TestCmdlineEndpointsNotExposed ensures that endpoints which expose the full process command line are not reachable without authentication. Both debug/pprof/cmdline (net/http/pprof) and /debug/vars (expvar, which publishes os.Args as "cmdline") can leak the admin token passed via --security "token=..
(t *testing.T)
| 833 | // publishes os.Args as "cmdline") can leak the admin token passed via |
| 834 | // --security "token=...". |
func TestCmdlineEndpointsNotExposed(t *testing.T) {
	// get issues a GET against the debug server under test and fails the
	// test on any transport-level error. The caller owns the returned body
	// and is responsible for closing it.
	get := func(path string) *http.Response {
		resp, err := http.Get(fmt.Sprintf("%s%s", addr, path))
		require.NoError(t, err)
		return resp
	}

	// A 404 proves the pprof cmdline handler is not registered at all,
	// rather than merely gated behind some check.
	cmdline := get("/debug/pprof/cmdline")
	defer cmdline.Body.Close()
	require.Equal(t, http.StatusNotFound, cmdline.StatusCode,
		"/debug/pprof/cmdline should return 404; got %d", cmdline.StatusCode)

	// expvar itself stays available, but its default "cmdline" export
	// (which mirrors os.Args) must have been removed from the output.
	vars := get("/debug/vars")
	defer vars.Body.Close()
	require.Equal(t, http.StatusOK, vars.StatusCode,
		"/debug/vars should return 200; got %d", vars.StatusCode)
	raw, err := io.ReadAll(vars.Body)
	require.NoError(t, err)
	published := map[string]json.RawMessage{}
	require.NoError(t, json.Unmarshal(raw, &published))
	require.NotContains(t, published, "cmdline",
		"/debug/vars response must not contain the cmdline key")

	// Removing cmdline must not have taken the rest of pprof with it.
	heap := get("/debug/pprof/heap")
	defer heap.Body.Close()
	require.Equal(t, http.StatusOK, heap.StatusCode,
		"/debug/pprof/heap should return 200; got %d", heap.StatusCode)
}
| 864 | |
| 865 | func setDrainingMode(t *testing.T, enable bool, accessJwt string) { |
| 866 | drainingRequest := `mutation drain($enable: Boolean) { |