Istio xDS Debug Handler Cross-Namespace Access Control Bypass Fix

### Vulnerability Overview A security vulnerability exists in Istio's xDS debug handler, where it fails to correctly pass or verify the caller's namespace. This can lead to cross-namespace access control bypasses, allowing users from one namespace to access debug information intended for another namespace. ### Affected Scope - `pilot/pkg/xds/debug_test.go` - `pilot/pkg/xds/debug.go` ### Remediation Plan 1. **Extract Namespace:** In the `processDebugRequest` function, extract `xds.CallerNamespaceKey` from the HTTP request context to obtain the caller's namespace. 2. **Pass Context:** Pass this namespace to `model.Resources` or `model.DefaultXDSLogDetails` to ensure the resource generation logic is aware of the caller's identity. 3. **Inject Context:** When creating the HTTP request, use `context.WithValue` to inject `CallerNamespaceKey` into the context, ensuring subsequent processing chains can retrieve this information. ### Key Code **1. Test Case (POC/Verification Logic)** ```go // TestDebugGenPassNamespaceContext verifies that DebugGen passes the caller namespace // to the internal HTTP handler via CallerNamespaceKey context. // This test FAILS without the fix (CallerNamespaceKey empty) and PASSES with the fix. func TestDebugGenPassNamespaceContext(t *testing.T) { var capturedNS string var handlerCalled bool mux := http.NewServeMux() mux.HandleFunc("/debug/", func(w http.ResponseWriter, r *http.Request) { handlerCalled = true capturedNS = r.Context().Value(xds.CallerNamespaceKey).(string) // Simulate what getDebugConnection does: if CallerNamespaceKey is empty, // the namespace check is skipped (security bug we're fixing) if capturedNS == "" { t.Fatal("CallerNamespaceKey not set in context - cross-namespace access would be allowed") } w.WriteHeader(http.StatusOK) }) s := xds.NewFakeDiscoveryServer(t, xds.FakeOptions{}) gen := xds.NewDebugGen(s.Discovery, "istio-system", mux) proxy := &model.Proxy{ ID: "test.production", VerifiedIdentity: &spiiffe.Identity{Namespace: "production"}, } watchedRes := &model.WatchedResource{ TypeUrl: v3.DebugType, ResourceNames: sets.New("config.dump"), } _, err := gen.Generate(proxy, watchedRes, nil) if err != nil { t.Fatalf("unexpected error: %v", err) } if !handlerCalled { t.Fatal("handler was not called") } assert.Equal(t, "production", capturedNS, "caller namespace should be passed to handler") } ``` **2. Remediation Code (debug.go)** ```go // ... imports ... import ( // ... "context" // ... ) // ... inside processDebugRequest ... func processDebugRequest(dg *DebugGen, resourceName string, callerNamespace string) bytes.Buffer { var buffer bytes.Buffer debugURL := "/debug/" + resourceName // Fix: Extract CallerNamespaceKey from context and inject it ctx := context.WithValue(context.Background(), xds.CallerNamespaceKey, callerNamespace) req, _ := http.NewRequestWithContext(ctx, http.MethodGet, debugURL, nil) handler := dg mux.Handler(req) response := dg mux.Capture() handler.ServeHTTP(response, req) return buffer } // ... inside processDebugRequest ... // Fix: Pass the retrieved namespace to model res := model.Resources(dg.Discovery.Resource( Name: resourceName, // ... )) buffer := processDebugRequest(dg, resourceName, proxy.VerifiedIdentity.Namespace) ```

Goal Reached Thanks to every supporter — we hit 100%!

Istio xDS Debug Handler Cross-Namespace Access Control Bypass Fix

More from this source