
sso_*: proxy path-components with %-escaped characters intact. #284

Merged (2 commits), Mar 8, 2020

Conversation

@katzdm (Contributor) commented Mar 6, 2020

Problem

When proxying to a path with a %-encoded / character (i.e. %2F), the Golang http.ServeMux class auto-unwraps the %-encoding. It then uses path.Clean() to "helpfully" normalize successive / characters (e.g. /a/b//c to /a/b/c, /a/b/../c to /a, etc).

Though admittedly an edge-case, the unintended side-effect is that a URL whose path contains a %-encoded URL will be proxied incorrectly. For instance, the URL
https://example.com/path/http:%2F%2Ffoo.com/
will be proxied to
https://example.com/path/http:/foo.com/.

Solution

Replace use of http.ServeMux with the mux.Router class from the popular https://github.com/gorilla/mux library, which allows use of URL.EscapedPath() in lieu of directly reading URL.Path. This preserves the %-wrapping of path-components, which in turn prevents path.Clean() from errantly rewriting the path.

Notes

The motivating example derives from the popular open-source Jenkins project, which uses URLs in such a form to check the health of a reverse-proxy; hence this bug causes a Jenkins instance behind an SSO deployment to report a "broken" reverse-proxy configuration.
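The behaviour described in this PR, worked through as an added example (this is not code from the PR or from the sso project, and it uses only the Go standard library rather than gorilla/mux). The sample URLs are constructed, the upstream host jenkins.internal:8080 is hypothetical, and muxCleanPath reproduces the trailing-slash-preserving normalisation that net/http.ServeMux applies to request paths. It goes one step beyond the PR's Jenkins case with a second input showing that decoding %2F before cleaning can also manufacture a ".." traversal out of what was a single opaque path segment:

```go
package main

import (
	"fmt"
	"net/url"
	"path"
)

// Constructed sample inputs (not taken from the PR or its test suite):
//  - sampleURL mirrors the Jenkins reverse-proxy health check quoted in the PR.
//  - traversalURL shows the related hazard: one opaque segment, "b%2F..%2Fc",
//    becomes "b/../c" once %2F is decoded, and path.Clean then walks up a level.
//  - upstreamBase is a hypothetical upstream; any host would do.
const (
	sampleURL    = "https://example.com/path/http:%2F%2Ffoo.com/"
	traversalURL = "https://example.com/a/b%2F..%2Fc"
	upstreamBase = "http://jenkins.internal:8080"
)

// muxCleanPath reproduces the normalisation net/http.ServeMux applies before
// routing: path.Clean, plus restoring the trailing slash that Clean strips.
func muxCleanPath(p string) string {
	if p == "" {
		return "/"
	}
	if p[0] != '/' {
		p = "/" + p
	}
	np := path.Clean(p)
	if p[len(p)-1] == '/' && np != "/" {
		np += "/"
	}
	return np
}

// decodedThenCleaned is the failure mode the PR describes: URL.Path is the
// %-decoded form, so "%2F" is already "/" by the time the path is cleaned.
func decodedThenCleaned(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	return muxCleanPath(u.Path), nil
}

// escapedThenCleaned is the fix: clean URL.EscapedPath() instead, where "%2F"
// is still three literal characters rather than a segment separator.
func escapedThenCleaned(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	return muxCleanPath(u.EscapedPath()), nil
}

// upstreamURL builds the URL to forward to the upstream. Setting RawPath next
// to Path makes url.URL.String() re-emit the client's original escaping.
func upstreamURL(base, raw string) (string, error) {
	in, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	out, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	out.Path = in.Path
	out.RawPath = in.EscapedPath()
	out.RawQuery = in.RawQuery
	return out.String(), nil
}

func main() {
	for _, raw := range []string{sampleURL, traversalURL} {
		broken, _ := decodedThenCleaned(raw)
		fixed, _ := escapedThenCleaned(raw)
		fwd, _ := upstreamURL(upstreamBase, raw)
		fmt.Printf("input: %s\n", raw)
		fmt.Printf("  decoded then cleaned (bug): %s\n", broken)
		fmt.Printf("  escaped then cleaned (fix): %s\n", fixed)
		fmt.Printf("  forwarded to upstream:      %s\n", fwd)
	}
}
```

The practical check when reviewing any Go proxy or router is whether it matches and rewrites on URL.Path or on URL.EscapedPath(); only the latter keeps an encoded slash from being treated as a path separator, and only setting RawPath on the outgoing url.URL keeps that encoding on the wire to the upstream.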

@katzdm katzdm requested a review from jphines March 6, 2020 16:05
@jphines (Contributor) left a comment

This looks good -- but I'd like to see a test added to the proxy side.

codecov bot commented Mar 7, 2020

Codecov Report

Merging #284 into master will increase coverage by 0.00%.
The diff coverage is 100.00%.


@@           Coverage Diff           @@
##           master     #284   +/-   ##
=======================================
  Coverage   61.85%   61.85%           
=======================================
  Files          57       57           
  Lines        4637     4638    +1     
=======================================
+ Hits         2868     2869    +1     
  Misses       1556     1556           
  Partials      213      213           

Last update f070dc5...de0300b.

@katzdm (Contributor, Author) commented Mar 7, 2020

This looks good -- but I'd like to see a test added to the proxy side.

Great idea - Done; I've added one to oauthproxy_test.go.

@katzdm katzdm requested a review from jphines March 7, 2020 00:52
@katzdm katzdm merged commit 5b956e9 into master Mar 8, 2020
@katzdm katzdm deleted the no-escape-paths branch March 8, 2020 16:22
@Jusshersmith Jusshersmith changed the title Proxy path-components with %-escaped characters in tact. sso_*: Proxy path-components with %-escaped characters in tact. Jun 23, 2021
@Jusshersmith Jusshersmith changed the title sso_*: Proxy path-components with %-escaped characters in tact. sso_*: proxy path-components with %-escaped characters in tact. Jun 23, 2021