true, EncryptVerifyIncoming: true,
HTTPAddrs: []net.Addr{tcpAddr("83.39.91.39:7999")}, EncryptVerifyOutgoing: true,
HTTPBlockEndpoints: []string{"RBvAFcGD", "fWOWFznh"}, HTTPAddrs: []net.Addr{tcpAddr("83.39.91.39:7999")},
HTTPPort: 7999, HTTPBlockEndpoints: []string{"RBvAFcGD", "fWOWFznh"},
HTTPResponseHeaders: map[string]string{"M6TKa9NP": "xjuxjOzQ", "JRCrHZed": "rl0mTx81"}, HTTPPort: 7999,
HTTPSAddrs: []net.Addr{tcpAddr("95.17.17.19:15127")}, HTTPResponseHeaders: map[string]string{"M6TKa9NP": "xjuxjOzQ", "JRCrHZed": "rl0mTx81"},
HTTPSPort: 15127, HTTPSAddrs: []net.Addr{tcpAddr("95.17.17.19:15127")},
KeyFile: "IEkkwgIA", HTTPSPort: 15127,
LeaveDrainTime: 8265 * time.Second, KeyFile: "IEkkwgIA",
LeaveOnTerm: true, LeaveDrainTime: 8265 * time.Second,
LogLevel: "k1zo9Spt", LeaveOnTerm: true,
NodeID: types.NodeID("AsUIlw99"), LogLevel: "k1zo9Spt",
NodeMeta: map[string]string{"5mgGQMBk": "mJLtVMSG", "A7ynFMJB": "0Nx6RGab"}, NodeID: types.NodeID("AsUIlw99"),
NodeName: "otlLxGaI", NodeMeta: map[string]string{"5mgGQMBk": "mJLtVMSG", "A7ynFMJB": "0Nx6RGab"},
NonVotingServer: true, NodeName: "otlLxGaI",
PidFile: "43xN80Km", NonVotingServer: true,
RPCAdvertiseAddr: tcpAddr("17.99.29.16:3757"), PidFile: "43xN80Km",
RPCBindAddr: tcpAddr("16.99.34.17:3757"), RPCAdvertiseAddr: tcpAddr("17.99.29.16:3757"),
RPCHoldTimeout: 15707 * time.Second, RPCBindAddr: tcpAddr("16.99.34.17:3757"),
RPCProtocol: 30793, RPCHoldTimeout: 15707 * time.Second,
RPCRateLimit: 12029.43, RPCProtocol: 30793,
RPCMaxBurst: 44848, RPCRateLimit: 12029.43,
RaftProtocol: 19016, RPCMaxBurst: 44848,
RaftSnapshotThreshold: 16384, RaftProtocol: 19016,
RaftSnapshotInterval: 30 * time.Second, RaftSnapshotThreshold: 16384,
ReconnectTimeoutLAN: 23739 * time.Second, RaftSnapshotInterval: 30 * time.Second,
ReconnectTimeoutWAN: 26694 * time.Second, ReconnectTimeoutLAN: 23739 * time.Second,
RejoinAfterLeave: true, ReconnectTimeoutWAN: 26694 * time.Second,
RetryJoinIntervalLAN: 8067 * time.Second, RejoinAfterLeave: true,
RetryJoinIntervalWAN: 28866 * time.Second, RetryJoinIntervalLAN: 8067 * time.Second,
RetryJoinLAN: []string{"pbsSFY7U", "l0qLtWij"}, RetryJoinIntervalWAN: 28866 * time.Second,
RetryJoinMaxAttemptsLAN: 913, RetryJoinLAN: []string{"pbsSFY7U", "l0qLtWij"},
RetryJoinMaxAttemptsWAN: 23160, RetryJoinMaxAttemptsLAN: 913,
RetryJoinWAN: []string{"PFsR02Ye", "rJdQIhER"}, RetryJoinMaxAttemptsWAN: 23160,
SegmentName: "BC2NhTDi", RetryJoinWAN: []string{"PFsR02Ye", "rJdQIhER"},
SegmentName: "BC2NhTDi",
Segments: []structs.NetworkSegment{ Segments: []structs.NetworkSegment{
{ {
Name: "PExYMe2E", Name: "PExYMe2E",
@ -4403,6 +4406,7 @@ func TestSanitize(t *testing.T) {
"DevMode": false, "DevMode": false,
"DisableAnonymousSignature": false, "DisableAnonymousSignature": false,
"DisableCoordinates": false, "DisableCoordinates": false,
"DisableHTTPUnprintableCharFilter": false,
"DisableHostNodeID": false, "DisableHostNodeID": false,
"DisableKeyringFile": false, "DisableKeyringFile": false,
"DisableRemoteExec": false, "DisableRemoteExec": false,


@ -187,10 +187,15 @@ func (s *HTTPServer) handler(enableDebug bool) http.Handler {
} }
// Wrap the whole mux with a handler that bans URLs with non-printable // Wrap the whole mux with a handler that bans URLs with non-printable
// characters. // characters, unless disabled explicitly to deal with old keys that fail this
// check.
h := cleanhttp.PrintablePathCheckHandler(mux, nil)
if s.agent.config.DisableHTTPUnprintableCharFilter {
h = mux
}
return &wrappedMux{ return &wrappedMux{
mux: mux, mux: mux,
handler: cleanhttp.PrintablePathCheckHandler(mux, nil), handler: h,
} }
} }
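Review bot: When `DisableHTTPUnprintableCharFilter` is set, the `h = mux` branch drops the printable-path check for every route on the mux, not only the KV deletes the option is meant for, and nothing in the hunk logs that the agent is running without it. Consider emitting a warning through the agent's logger in that branch, so an operator who forgets to re-enable the filter can see it in the logs. As a style point, the wrapped handler is built and then discarded; `var h http.Handler = mux` followed by `if !s.agent.config.DisableHTTPUnprintableCharFilter { h = cleanhttp.PrintablePathCheckHandler(mux, nil) }` avoids that. The body of `handler` begins outside this hunk.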


@ -327,6 +327,19 @@ func TestHTTPAPI_Ban_Nonprintable_Characters(t *testing.T) {
} }
} }
func TestHTTPAPI_Allow_Nonprintable_Characters_With_Flag(t *testing.T) {
a := NewTestAgent(t.Name(), "disable_http_unprintable_char_filter = true")
defer a.Shutdown()
req, _ := http.NewRequest("GET", "/v1/kv/bad\x00ness", nil)
resp := httptest.NewRecorder()
a.srv.Handler.ServeHTTP(resp, req)
// Key doesn't actually exist so we should get 404
if got, want := resp.Code, http.StatusNotFound; got != want {
t.Fatalf("bad response code got %d want %d", got, want)
}
}
func TestHTTPAPI_TranslateAddrHeader(t *testing.T) { func TestHTTPAPI_TranslateAddrHeader(t *testing.T) {
t.Parallel() t.Parallel()
// Header should not be present if address translation is off. // Header should not be present if address translation is off.
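Review bot: `req, _ := http.NewRequest("GET", "/v1/kv/bad\x00ness", nil)` discards the error, so if URL parsing rejects the NUL byte (later Go releases reject control characters in URLs) `req` is nil and `ServeHTTP` panics instead of failing the test cleanly; use `req, err := http.NewRequest(...)` with `if err != nil { t.Fatal(err) }`. The test also only covers a GET that returns 404, while the option exists so that old keys can be deleted; a DELETE against such a key would pin the behaviour the commit is for. Unlike `TestHTTPAPI_TranslateAddrHeader` just below, it does not call `t.Parallel()`, which may be deliberate but deserves a short comment.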


@ -749,6 +749,17 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
* <a name="disable_host_node_id"></a><a href="#disable_host_node_id">`disable_host_node_id`</a> * <a name="disable_host_node_id"></a><a href="#disable_host_node_id">`disable_host_node_id`</a>
Equivalent to the [`-disable-host-node-id` command-line flag](#_disable_host_node_id). Equivalent to the [`-disable-host-node-id` command-line flag](#_disable_host_node_id).
* <a name="disable_http_unprintable_char_filter"></a><a href="#disable_http_unprintable_char_filter">`disable_http_unprintable_char_filter`</a>
Defaults to false. Consul 1.0.3 fixed a potential security vulnerability where
malicious users could craft KV keys with unprintable chars that would confuse
operators using the CLI or UI into taking wrong actions. Users who had data
written in older versions of Consul that did not have this restriction will be
unable to delete those values by default in 1.0.3 or later. This setting
enables those users to _temporarily_ disable the filter such that delete
operations can work on those keys again to get back to a healthy state. It is
strongly recommended that this filter is not disabled permanently as it
exposes the original security vulnerability.
* <a name="disable_remote_exec"></a><a href="#disable_remote_exec">`disable_remote_exec`</a> * <a name="disable_remote_exec"></a><a href="#disable_remote_exec">`disable_remote_exec`</a>
Disables support for remote execution. When set to true, the agent will ignore any incoming Disables support for remote execution. When set to true, the agent will ignore any incoming
remote exec requests. In versions of Consul prior to 0.8, this defaulted to false. In Consul remote exec requests. In versions of Consul prior to 0.8, this defaulted to false. In Consul