TyleoDvDelaware3217/GoDoxy
1
0
Fork 0
mirror of https://github.com/yusing/godoxy.git synced 2025-06-09 04:52:35 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

security: sanitize path and uri

Browse source
This commit is contained in:
yusing 2025-03-22 23:53:33 +08:00
parent 4a5e0b8d81
commit f3840d56af
5 changed files with 106 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
internal/api/v1/favicon/favicon.go
View file

@ -19,6 +19,7 @@ import (
gphttp "github.com/yusing/go-proxy/internal/net/gphttp" gphttp "github.com/yusing/go-proxy/internal/net/gphttp"
"github.com/yusing/go-proxy/internal/route/routes" "github.com/yusing/go-proxy/internal/route/routes"
route "github.com/yusing/go-proxy/internal/route/types" route "github.com/yusing/go-proxy/internal/route/types"
"github.com/yusing/go-proxy/internal/utils/strutils"
) )
type fetchResult struct { type fetchResult struct {
@ -207,10 +208,7 @@ func findIconSlow(r route.HTTPRoute, req *http.Request, uri string) *fetchResult
defer cancel() defer cancel()
newReq := req.WithContext(ctx) newReq := req.WithContext(ctx)
newReq.Header.Set("Accept-Encoding", "identity") // disable compression newReq.Header.Set("Accept-Encoding", "identity") // disable compression
if !strings.HasPrefix(uri, "/") { u, err := url.ParseRequestURI(strutils.SanitizeURI(uri))
uri = "/" + uri
}
u, err := url.ParseRequestURI(uri)
if err != nil { if err != nil {
logging.Error().Err(err). logging.Error().Err(err).
Str("route", r.TargetName()). Str("route", r.TargetName()).
@ -231,11 +229,8 @@ func findIconSlow(r route.HTTPRoute, req *http.Request, uri string) *fetchResult
return &fetchResult{statusCode: http.StatusBadGateway, errMsg: "connection error"} return &fetchResult{statusCode: http.StatusBadGateway, errMsg: "connection error"}
default: default:
if loc := c.Header().Get("Location"); loc != "" { if loc := c.Header().Get("Location"); loc != "" {
loc = path.Clean(loc) loc = strutils.SanitizeURI(loc)
if !strings.HasPrefix(loc, "/") { if loc == "/" || loc == newReq.URL.Path {
loc = "/" + loc
}
if loc == newReq.URL.Path {
return &fetchResult{statusCode: http.StatusBadGateway, errMsg: "circular redirect"} return &fetchResult{statusCode: http.StatusBadGateway, errMsg: "circular redirect"}
} }
return findIconSlow(r, req, loc) return findIconSlow(r, req, loc)

10
internal/api/v1/new_agent.go
View file

@ -126,11 +126,17 @@ func VerifyNewAgent(w http.ResponseWriter, r *http.Request) {
return return
} }
if err := os.WriteFile(certs.AgentCertsFilename(data.Host), zip, 0600); err != nil { filename := certs.AgentCertsFilename(data.Host)
if !strutils.IsValidFilename(filename) {
gphttp.ClientError(w, gphttp.ErrInvalidKey("host"))
return
}
if err := os.WriteFile(filename, zip, 0600); err != nil {
gphttp.ServerError(w, r, err) gphttp.ServerError(w, r, err)
return return
} }
w.WriteHeader(http.StatusOK) w.WriteHeader(http.StatusOK)
w.Write([]byte(fmt.Sprintf("Added %d routes", nRoutesAdded))) w.Write(fmt.Appendf(nil, "Added %d routes", nRoutesAdded))
} }

11
internal/utils/strutils/filepath.go Normal file
View file

@ -0,0 +1,11 @@
package strutils
import "strings"
// IsValidFilename checks if a filename is safe and doesn't contain path traversal attempts
// Returns true if the filename is valid, false otherwise
func IsValidFilename(filename string) bool {
return !strings.Contains(filename, "/") &&
!strings.Contains(filename, "\\") &&
!strings.Contains(filename, "..")
}

20
internal/utils/strutils/url.go Normal file
View file

@ -0,0 +1,20 @@
package strutils
import "path"
// SanitizeURI sanitizes a URI reference to ensure it is safe
// It disallows URLs beginning with // or /\ as absolute URLs,
// cleans the URL path to remove any .. or . path elements,
// and ensures the URL starts with a / if it doesn't already
func SanitizeURI(uri string) string {
if uri == "" {
return "/"
}
if uri[0] != '/' {
uri = "/" + uri
}
if len(uri) > 1 && uri[0] == '/' && uri[1] != '/' && uri[1] != '\\' {
return path.Clean(uri)
}
return "/"
}

63
internal/utils/strutils/url_test.go Normal file
View file

@ -0,0 +1,63 @@
package strutils
import (
"testing"
"github.com/stretchr/testify/require"
)
func TestSanitizeURI(t *testing.T) {
tests := []struct {
name string
input string
expected string
}{
{
name: "empty string",
input: "",
expected: "/",
},
{
name: "single slash",
input: "/",
expected: "/",
},
{
name: "normal path",
input: "/path/to/resource",
expected: "/path/to/resource",
},
{
name: "path without leading slash",
input: "path/to/resource",
expected: "/path/to/resource",
},
{
name: "path with dot segments",
input: "/path/./to/../resource",
expected: "/path/resource",
},
{
name: "double slash prefix",
input: "//path/to/resource",
expected: "/",
},
{
name: "backslash prefix",
input: "/\\path/to/resource",
expected: "/",
},
{
name: "path with multiple slashes",
input: "/path//to///resource",
expected: "/path/to/resource",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := SanitizeURI(tt.input)
require.Equal(t, tt.expected, result)
})
}
}