
Backport CVE-2026-50221 gatekeeper SSRF fix to elastx/yoga#2

Open
Brittlejf wants to merge 1 commit into elastx/yoga from fix/cve-2026-50221-gatekeeper-ssrf

Conversation

@Brittlejf (Member)

Backports the upstream fix for CVE-2026-50221 / OSSA-2026-024 (Swift proxy-server SSRF via header injection) to our elastx/yoga fork.

The gatekeeper middleware did not block the legacy X-Account-* / X-Container-* / X-Delete-At-* update headers (host/device/partition/etc.) that predate the X-Backend- namespace. An authenticated client could inject them so the object-server issues updates to attacker-chosen hosts (SSRF). This adds those patterns to inbound_exclusions.

Yoga is EOL upstream; the official fix only goes back to 2025.1/epoxy (https://review.opendev.org/994452). This carries the same change (upstream commit 75b050fdb1d1a6096f3765faa3b2059e28065d13) onto our branch.

Testing

Regex logic validated to block all 11 update headers while passing legitimate headers (X-Delete-At, X-*-Meta-*, X-Container-Sync-To, X-Account-Hostname, X-Delete-After). Mirrors the upstream unit-test additions in test_gatekeeper.py.

Impact

Strips these headers only from inbound client->proxy requests; the identical headers Swift generates internally are added downstream of the gatekeeper, so replication/update/expiry traffic is unaffected. No on-disk/DB/ring/config/API change. Deploy via the os-swift playbook (Swift venv rebuild + rolling proxy restart).

Refs: OSSA-2026-024 · Closes-Bug #2150261

Backport of the upstream fix for CVE-2026-50221 / OSSA-2026-024
(Swift proxy-server SSRF via header injection) to the elastx/yoga branch.

There are a variety of headers that object-servers use to update
container-servers, or that container-servers use to update account-servers.
None of them start with X-Backend- (they predated that namespace), and
previously were not blocked by the gatekeeper. As a result, a malicious
authenticated client could direct the object-server to send updates to
unintended locations (server-side request forgery).

Now block all update-related X-Account-*, X-Container-*, and X-Delete-At-*
headers at the gatekeeper. Upstream only backported as far as 2025.1/epoxy;
Yoga is EOL upstream, so this carries the same change onto our fork.

Cherry-picked from upstream commit 75b050f
(2025.1/epoxy backport: https://review.opendev.org/994452).

Fixes: CVE-2026-50221
Closes-Bug: #2150261
Original-Author: Tim Burke <tim.burke@gmail.com>
Brittlejf self-assigned this Jun 23, 2026
Brittlejf marked this pull request as ready for review June 23, 2026 16:22
Brittlejf requested a review from a team June 23, 2026 16:22
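The header-stripping behaviour the PR describes, as an added illustration that is not the project's own gatekeeper code or the upstream inbound_exclusions patterns: a small filter in the same style (compiled, case-insensitive regexes over header names) that drops the update-routing headers from an inbound client request while leaving legitimate headers alone. The list of 11 header names below is this example's assumption about which update headers are meant; the request headers are constructed sample input.

```python
import re

# Constructed for this example: the header names that Swift storage nodes use
# to tell each other where container/account/expirer updates should go. Assumed
# here to be the 11 update headers the PR refers to; the real gatekeeper
# patterns may be spelled differently.
ALL_UPDATE_HEADERS = [
    'X-Container-Host', 'X-Container-Partition', 'X-Container-Device',
    'X-Delete-At-Host', 'X-Delete-At-Partition', 'X-Delete-At-Device',
    'X-Delete-At-Container',
    'X-Account-Host', 'X-Account-Partition', 'X-Account-Device',
    'X-Account-Override-Deleted',
]

# Anchored at both ends so X-Account-Hostname, X-Delete-At and
# X-Container-Sync-To do not match. Header names are case-insensitive on the
# wire, so the match must be too, or a client could smuggle x-container-host.
UPDATE_HEADER_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r'^x-container-(host|partition|device)$',
        r'^x-delete-at-(host|partition|device|container)$',
        r'^x-account-(host|partition|device|override-deleted)$',
    )
]


def is_update_header(name: str) -> bool:
    """True if `name` is one of the internal update-routing headers."""
    return any(p.match(name) for p in UPDATE_HEADER_PATTERNS)


def strip_inbound_update_headers(headers):
    """Return (kept, dropped): a new header dict without update-routing
    headers, plus the names that were removed. Apply this only to headers
    arriving from the client; headers the proxy adds later are untouched."""
    kept, dropped = {}, []
    for name, value in headers.items():
        if is_update_header(name):
            dropped.append(name)
        else:
            kept[name] = value
    return kept, dropped


def blocked_count():
    """How many of the assumed 11 update headers the patterns catch."""
    return sum(1 for n in ALL_UPDATE_HEADERS if is_update_header(n))


# Constructed sample request: an authenticated client mixing normal headers
# with update-routing headers pointing at attacker-chosen hosts.
CLIENT_HEADERS = {
    'X-Auth-Token': 'AUTH_tk_example',
    'Content-Length': '4',
    'X-Delete-At': '1800000000',              # legitimate, must survive
    'X-Object-Meta-Color': 'blue',            # legitimate, must survive
    'X-Container-Sync-To': '//realm/cluster/AUTH_acct/dest',
    'X-Account-Hostname': 'legit',            # not an update header
    'X-Delete-After': '3600',
    'x-container-host': '10.0.0.9:6201',      # lower-case on purpose
    'X-Container-Partition': '42',
    'X-Container-Device': 'sdb1',
    'X-Delete-At-Host': '203.0.113.7:6201',
}

if __name__ == '__main__':
    kept, dropped = strip_inbound_update_headers(CLIENT_HEADERS)
    print('dropped:', sorted(dropped))
    print('kept:   ', sorted(kept))
    print('update headers covered:', blocked_count(), 'of', len(ALL_UPDATE_HEADERS))
```

The anchored `$` is the detail to check when reviewing a backport like this: an unanchored `x-account-host` pattern would also eat X-Account-Hostname, and an unanchored `x-delete-at` pattern would strip the public X-Delete-At API header, which is the exact false-positive set the PR's test list guards against.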

2 participants