Decode user and password from env configured proxy #5
Conversation
leipert
force-pushed
the
leipert-add-decoding-to-proxy-env
branch
2 times, most recently
from
aab98eb
to
8e3fcf0
Compare
leipert
force-pushed
the
leipert-add-decoding-to-proxy-env
branch
2 times, most recently
from
18ea109
to
a698159
Compare
|
Switched to using https://gitlab.com/gitlab-org/gitlab/-/merge_requests/52368#note_500425249 |
|
@hsbt / @nobu Could either of you review this contribution? Thank you in advance 🙇 Have also created this issue in the bug tracker: https://bugs.ruby-lang.org/issues/17542 |
lib/net/http.rb
Outdated
| @@ -1180,7 +1180,8 @@ def proxy_port | |||
| # The username of the proxy server, if one is configured. | |||
| def proxy_user | |||
| if ENVIRONMENT_VARIABLE_IS_MULTIUSER_SAFE && @proxy_from_env | |||
| proxy_uri&.user | |||
| user = proxy_uri&.user | |||
| CGI.unescape(user) unless user.nil? | |||
There was a problem hiding this comment.
As cgi.rb isn't required here, it results in uninitialized constant Net::HTTP::CGI error.
There was a problem hiding this comment.
And why unless user.nil? instead of if user?
There was a problem hiding this comment.
@nobu Thanks for the review, changed it to if user and if pass respectively and added a require 'cgi' at the top.
There was a problem hiding this comment.
Maybe require "cgi/escape" is enough?
There was a problem hiding this comment.
Wouldn't it be require "cgi/util" though? And what is the difference between CGI::unescape and CGI.unescape
There was a problem hiding this comment.
Changed it to require "cgi/util". Hope that is alright.
There was a problem hiding this comment.
As for method calls, :: and . are equivalent.
. seems preferred in these days though.
And, as CGI is used only when proxy env is given, it can be deferred to that cases only.
There was a problem hiding this comment.
Thank you @nobu. I don't understand the following aspect completely:
And, as CGI is used only when proxy env is given, it can be deferred to that cases only.
I don't know how the Ruby dependency loading works exactly (I was wondering that the tests didn't catch uninitialized constant Net::HTTP::CGI) you described in the first place.
Should I use autoload for the CGI module (autoload :CGI, 'cgi/util'), or should I potentially require it someplace else, for example in one of those places:
There was a problem hiding this comment.
@nobu Moved back to the . syntax and moved the require to the conditionals.
leipert
force-pushed
the
leipert-add-decoding-to-proxy-env
branch
4 times, most recently
from
c6899e4
to
5b57481
Compare
lib/net/http.rb
Outdated
| user = proxy_uri&.user | ||
| CGI::unescape(user) if user |
There was a problem hiding this comment.
Related to #5 (comment), I think they are referring to move the require 'cgi/util' L24 inside the conditions:
| user = proxy_uri&.user | |
| CGI::unescape(user) if user | |
| user = proxy_uri&.user | |
| if user | |
| require 'cgi/util' | |
| CGI::unescape(user) | |
| end |
There was a problem hiding this comment.
An alternative to this is to extract a private method and re-use it in both places:
unescape(user) if user
private
def unescape(string)
require 'cgi/util'
CGI::unescape(string)
endThere was a problem hiding this comment.
Related to #5 (comment), I think they are referring to move the
require 'cgi/util'L24 inside the conditions:
I agree on this.
leipert
force-pushed
the
leipert-add-decoding-to-proxy-env
branch
2 times, most recently
from
622e321
to
5d9ee8e
Compare
If someone sets an env variable defining a http_proxy, containing a
username / password with percent-encoded characters, then the resulting
base64 encoded auth header will be wrong.
For example, suppose a username is `Y\X` and the password is `R%S] ?X`.
Properly URL encoded the proxy url would be:
http://Y%5CX:R%25S%5D%20%3FX@proxy.example:8000
The resulting proxy auth header should be: `WVxYOlIlU10gP1g=`, but the
getters defined by ruby StdLib `URI` return a username `Y%5CX` and
password `R%25S%5D%20%3FX`, resulting in `WSU1Q1g6UiUyNVMlNUQlMjAlM0ZY`.
As a result the proxy will deny the request.
Please note that this is my first contribution to the ruby ecosystem, to
standard lib especially and I am not a ruby developer.
References:
- https://gitlab.com/gitlab-org/gitlab/-/issues/289836
- https://bugs.ruby-lang.org/projects/ruby-master/repository/trunk/revisions/58461
- https://bugs.ruby-lang.org/issues/17542
leipert
force-pushed
the
leipert-add-decoding-to-proxy-env
branch
from
5d9ee8e
to
a3b1b67
Compare
|
Thank you @nobu / @mame / @jeremyevans / @arturoherrero! 👍 |
If someone sets an env variable defining a http_proxy, containing a
username / password with percent-encoded characters, then the resulting
base64 encoded auth header will be wrong.
For example, suppose a username is
Y\Xand the password isR%S] ?X.Properly URL encoded the proxy url would be:
The resulting proxy auth header should be:
WVxYOlIlU10gP1g=, but thegetters defined by ruby StdLib
URIreturn a usernameY%5CXandpassword
R%25S%5D%20%3FX, resulting inWSU1Q1g6UiUyNVMlNUQlMjAlM0ZY.As a result the proxy will deny the request.
Please note that this is my first contribution to the ruby ecosystem, to
standard lib especially and I am not a ruby developer.
Sorry for that and a happy and healthy 2021!
References: