Canonicalize all proxito slashes #8028

ericholscher · 2021-03-17T21:42:48Z

This is currently broken,
eg. this URL works:
https://docs.readthedocs.io/en/latest///index.html

This is currently broken, eg. this URL works: https://docs.readthedocs.io/en/latest///index.html

humitos

Looks good to me! I just made a comment about the re module.

humitos · 2021-03-18T10:07:47Z

readthedocs/proxito/middleware.py

@@ -173,6 +174,10 @@ def process_request(self, request):  # noqa
        if hasattr(ret, 'status_code'):
            return ret

+        if '//' in request.path:
+            # Remove multiple slashes from URL's
+            return redirect(re.sub('//+', '/', request.get_full_path()))


Just wanted to mention that may be better to use regex module if we are applying the regex on user's input. IIRC, there was some security/performance in the re module that are not present in regex.

regex is dangerous when the pattern is arbitrary (ReDOS), here the matching is the one that is arbitrary, so all good.

Yea, this regex is super simple, so I don't think it should be an issue.

humitos · 2021-03-18T10:08:14Z

readthedocs/proxito/tests/test_redirects.py

+    def test_slash_redirect(self):
+        host = 'project.dev.readthedocs.io'
+
+        url = '/en/latest////awesome.html'


I suppose it will work the same way, but we could add a test with trailing slashes.

/en/latest/awesome.html/// should give 404

'/en/latest//// should work

We aren't doing any 404 checking here, it will always return a 302 for any path in /, since that's happening before any checking of the code. I added a test checking the // at the end tho.

stsewd · 2021-03-18T14:35:48Z

readthedocs/proxito/middleware.py

+            url_parsed = urlparse(request.get_full_path())
+            clean_path = re.sub('//+', '/', url_parsed.path)
+            new_parsed = url_parsed._replace(path=clean_path)
+            return redirect(urlunparse(new_parsed))


think you can use new_parsed.geturl()

We're using it the same way in other places in the code, so I'll keep it for now. We can update it all later.

Hrm seems like that is a special case, and we're using geturl() too. Will update 👍

Canonicalize all proxito slashes

4043a0a

This is currently broken, eg. this URL works: https://docs.readthedocs.io/en/latest///index.html

ericholscher requested a review from a team March 17, 2021 21:43

stsewd approved these changes Mar 17, 2021

View reviewed changes

humitos approved these changes Mar 18, 2021

View reviewed changes

Only parse the path not the params

96e7393

stsewd reviewed Mar 18, 2021

View reviewed changes

Use geturl() instead of urlunparse

11b114c

ericholscher enabled auto-merge (squash) March 18, 2021 14:43

ericholscher merged commit 0b3d41b into master Mar 18, 2021
3 checks passed

ericholscher deleted the proxito-slash-normalization branch March 18, 2021 14:50

Canonicalize all proxito slashes #8028

Canonicalize all proxito slashes #8028

ericholscher commented Mar 17, 2021

humitos left a comment

humitos Mar 18, 2021

stsewd Mar 18, 2021

ericholscher Mar 18, 2021

humitos Mar 18, 2021

ericholscher Mar 18, 2021

stsewd Mar 18, 2021

ericholscher Mar 18, 2021

ericholscher Mar 18, 2021

Canonicalize all proxito slashes #8028

Canonicalize all proxito slashes #8028

Conversation

ericholscher commented Mar 17, 2021

humitos left a comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment