authorGabriel Marks <gabriel.marks@mongodb.com>2020-08-06 17:20:49 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2020-08-07 16:59:33 +0000
commitadb23953e19f055aed6a19ead71d36d64ff2f069 (patch)
tree32744be0d1891ba6d12c073bc263b47eb2866d38 /src/mongo
parentccdc110fda7a7ba4bcd19eb731264448555e00d7 (diff)
downloadmongo-adb23953e19f055aed6a19ead71d36d64ff2f069.tar.gz
SERVER-49081 Add check for IP addresses in split horizon configurations
Diffstat (limited to 'src/mongo')
-rw-r--r--src/mongo/db/repl/repl_server_parameters.idl9
-rw-r--r--src/mongo/db/repl/repl_set_config.cpp27
2 files changed, 36 insertions, 0 deletions
diff --git a/src/mongo/db/repl/repl_server_parameters.idl b/src/mongo/db/repl/repl_server_parameters.idl
index 42de982716f..87791f827bc 100644
--- a/src/mongo/db/repl/repl_server_parameters.idl
+++ b/src/mongo/db/repl/repl_server_parameters.idl
@@ -314,3 +314,12 @@ server_parameters:
default: 3
validator:
gt: 0
+
+ disableSplitHorizonIPCheck:
+ description: >-
+ If true, disable check for IP addresses in split horizon configurations. As per the
+ definition of SNI laid out in RFC6066, literal IP addresses are not allowed as server names.
+ set_at: startup
+ cpp_vartype: bool
+ cpp_varname: disableSplitHorizonIPCheck
+ default: false
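Review bot: The description of disableSplitHorizonIPCheck says what the flag switches off but not what accepting such a configuration means for an operator, and since this is a startup-only escape hatch from a validation that exists for the RFC 6066 reason the description itself cites, that consequence is the piece a reader deciding whether to set it needs. Suggest one added sentence in the description, e.g. `Setting this to true lets a replica set config with IP-literal horizon hosts be accepted, even though such a host can never be presented as an SNI name.` Whether a horizon keyed by an IP literal is then simply unreachable through SNI matching is not visible here; confirm against the horizon-matching code before wording it that strongly.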
diff --git a/src/mongo/db/repl/repl_set_config.cpp b/src/mongo/db/repl/repl_set_config.cpp
index 114fd84df18..27440b43e12 100644
--- a/src/mongo/db/repl/repl_set_config.cpp
+++ b/src/mongo/db/repl/repl_set_config.cpp
@@ -40,6 +40,7 @@
#include "mongo/bson/util/bson_extract.h"
#include "mongo/db/jsobj.h"
#include "mongo/db/mongod_options.h"
+#include "mongo/db/repl/repl_server_parameters_gen.h"
#include "mongo/db/server_options.h"
#include "mongo/logv2/log.h"
#include "mongo/util/str.h"
@@ -65,6 +66,11 @@ const Milliseconds ReplSetConfig::kDefaultCatchUpTakeoverDelay(30000);
namespace {
const std::string kStepDownCheckWriteConcernModeName = "$stepDownCheck";
+
+bool isValidCIDRRange(StringData host) {
+ return CIDR::parse(host).isOK();
+}
+
} // namespace
/* static */
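Review bot: isValidCIDRRange carries no comment, yet validate() relies on it as an "is this an IP literal" test, and the name does not say whether a bare address with no `/prefix`, or a bracketed versus unbracketed IPv6 literal, is accepted by CIDR::parse; if that grammar is narrower than the helper's use assumes, plain-IP horizon hosts would pass the new check, which is exactly the case the commit is meant to reject. Add a comment stating the contract the caller depends on, e.g. `// True when host parses as an IPv4/IPv6 address or CIDR range. validate() uses this to reject IP literals in horizon mappings, which RFC 6066 disallows as SNI names.`, and pin the bare-IPv4, bare-IPv6 and CIDR-range inputs in the unit tests so the dependence on CIDR::parse's accepted forms is explicit. The anonymous namespace opens before this hunk, and the validate() caller is in the following hunk.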
@@ -198,6 +204,27 @@ Status ReplSetConfig::validate() const {
for (size_t i = 0; i < getMembers().size(); ++i) {
const MemberConfig& memberI = getMembers()[i];
+ // Check that no horizon mappings contain IP addresses
+ if (!disableSplitHorizonIPCheck) {
+ for (auto&& mapping : memberI.getHorizonMappings()) {
+ // Ignore the default horizon -- this can be an IP
+ if (mapping.first == SplitHorizon::kDefaultHorizon) {
+ continue;
+ }
+
+ // Anything which can be parsed as a valid CIDR range will cause failure
+ if (isValidCIDRRange(mapping.second.host())) {
+ return Status(ErrorCodes::UnsupportedFormat,
+ str::stream() << "Found split horizon configuration using IP "
+ "address, which is disallowed: "
+ << kMembersFieldName << "." << i << "."
+ << MemberConfig::kHorizonsFieldName
+ << " contains entry {\"" << mapping.first
+ << "\": \"" << mapping.second.toString() << "\"}");
+ }
+ }
+ }
+
// Check the replica set configuration for errors in horizon specification:
// * Check that all members have the same set of horizon names
// * Check that no hostname:port appears more than once for any member