Backport CVE-2026-50221 gatekeeper SSRF fix to elastx/yoga#2
Open
Brittlejf wants to merge 1 commit into
Backport of the upstream fix for CVE-2026-50221 / OSSA-2026-024 (Swift proxy-server SSRF via header injection) to the elastx/yoga branch.

There are a variety of headers that object-servers use to update container-servers, or that container-servers use to update account-servers. None of them start with X-Backend- (they predated that namespace), and previously were not blocked by the gatekeeper. As a result, a malicious authenticated client could direct the object-server to send updates to unintended locations (server-side request forgery). Now block all update-related X-Account-*, X-Container-*, and X-Delete-At-* headers at the gatekeeper.

Upstream only backported as far as 2025.1/epoxy; Yoga is EOL upstream, so this carries the same change onto our fork. Cherry-picked from upstream commit 75b050f (2025.1/epoxy backport: https://review.opendev.org/994452).

Fixes: CVE-2026-50221
Closes-Bug: #2150261
Original-Author: Tim Burke <tim.burke@gmail.com>
jhindersson approved these changes on Jun 24, 2026
Backports the upstream fix for CVE-2026-50221 / OSSA-2026-024 (Swift proxy-server SSRF via header injection) to our elastx/yoga fork.

The gatekeeper middleware did not block the legacy X-Account-*/X-Container-*/X-Delete-At-* update headers (host/device/partition/etc.) that predate the X-Backend- namespace. An authenticated client could inject them so the object-server issues updates to attacker-chosen hosts (SSRF). This adds those patterns to inbound_exclusions.

Yoga is EOL upstream; the official fix only goes back to 2025.1/epoxy (https://review.opendev.org/994452). This carries the same change (upstream commit 75b050fdb1d1a6096f3765faa3b2059e28065d13) onto our branch.

Testing

Regex logic validated to block all 11 update headers while passing legitimate headers (X-Delete-At, X-*-Meta-*, X-Container-Sync-To, X-Account-Hostname, X-Delete-After). Mirrors the upstream unit-test additions in test_gatekeeper.py.

Impact

Strips these headers only from inbound client->proxy requests; the identical headers Swift generates internally are added downstream of the gatekeeper, so replication/update/expiry traffic is unaffected. No on-disk/DB/ring/config/API change. Deploy via the os-swift playbook (Swift venv rebuild + rolling proxy restart).

Refs: OSSA-2026-024 · Closes-Bug #2150261
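The filtering behaviour the PR body describes, as an added illustration that is not the patch itself or Swift's gatekeeper code: it strips the legacy host/partition/device update headers for the X-Account-, X-Container- and X-Delete-At- families while letting the legitimate headers listed under Testing through. The regex is an assumption (the upstream patterns, which cover more than these nine names, are not on this page), and the sample request is constructed.

```python
import re

# Assumed patterns for the legacy update headers (the exact upstream regexes
# are not on this page). Anchoring matters: "x-account-host" is an update
# header, "x-account-hostname" is a legitimate client header and must pass.
UPDATE_HEADER_PATTERNS = [
    re.compile(r"^x-(account|container|delete-at)-(host|partition|device)$", re.I),
]


def is_update_header(name):
    """True if a client-supplied header names an internal update target."""
    return any(p.match(name) for p in UPDATE_HEADER_PATTERNS)


def strip_update_headers(headers):
    """Return (kept, stripped): kept is the header dict without update
    headers; stripped lists the dropped names so the proxy can log them."""
    kept, stripped = {}, []
    for name, value in headers.items():
        if is_update_header(name):
            stripped.append(name)
        else:
            kept[name] = value
    return kept, stripped


# Constructed sample: legitimate client headers plus injected update headers
# that would otherwise point the object-server at a host of the client's choosing.
SAMPLE_HEADERS = {
    "X-Delete-At": "1800000000",
    "X-Object-Meta-Color": "blue",
    "X-Container-Sync-To": "//realm/cluster/AUTH_acct/cont",
    "X-Account-Hostname": "example.invalid",
    "X-Delete-After": "3600",
    "X-Container-Host": "203.0.113.9:6201",  # injected
    "X-Container-Partition": "1234",         # injected
    "X-Container-Device": "sdb1",            # injected
    "x-delete-at-host": "203.0.113.9:6201",  # injected, lowercase on purpose
}

if __name__ == "__main__":
    kept, stripped = strip_update_headers(SAMPLE_HEADERS)
    print("stripped:", sorted(stripped))
    print("kept:", sorted(kept))
```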