sso_*: proxy path-components with %-escaped characters intact. #284
Problem
When proxying to a path with a %-encoded `/` character (i.e. `%2F`), the Golang `http.ServeMux` class auto-unwraps the %-encoding. It then uses `path.Clean()` to "helpfully" normalize successive `/` characters (e.g. `/a/b//c` to `/a/b/c`, `/a/b/../c` to `/a`, etc).

Though admittedly an edge-case, the unintended side-effect is that a URL whose path contains a %-encoded URL will be proxied incorrectly. For instance, the URL `https://example.com/path/http:%2F%2Ffoo.com/` will be proxied to `https://example.com/path/http:/foo.com/`.

Solution
Replace use of `http.ServeMux` with the `mux.Router` class from the popular https://github.com/gorilla/mux library, which allows use of `URL.EscapedPath()` in lieu of directly reading `URL.Path`. This preserves the %-wrapping of path-components, which in turn prevents `path.Clean()` from errantly rewriting the path.

Notes
The motivating example derives from the popular open-source Jenkins project, which uses URLs in such a form to check the health of a reverse-proxy. Hence this bug causes a Jenkins instance behind an SSO deployment to report a "broken" reverse-proxy configuration.
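The mechanism the description refers to can be reproduced with the standard library alone. The following is an added example written for this page; it is not code from this pull request, from the sso project, or from gorilla/mux. `cleanPath` is a copy of the slash-preserving wrapper around `path.Clean` that `net/http` applies to request paths, `ForwardedURL` is a hypothetical helper that builds the upstream URL both ways, and the upstream `https://example.com` and the Jenkins-style request target are constructed inputs. It also goes one step beyond the PR's case by showing what happens to a %-encoded dot segment once the proxy stops normalizing.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// cleanPath mirrors the unexported helper net/http runs on request paths:
// path.Clean, plus restoring the trailing slash that path.Clean strips.
func cleanPath(p string) string {
	if p == "" {
		return "/"
	}
	if p[0] != '/' {
		p = "/" + p
	}
	np := path.Clean(p)
	if p[len(p)-1] == '/' && np != "/" {
		if len(p) == len(np)+1 && strings.HasPrefix(p, np) {
			np = p
		} else {
			np += "/"
		}
	}
	return np
}

// ForwardedURL (hypothetical helper, illustration only) builds the URL a
// proxy would send upstream for an incoming request target.
//
// preserveEscapes=false reproduces the http.ServeMux behaviour from the PR
// description: the decoded URL.Path is cleaned, so a %2F that decoded to "/"
// collapses into its neighbouring slash.
// preserveEscapes=true is the approach the PR takes: clean URL.EscapedPath()
// instead, where %2F is an ordinary three-byte token that path.Clean ignores.
func ForwardedURL(upstream, requestTarget string, preserveEscapes bool) (string, error) {
	base, err := url.Parse(upstream)
	if err != nil {
		return "", err
	}
	in, err := url.Parse(requestTarget)
	if err != nil {
		return "", err
	}

	target := *base
	target.RawQuery = in.RawQuery
	if preserveEscapes {
		esc := cleanPath(in.EscapedPath())
		dec, err := url.PathUnescape(esc)
		if err != nil {
			return "", err
		}
		// Setting both fields lets url.URL.String() emit RawPath verbatim.
		target.Path = dec
		target.RawPath = esc
	} else {
		target.Path = cleanPath(in.Path)
		target.RawPath = ""
	}
	return target.String(), nil
}

func main() {
	// Constructed request target in the shape Jenkins uses for its
	// reverse-proxy health check (from the PR description).
	const req = "/path/http:%2F%2Ffoo.com/"
	for _, keep := range []bool{false, true} {
		out, err := ForwardedURL("https://example.com", req, keep)
		if err != nil {
			panic(err)
		}
		fmt.Printf("preserveEscapes=%-5v -> %s\n", keep, out)
	}
}
```

Running it shows the decoded variant collapsing `http://foo.com/` to `http:/foo.com/` while the escaped variant forwards `http:%2F%2Ffoo.com/` untouched. The flip side is worth checking before adopting the fix: once the proxy cleans the escaped form, a request target such as `/a/%2E%2E/b` is forwarded as `/a/%2E%2E/b` rather than being collapsed to `/b`, so any path-based decision the proxy itself makes (allow-lists, per-prefix auth) must operate on the decoded path, and dot-segment handling is left to the upstream.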