
Validate Watcher Proxy Allowlist#144759

Merged
jfreden merged 12 commits into elastic:main from jfreden:watcher/validate_proxy_allowlist
Apr 1, 2026

Conversation

@jfreden
Contributor

@jfreden jfreden commented Mar 23, 2026

Validates that a per-request proxy host is whitelisted. System-wide proxies configured via xpack.http.proxy.host are exempt.

@elasticsearchmachine
Collaborator

Pinging @elastic/es-distributed (Team:Distributed)

@elasticsearchmachine
Collaborator

Hi @jfreden, I've created a changelog YAML for you.

}

RequestConfig.Builder config = RequestConfig.custom();
validateProxyAgainstWhitelist(request.proxy);
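Review bot: `validateProxyAgainstWhitelist(request.proxy)` is called unconditionally before the `RequestConfig` is built, so confirm the helper treats a null `request.proxy` (no per-request proxy, i.e. the system-wide `xpack.http.proxy.host` case the description says is exempt) as a no-op rather than a rejection, otherwise every request without its own proxy would fail once an allowlist is configured. Minor: the helper name says "Whitelist" while the PR title and description say allowlist; `validateProxyAgainstAllowlist` would keep the terminology consistent.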
Contributor Author

Slightly worried about BWC here since it's been around for a while.

Contributor

Agreed. This could be an unwelcome surprise for users with a watcher proxy config not covered by the allowlist.

You might consider targeting the next minor version only rather than patch versions. But that leaves 8.19.x, 9.2.x, and 9.3.x systems vulnerable.

Contributor Author

@jfreden jfreden Mar 24, 2026

Yes, it's a tricky tradeoff. After thinking some more about this I think targeting all branches makes the most sense. Here is my reasoning:

  • The default is no allow list (anything is allowed), so users with the default won't be impacted (probably most users)
  • If an explicit allow list is configured the user is worried about the vulnerability and wants full protection, including checking the proxy host against the allow list.
  • The allow list is almost useless without this fix and it's a bug.

WDYT?
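The PR description and jfreden's three-point reasoning above (an unset allowlist allows everything; a configured allowlist is nearly useless if the per-request proxy host is not checked; the system-wide proxy is exempt), as an added example in Java. This is not Elasticsearch's code: the `HttpProxy` and `HttpRequest` records, the glob syntax, the method names and the hosts are my own assumptions chosen to mirror the behaviour the PR describes, and the "before" method reproduces the bug on purpose.

```java
import java.net.URI;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added illustration (not Elasticsearch code): an HTTP allowlist that checks only the
 * destination URL is bypassable when the request can also name its own proxy, and the
 * check looks different once the per-request proxy host is covered as well.
 */
public final class ProxyAllowlistDemo {

    /** Hypothetical per-request proxy, as a watch's HTTP request can carry one. */
    record HttpProxy(String host, int port) {}

    /** Hypothetical request: destination URL plus an optional per-request proxy (null = system-wide proxy, if any). */
    record HttpRequest(URI url, HttpProxy proxy) {}

    /** Compiled allowlist; an empty list models the default of "no allowlist configured", which allows anything. */
    private final List<Pattern> allowlist;

    ProxyAllowlistDemo(List<String> hostGlobs) {
        this.allowlist = hostGlobs.stream().map(ProxyAllowlistDemo::globToRegex).toList();
    }

    /** Turns a host glob such as "*.example.com" into an anchored, case-insensitive regex; '*' is the only metacharacter. */
    static Pattern globToRegex(String glob) {
        String[] literals = glob.split("\\*", -1);
        StringBuilder regex = new StringBuilder("^");
        for (int i = 0; i < literals.length; i++) {
            if (i > 0) {
                regex.append(".*");
            }
            regex.append(Pattern.quote(literals[i]));
        }
        return Pattern.compile(regex.append('$').toString(), Pattern.CASE_INSENSITIVE);
    }

    /** True when the host matches some allowlist entry, or when no allowlist is configured at all. */
    boolean hostAllowed(String host) {
        if (allowlist.isEmpty()) {
            return true; // default: nothing configured, everything allowed
        }
        return host != null && allowlist.stream().anyMatch(p -> p.matcher(host).matches());
    }

    /** Before the fix: only the destination host is compared with the allowlist; the proxy is never consulted. */
    boolean allowedBeforeFix(HttpRequest request) {
        return hostAllowed(request.url().getHost());
    }

    /** After the fix: a per-request proxy host must also be on the allowlist; a null proxy (system-wide proxy) is exempt. */
    boolean allowedAfterFix(HttpRequest request) {
        if (!hostAllowed(request.url().getHost())) {
            return false;
        }
        HttpProxy proxy = request.proxy();
        return proxy == null || hostAllowed(proxy.host());
    }

    public static void main(String[] args) {
        ProxyAllowlistDemo guard = new ProxyAllowlistDemo(List.of("api.example.com", "*.internal.example"));

        // Constructed input: destination is allowlisted, but the request asks to be routed through a proxy that is not.
        HttpRequest viaRogueProxy = new HttpRequest(
            URI.create("https://api.example.com/hook"), new HttpProxy("attacker.example.net", 8080));
        System.out.println("rogue proxy, before fix: " + guard.allowedBeforeFix(viaRogueProxy));
        System.out.println("rogue proxy, after fix:  " + guard.allowedAfterFix(viaRogueProxy));

        // No per-request proxy: the system-wide proxy (if configured) is used and is not subject to the allowlist.
        HttpRequest systemProxyOnly = new HttpRequest(URI.create("https://api.example.com/hook"), null);
        System.out.println("system-wide proxy only:  " + guard.allowedAfterFix(systemProxyOnly));

        // Default configuration (no allowlist): the added check changes nothing, which is the BWC argument in the thread.
        ProxyAllowlistDemo defaults = new ProxyAllowlistDemo(List.of());
        System.out.println("default allowlist:       " + defaults.allowedAfterFix(viaRogueProxy));
    }
}
```

Run it with `java ProxyAllowlistDemo.java` (Java 16 or newer for records and `Stream.toList()`). The first two lines of output are the point of the PR: with an allowlist of `api.example.com` and `*.internal.example`, the "before" check accepts the request because it never looks at `attacker.example.net`, while the "after" check rejects it; the remaining two lines show the two cases the thread wants left untouched, a request with no per-request proxy and a deployment that never configured an allowlist.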

Contributor

Agreed, that sounds reasonable to me.

@jfreden jfreden merged commit 9b6d5a2 into elastic:main Apr 1, 2026
35 checks passed
@jfreden
Contributor Author

jfreden commented Apr 2, 2026

💚 All backports created successfully

Backport branches (all created): 9.3, 9.2, 8.19

Questions?

Please refer to the Backport tool documentation

jfreden added three commits to jfreden/elasticsearch that referenced this pull request Apr 2, 2026, each with the message:
* Validate Watcher Proxy Allowlist

* Update docs/changelog/144759.yaml

(cherry picked from commit 9b6d5a2)
elasticsearchmachine pushed three commits that referenced this pull request Apr 2, 2026, each with the same message:
* Validate Watcher Proxy Allowlist

* Update docs/changelog/144759.yaml

(cherry picked from commit 9b6d5a2)
mromaios pushed a commit to mromaios/elasticsearch that referenced this pull request Apr 9, 2026
* Validate Watcher Proxy Allowlist

* Update docs/changelog/144759.yaml