Denial-of-Service at net/url.(*URL).Query by "//%2f" #41153

Closed
dwisiswant0 opened this issue Sep 1, 2020 · 5 comments

@dwisiswant0 dwisiswant0 commented Sep 1, 2020

What version of Go are you using (go version)?

$ go version
go version go1.14.7 linux/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN="/home/dw1/.go/bin"
GOCACHE="/home/dw1/.cache/go-build"
GOENV="/home/dw1/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/dw1/.go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/snap/go/6274"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/snap/go/6274/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build141242694=/tmp/go-build -gno-record-gcc-switches"

What did you do?

package main

import (
	"fmt"
	"net/url"
)

func main() {
	raw := "//%2f?id=1"
	prs, _ := url.Parse(raw)
	qry := prs.Query()

	fmt.Println(qry)
}

Initially, I tried to parse query from URLs under several conditions:

| String | Status |
|---|---|
| /%2f?id=1 | OK |
| //?id=1 | OK |
| //%2f?id=1 | PANIC |
| ///?id=1 | OK |
| ///%2f?id=1 | OK |

What did you expect to see?

map[id:[1]]

What did you see instead?

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x60 pc=0x49a342]

goroutine 1 [running]:
net/url.(*URL).Query(0x0, 0xa)
        /snap/go/6274/src/net/url/url.go:1032 +0x22
main.main()
        /tmp/query-test.go:11 +0x48
exit status 2

@davecheney davecheney commented Sep 1, 2020

I don’t think we can accept this bug report as your sample does not check the error returned from URL.Parse


@dwisiswant0 dwisiswant0 commented Sep 1, 2020

Aight, but from the conditions that I describe, if I check for an error return:
invalid URL escape "%2f"

And still valid for:

| String | Status |
|---|---|
| /%2f?id=1 | PASSED |
| //?id=1 | PASSED |
| //%2f?id=1 | NOPE |
| ///?id=1 | PASSED |
| ///%2f?id=1 | PASSED |

@davecheney davecheney commented Sep 1, 2020

Would you be able to rewrite your issue report to include correct error handling? Thank you.


@dwisiswant0 dwisiswant0 commented Sep 1, 2020

On it.

@dwisiswant0 dwisiswant0 closed this Sep 1, 2020

@rsc rsc commented Sep 1, 2020

url.Parse is working correctly here: https://play.golang.org/p/0rVDegfUUIk.
You may not realize that two leading slashes mark a protocol-relative URL.
The parse error happens because %2f is not a valid host name,
in contrast to "x" and "" (an omitted host name).
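
The behaviour discussed in this thread, as an added example that is not part of the original issue or of the Go project's code: it runs the five inputs from the reporter's table through url.Parse with the error checked, so the rejected host escape surfaces as an error instead of a nil pointer dereference. The helper names safeQuery and describe are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// safeQuery (hypothetical helper) parses raw and returns its query values.
// Unlike the reproducer, it never touches the *url.URL when url.Parse reports
// an error, because url.Parse returns a nil *URL in that case.
func safeQuery(raw string) (url.Values, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	return u.Query(), nil
}

// describe (hypothetical helper) summarises how url.Parse split one input
// into host, path and query, or why it rejected the input.
func describe(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		// url.Parse wraps the cause in *url.Error; errors.As unwraps it.
		var esc url.EscapeError
		if errors.As(err, &esc) {
			return fmt.Sprintf("rejected: bad escape %q", string(esc))
		}
		return "rejected: " + err.Error()
	}
	return fmt.Sprintf("host=%q path=%q id=%q", u.Host, u.Path, u.Query().Get("id"))
}

func main() {
	// The five inputs from the issue's table.
	inputs := []string{"/%2f?id=1", "//?id=1", "//%2f?id=1", "///?id=1", "///%2f?id=1"}
	for _, raw := range inputs {
		fmt.Printf("%-14s %s\n", raw, describe(raw))
	}
}
```

Only `//%2f?id=1` places `%2f` in the host position; in the other four inputs it is either absent or part of the path, where the escape is accepted.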
