
fix: block arbitrary file index #2497

Merged
merged 5 commits into from
Jul 6, 2022

Conversation

bzp2010
Contributor

@bzp2010 bzp2010 commented Jul 6, 2022

Please answer these questions before submitting a pull request, or your PR will get closed.

Why submit this pull request?

  • Bugfix
  • New feature provided
  • Improve performance
  • Backport patches

What changes will this PR take into?

The current middleware configuration may cause the caller to check if a file exists on the server by constructing a special URL, so new middleware is added to block requests with unusual characters in the URL.

Please note that this is not a serious problem: the current code prevents arbitrary file reading issues, and no one can get access to the files on your server or write to any files.

Checklist:

  • Did you explain what problem this PR solves, or what new features have been added?
  • Have you added corresponding test cases?
  • Have you modified the corresponding document?
  • Is this PR backward compatible? If it is not backward compatible, please discuss on the mailing list first
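As an added illustration of the kind of filter this PR describes (example code written for this page, not the apisix-dashboard middleware in api/internal/filter/invalid_request.go): a net/http middleware that rejects request paths carrying characters a static-file handler would otherwise resolve against the filesystem, so the status code can no longer act as a file-existence oracle. The rejected character set, the helper names and the sample paths are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// suspiciousPath flags paths that look like probes for files outside the served
// directory. The rule set is this example's assumption, not the project's:
// percent-encoding, backslashes, doubled slashes, dot segments and control chars.
func suspiciousPath(p string) bool {
	if strings.ContainsAny(p, "%\\") || strings.Contains(p, "//") {
		return true
	}
	for _, seg := range strings.Split(p, "/") {
		if seg == "." || seg == ".." {
			return true
		}
	}
	return strings.IndexFunc(p, func(r rune) bool { return r < 0x20 || r == 0x7f }) >= 0
}

// blockInvalidRequests answers 400 before the wrapped handler (typically a
// file server) can reveal, through its status code, whether a file exists.
func blockInvalidRequests(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if suspiciousPath(r.URL.Path) || suspiciousPath(r.URL.EscapedPath()) {
			http.Error(w, "invalid request", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one GET for target through the middleware and returns the
// status code the client would see; the inner handler always answers 200.
func statusFor(target string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	rec := httptest.NewRecorder()
	blockInvalidRequests(ok).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code
}

func main() {
	for _, t := range []string{"/static/app.js", "/static/../etc/passwd", "/static/%2e%2e/etc/passwd"} {
		fmt.Println(t, "->", statusFor(t)) // 200, 400, 400
	}
}
```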

@codecov-commenter

codecov-commenter commented Jul 6, 2022

Codecov Report

Merging #2497 (4feb470) into master (4e1acf0) will increase coverage by 3.47%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master    #2497      +/-   ##
==========================================
+ Coverage   68.52%   72.00%   +3.47%     
==========================================
  Files         133       61      -72     
  Lines        3498     3975     +477     
  Branches      860        0     -860     
==========================================
+ Hits         2397     2862     +465     
+ Misses       1101      819     -282     
- Partials        0      294     +294     
Flag                     Coverage Δ
backend-e2e-test-ginkgo  64.95% <100.00%> (?)
backend-unit-test        50.61% <44.44%> (?)
frontend-e2e-test        ?

Flags with carried forward coverage won't be shown.

Impacted Files                         Coverage Δ
api/internal/filter/invalid_request.go 100.00% <100.00%> (ø)
api/internal/route.go                  87.50% <100.00%> (ø)
web/src/pages/Upstream/List.tsx
...src/pages/SSL/components/CertificateForm/index.tsx
...omponents/Upstream/components/ServiceDiscovery.tsx
...am/components/passive-check/Unhealthy/Timeouts.tsx
web/src/components/HeaderDropdown/index.tsx
web/src/pages/SSL/List.tsx
web/src/pages/Route/transform.ts
web/src/pages/Route/components/Step2/index.tsx
... and 185 more

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@juzhiyuan juzhiyuan merged commit bfc9c31 into apache:master Jul 6, 2022
bzp2010 added a commit to bzp2010/apisix-dashboard that referenced this pull request Jul 13, 2022
hongbinhsu pushed a commit to fitphp/apix-dashboard that referenced this pull request Sep 10, 2022
* upstream/master: (23 commits)
  feat: Add config struct of OpenID-Connect Login (apache#2597)
  feat: set serverUrlMap with env, update cypress, update stylelint (apache#2583)
  chore: fix function name typo (apache#2599)
  fix: page refresh causes deletion exception (apache#2593)
  feat: support show all enable plugin list tab (apache#2585)
  fix: drawer components delete plugin not working (apache#2573)
  feat: add batch delete function for route (apache#2502)
  test: reduce fe ci time (apache#2557)
  doc(csp): add correct csp rule (apache#2548)
  doc: add a notice about the compatibility of Ingress and Dashboard (apache#2552)
  fix: add judgement for last_report_time (apache#2551)
  fix: cli test invalid etcd (apache#2544)
  feat: fix actions version to root version (apache#2521)
  fix: duplicate ID (apache#2501)
  fix: block arbitrary file index (apache#2497)
  docs: update deploy-with-docker.md (apache#2472)
  feat: translating Turkish for new features (apache#2487)
  docs: add new import and export docs to sidebar (apache#2485)
  docs: add data loader and new OpenAPI 3 loader (apache#2484)
  feat: support data loader in frontend (apache#2480)
  ...

# Conflicts:
#	api/internal/route.go
#	web/config/defaultSettings.ts
#	web/yarn.lock
bzp2010 added a commit to bzp2010/apisix-dashboard that referenced this pull request Oct 31, 2022