
HTTP router lookupFunc panics with index out of range when given bad URLs #3158

Closed
arussellsaw opened this issue Oct 5, 2022 · 2 comments
Comments

arussellsaw commented Oct 5, 2022

👋 hello!

We often see panics coming from our router when we get hit by people vuln scanning our app. We use lookupFunc to serve our frontend if no backend routes match. I think we're just missing a range check before evaluating. Obviously this isn't your code, but it's in the router in the code generated by Goa. I'll raise this issue on the treemux repo too, but figured it was worth reporting here.

For what it's worth, it looks like the router hasn't been actively maintained in the last year; perhaps switching to a maintained router would be worthwhile?

An example URL that panics: GET /images/../cgi/cgi_i_filter.js

Here's the rough shape of our setup:

import (
	"net/http"

	// Import paths assumed from the identifiers used below: httptreemux for the
	// LookupResult type, gin-contrib/static for static.LocalFile.
	"github.com/dimfeld/httptreemux/v5"
	"github.com/gin-contrib/static"
)

// LookupFunc is associated with a mux router. It permits querying the router to see if it
// can respond to a request.
type LookupFunc func(w http.ResponseWriter, r *http.Request) (httptreemux.LookupResult, bool)

// SinglePageApp returns a wrapper that serves the SPA from dirPath for any request
// the router does not claim.
func SinglePageApp(urlPrefix, dirPath string, includeSourcemaps bool) func(h http.Handler, lookupFunc LookupFunc) http.Handler {
	fs := static.LocalFile(dirPath, true)
	fileserver := http.FileServer(fs)
	if urlPrefix != "" {
		fileserver = http.StripPrefix(urlPrefix, fileserver)
	}

	return func(h http.Handler, lookupFunc LookupFunc) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			// If we have an official route for this request, we should skip our handler. We
			// only run when we can't find a match.
			if _, found := lookupFunc(w, r); found {
				h.ServeHTTP(w, r)
				return
			}

			// Unknown paths fall back to the SPA entry point so client-side routing works.
			if !fs.Exists(urlPrefix, r.URL.Path) {
				r.URL.Path = "/"
			}
			// serving the SPA goes here
			fileserver.ServeHTTP(w, r)
		})
	}
}

thanks! 🙏
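A defence-in-depth wrapper for the setup described above, added here as an example and not code from the issue, Goa or httptreemux: it normalizes dot segments before the router sees the path and converts a panic inside the lookup into a logged "not found" instead of a dropped connection. It uses only the standard library; LookupFunc is simplified to return a bool, and the hypothetical names cleanPath and safeLookup are mine.

```go
package main

import (
	"log"
	"net/http"
	"path"
	"strings"
)

// LookupFunc mirrors the shape used in the issue, minus the httptreemux result
// type: it reports whether the wrapped router can serve the request. (assumed)
type LookupFunc func(w http.ResponseWriter, r *http.Request) bool

// cleanPath collapses "." and ".." segments so the router never sees a path such
// as /images/../cgi/cgi_i_filter.js. A trailing slash is preserved because routers
// treat it as significant. It returns the cleaned path and whether the input was
// already clean.
func cleanPath(p string) (string, bool) {
	if p == "" {
		return "/", false
	}
	if p[0] != '/' {
		p = "/" + p
	}
	cleaned := path.Clean(p)
	if strings.HasSuffix(p, "/") && cleaned != "/" {
		cleaned += "/"
	}
	return cleaned, cleaned == p
}

// safeLookup cleans the request path, then calls the router. If the router
// panics, the panic is recovered and logged and the request is treated as
// unmatched, so a single scanner request cannot surface as a stack trace.
// It reports whether a route was found and whether the router panicked.
func safeLookup(lookup LookupFunc, w http.ResponseWriter, r *http.Request) (found bool, panicked bool) {
	defer func() {
		if rec := recover(); rec != nil {
			log.Printf("router panic on %q: %v", r.URL.Path, rec)
			found, panicked = false, true
		}
	}()
	if cleaned, ok := cleanPath(r.URL.Path); !ok {
		// Rewrite the in-flight request so the router and the SPA fallback agree.
		// Issuing a redirect to the cleaned path would be the other option.
		r.URL.Path = cleaned
		r.URL.RawPath = ""
	}
	return lookup(w, r), false
}
```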

raphael (Member) commented Oct 10, 2022

Thank you for raising the issue. As you mentioned, there isn't much Goa can do to fix this. However, note that the generated code only requires an object that implements the Goa Muxer interface (and optionally MiddlewareMuxer). The generated example makes use of the router implemented in the Goa HTTP package, which relies on httptreemux, but that's just a default, not a requirement. I'd love to know if you can provide an alternative implementation that relies on a maintained router.

github-actions bot commented

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

github-actions bot closed this as not planned (won't fix, can't repro, duplicate, stale) Dec 18, 2022