mirror of
https://github.com/yusing/godoxy.git
synced 2025-06-09 04:52:35 +02:00
security: sanitize path and uri
This commit is contained in:
yusing
parent
4a5e0b8d81
commit
f3840d56af
5 changed files with 106 additions and 11 deletions
|
|
@ -19,6 +19,7 @@ import (
|
|||
gphttp "github.com/yusing/go-proxy/internal/net/gphttp"
|
||||
"github.com/yusing/go-proxy/internal/route/routes"
|
||||
route "github.com/yusing/go-proxy/internal/route/types"
|
||||
"github.com/yusing/go-proxy/internal/utils/strutils"
|
||||
)
|
||||
|
||||
type fetchResult struct {
|
||||
|
|
@ -207,10 +208,7 @@ func findIconSlow(r route.HTTPRoute, req *http.Request, uri string) *fetchResult
|
|||
defer cancel()
|
||||
newReq := req.WithContext(ctx)
|
||||
newReq.Header.Set("Accept-Encoding", "identity") // disable compression
|
||||
if !strings.HasPrefix(uri, "/") {
|
||||
uri = "/" + uri
|
||||
}
|
||||
u, err := url.ParseRequestURI(uri)
|
||||
u, err := url.ParseRequestURI(strutils.SanitizeURI(uri))
|
||||
if err != nil {
|
||||
logging.Error().Err(err).
|
||||
Str("route", r.TargetName()).
|
||||
|
|
@ -231,11 +229,8 @@ func findIconSlow(r route.HTTPRoute, req *http.Request, uri string) *fetchResult
|
|||
return &fetchResult{statusCode: http.StatusBadGateway, errMsg: "connection error"}
|
||||
default:
|
||||
if loc := c.Header().Get("Location"); loc != "" {
|
||||
loc = path.Clean(loc)
|
||||
if !strings.HasPrefix(loc, "/") {
|
||||
loc = "/" + loc
|
||||
}
|
||||
if loc == newReq.URL.Path {
|
||||
loc = strutils.SanitizeURI(loc)
|
||||
if loc == "/" || loc == newReq.URL.Path {
|
||||
return &fetchResult{statusCode: http.StatusBadGateway, errMsg: "circular redirect"}
|
||||
}
|
||||
return findIconSlow(r, req, loc)
|
||||
|
|
|
|||
|
|
@ -126,11 +126,17 @@ func VerifyNewAgent(w http.ResponseWriter, r *http.Request) {
|
|||
return
|
||||
}
|
||||
|
||||
if err := os.WriteFile(certs.AgentCertsFilename(data.Host), zip, 0600); err != nil {
|
||||
filename := certs.AgentCertsFilename(data.Host)
|
||||
if !strutils.IsValidFilename(filename) {
|
||||
gphttp.ClientError(w, gphttp.ErrInvalidKey("host"))
|
||||
return
|
||||
}
|
||||
|
||||
if err := os.WriteFile(filename, zip, 0600); err != nil {
|
||||
gphttp.ServerError(w, r, err)
|
||||
return
|
||||
}
|
||||
|
||||
w.WriteHeader(http.StatusOK)
|
||||
w.Write([]byte(fmt.Sprintf("Added %d routes", nRoutesAdded)))
|
||||
w.Write(fmt.Appendf(nil, "Added %d routes", nRoutesAdded))
|
||||
}
|
||||
|
|
|
|||
11
internal/utils/strutils/filepath.go
Normal file
11
internal/utils/strutils/filepath.go
Normal file
|
|
@ -0,0 +1,11 @@
|
|||
package strutils
|
||||
|
||||
import "strings"
|
||||
|
||||
// IsValidFilename checks if a filename is safe and doesn't contain path traversal attempts
|
||||
// Returns true if the filename is valid, false otherwise
|
||||
func IsValidFilename(filename string) bool {
|
||||
return !strings.Contains(filename, "/") &&
|
||||
!strings.Contains(filename, "\\") &&
|
||||
!strings.Contains(filename, "..")
|
||||
}
|
||||
20
internal/utils/strutils/url.go
Normal file
20
internal/utils/strutils/url.go
Normal file
|
|
@ -0,0 +1,20 @@
|
|||
package strutils
|
||||
|
||||
import "path"
|
||||
|
||||
// SanitizeURI sanitizes a URI reference to ensure it is safe
|
||||
// It disallows URLs beginning with // or /\ as absolute URLs,
|
||||
// cleans the URL path to remove any .. or . path elements,
|
||||
// and ensures the URL starts with a / if it doesn't already
|
||||
func SanitizeURI(uri string) string {
|
||||
if uri == "" {
|
||||
return "/"
|
||||
}
|
||||
if uri[0] != '/' {
|
||||
uri = "/" + uri
|
||||
}
|
||||
if len(uri) > 1 && uri[0] == '/' && uri[1] != '/' && uri[1] != '\\' {
|
||||
return path.Clean(uri)
|
||||
}
|
||||
return "/"
|
||||
}
|
||||
63
internal/utils/strutils/url_test.go
Normal file
63
internal/utils/strutils/url_test.go
Normal file
|
|
@ -0,0 +1,63 @@
|
|||
package strutils
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
func TestSanitizeURI(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
input string
|
||||
expected string
|
||||
}{
|
||||
{
|
||||
name: "empty string",
|
||||
input: "",
|
||||
expected: "/",
|
||||
},
|
||||
{
|
||||
name: "single slash",
|
||||
input: "/",
|
||||
expected: "/",
|
||||
},
|
||||
{
|
||||
name: "normal path",
|
||||
input: "/path/to/resource",
|
||||
expected: "/path/to/resource",
|
||||
},
|
||||
{
|
||||
name: "path without leading slash",
|
||||
input: "path/to/resource",
|
||||
expected: "/path/to/resource",
|
||||
},
|
||||
{
|
||||
name: "path with dot segments",
|
||||
input: "/path/./to/../resource",
|
||||
expected: "/path/resource",
|
||||
},
|
||||
{
|
||||
name: "double slash prefix",
|
||||
input: "//path/to/resource",
|
||||
expected: "/",
|
||||
},
|
||||
{
|
||||
name: "backslash prefix",
|
||||
input: "/\\path/to/resource",
|
||||
expected: "/",
|
||||
},
|
||||
{
|
||||
name: "path with multiple slashes",
|
||||
input: "/path//to///resource",
|
||||
expected: "/path/to/resource",
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
result := SanitizeURI(tt.input)
|
||||
require.Equal(t, tt.expected, result)
|
||||
})
|
||||
}
|
||||
}
|
||||
Loading…
Add table
Reference in a new issue