we often see panics coming from our router when we get hit by people vuln scanning our app. we use lookupFunc to serve our frontend if no backend routes match. I think we're just missing a range check before evaluating. Obviously this isn't your code, but it's in the router in the code generated by goa. I'll raise this issue on the treemux repo too, but figured it was worth reporting here.
for what it's worth, it looks like the router hasn't been actively maintained in the last year, perhaps switching to a maintained router would be worthwhile?
an example URL that panics: `GET /images/../cgi/cgi_i_filter.js`
Here's the rough shape of our setup:
```go
// LookupFunc is associated with a mux router. It permits querying the router to see if it
// can respond to a request.
type LookupFunc func(w http.ResponseWriter, r *http.Request) (httptreemux.LookupResult, bool)

func SinglePageApp(urlPrefix, dirPath string, includeSourcemaps bool) func(h http.Handler, lookupFunc LookupFunc) http.Handler {
	fs := static.LocalFile(dirPath, true)
	fileserver := http.FileServer(fs)
	if urlPrefix != "" {
		fileserver = http.StripPrefix(urlPrefix, fileserver)
	}
	return func(h http.Handler, lookupFunc LookupFunc) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			// If we have an official route for this request, we should skip our handler. We
			// only run when we can't find a match.
			if _, found := lookupFunc(w, r); found {
				h.ServeHTTP(w, r)
				return
			}
			if !fs.Exists(urlPrefix, r.URL.Path) {
				r.URL.Path = "/"
			}
			// serving the SPA goes here
		})
	}
}
```
thanks! 🙏
Thank you for raising the issue. As you mentioned there isn't much Goa can do to fix this. However note that the generated code only requires an object that implements the Goa Muxer interface (and optionally MiddlewareMuxer). The generated example makes use of the router implemented in the Goa HTTP package which relies on httptreemux but that's just a default - not a requirement. I'd love to know if you can provide an alternative implementation that relies on a maintained router.
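One way to contain this at the application layer while the router question is open, as an added example that is not code from the issue, Goa or httptreemux: wrap the lookup so the path is canonicalised first and any panic is reported as "no backend route". `SafeLookup`, `fragileLookup` and `Probe` are hypothetical names, `LookupFunc` is simplified to return only the bool, and `fragileLookup` is a constructed stand-in for a router with a missing range check.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// LookupFunc is a simplified, hypothetical form of the issue's LookupFunc (bool only).
type LookupFunc func(w http.ResponseWriter, r *http.Request) bool

// SafeLookup cleans the path on a copy of the request, then contains any panic.
func SafeLookup(next LookupFunc) LookupFunc {
	return func(w http.ResponseWriter, r *http.Request) (found bool) {
		defer func() {
			if rec := recover(); rec != nil {
				found = false // caller falls through to the SPA handler
			}
		}()
		r2 := r.Clone(r.Context())
		r2.URL.Path = path.Clean("/" + r.URL.Path) // note: also drops a trailing slash
		return next(w, r2)
	}
}

// fragileLookup is a constructed stand-in for a router bug; not httptreemux's code.
func fragileLookup(w http.ResponseWriter, r *http.Request) bool {
	segs := strings.Split(r.URL.Path, "/")
	for i, s := range segs {
		if s == ".." {
			_ = segs[i+len(segs)] // index out of range: panics
		}
	}
	return strings.HasPrefix(r.URL.Path, "/api/")
}

// Probe runs one lookup and reports whether it matched and whether it panicked.
func Probe(l LookupFunc, target string) (found, panicked bool) {
	defer func() { panicked = recover() != nil }()
	return l(httptest.NewRecorder(), httptest.NewRequest(http.MethodGet, target, nil)), false
}

func main() {
	fmt.Println(Probe(fragileLookup, "/images/../cgi/cgi_i_filter.js")) // URL from the issue
	fmt.Println(Probe(SafeLookup(fragileLookup), "/images/../cgi/cgi_i_filter.js"))
}
```

Logging the recovered value and the raw request path inside the deferred function gives a record of which scanner inputs reach the router.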