Kong · subnetmarco · Feb 21, 2017 · Feb 21, 2017
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -40,6 +40,8 @@ perform significantly better than any previous version.
 - Separate Admin API and Proxy error logs. Admin API logs are now written to
   `logs/admin_access.log`.
   [#1782](https://github.com/Mashape/kong/pull/1782)
+- Final slashes in `upstream_url` are no longer allowed.
+  [#2115](https://github.com/Mashape/kong/pull/2115)
 
 ### Added
 

diff --git a/kong/dao/migrations/cassandra.lua b/kong/dao/migrations/cassandra.lua
@@ -278,6 +278,11 @@ return {
         local hosts
         local uris
 
+        local upstream_url = row.upstream_url
+        while string.sub(upstream_url, #upstream_url) == "/" do
+          upstream_url = string.sub(upstream_url, 1, #upstream_url - 1)
+        end
+
         if row.request_host then
           hosts = { row.request_host }
         end
@@ -290,6 +295,7 @@ return {
           hosts = hosts,
           uris = uris,
           strip_uri = row.strip_request_path,
+          upstream_url = upstream_url,
         }, { id = row.id })
         if err then
           return err

diff --git a/kong/dao/migrations/postgres.lua b/kong/dao/migrations/postgres.lua
@@ -264,6 +264,12 @@ return {
       for _, row in ipairs(rows) do
         local set = {}
 
+        local upstream_url = row.upstream_url
+        while string.sub(upstream_url, #upstream_url) == "/" do
+          upstream_url = string.sub(upstream_url, 1, #upstream_url - 1)
+        end
+        set[#set + 1] = fmt("upstream_url = '%s'", upstream_url)
+
         if row.request_host and row.request_host ~= "" then
           set[#set + 1] = fmt("hosts = '%s'", 
                               cjson.encode({ row.request_host }))

diff --git a/kong/dao/schemas/apis.lua b/kong/dao/schemas/apis.lua
@@ -5,7 +5,7 @@ local Errors = require "kong.dao.errors"
 local sub = string.sub
 local match = string.match
 
-local function validate_upstream_url_protocol(value)
+local function validate_upstream_url(value)
   local parsed_url = url.parse(value)
   if parsed_url.scheme and parsed_url.host then
     parsed_url.scheme = parsed_url.scheme:lower()
@@ -14,6 +14,10 @@ local function validate_upstream_url_protocol(value)
     end
   end
 
+  if parsed_url.path and string.sub(value, #value) == "/" then
+    return false, "Cannot end with a slash"
+  end
+
   return true
 end
 
@@ -198,7 +202,7 @@ return {
     strip_uri = {type = "boolean", default = true},
     https_only = {type = "boolean", default = false},
     http_if_terminated = {type = "boolean", default = true},
-    upstream_url = {type = "url", required = true, func = validate_upstream_url_protocol},
+    upstream_url = {type = "url", required = true, func = validate_upstream_url},
     preserve_host = {type = "boolean", default = false},
     retries = {type = "number", default = 5, func = check_smallint},
     upstream_connect_timeout = {type = "number", default = 60000, func = check_u_int},

diff --git a/spec/01-unit/08-entities_schemas_spec.lua b/spec/01-unit/08-entities_schemas_spec.lua
@@ -76,6 +76,16 @@ describe("Entities Schemas", function()
         }, api_schema)
         assert.is_false(valid)
         assert.equal("Supported protocols are HTTP and HTTPS", errors.upstream_url)
+      end)
+
+      it("should return error with final slash in upstream_url", function()
+        local valid, errors = validate_entity({
+          name = "mockbin",
+          upstream_url = "http://mockbin.com/",
+          hosts = { "mockbin.com" },
+        }, api_schema)
+        assert.is_false(valid)
+        assert.equal("Cannot end with a slash", errors.upstream_url)
 
       end)
 

diff --git a/spec/02-integration/02-dao/04-constraints_spec.lua b/spec/02-integration/02-dao/04-constraints_spec.lua
@@ -45,7 +45,7 @@ helpers.for_each_dao(function(kong_config)
         assert.falsy(err)
         assert.is_table(plugin)
         assert.equal(api_fixture.id, plugin.api_id)
-        assert.same({hide_credentials = false, key_names = {"apikey"}, anonymous = false}, plugin.config)
+        assert.same({hide_credentials = false, key_names = {"apikey"}, anonymous = ""}, plugin.config)
       end)
       it("insert a valid plugin bis", function()
         plugin_fixture.api_id = api_fixture.id
@@ -55,7 +55,7 @@ helpers.for_each_dao(function(kong_config)
         assert.falsy(err)
         assert.is_table(plugin)
         assert.equal(api_fixture.id, plugin.api_id)
-        assert.same({hide_credentials = false, key_names = {"api_key"}, anonymous = false}, plugin.config)
+        assert.same({hide_credentials = false, key_names = {"api_key"}, anonymous = ""}, plugin.config)
       end)
       describe("unique per API/Consumer", function()
         it("API/Plugin", function()