Details
-
Bug
-
Status: Open
-
Minor
-
Resolution: Unresolved
-
1.3.1, 1.4.0
-
None
-
None
Description
I stumbled on something interesting and I want to make sure there is not a security implication. I can append anything to `/mesos/*/` endpoints and still have them resolve. The Mesos team suggested that this is something that should be addressed.
To reproduce:
1. Spin up a Mesos cluster, any environment is fine as this is a web UI issue.
2. Append `/mesos/slaves/<any string you want including /, and .>` to your Mesos master's address in the browser and it still resolves `/mesos/slaves`. The same applies to anything after `/mesos/state` and I would assume all the other Mesos endpoints following this URL pattern.
Example URLs that resolve when they probably should not:
https://<master-ip>/mesos/state/1/2/3/4/5/6/7/8/9
or https://<master-ip>/mesos/slaves/1/2/3/thisresolves/whenIt/should/not
Benno Evers from the Mesos team let me know this behavior is due to this section of code https://github.com/apache/mesos/blob/master/3rdparty/libprocess/src/process.cpp#L3953
Thanks and let me know if you need anything else from me.