Support sanitising the URL by removing extra slashes in the URL (#21333)
Changes in this PR : Strips incoming request URL of additional slashes (/). For example an input like `https://git.data.coop//halfd/new-website.git` is translated to `https://git.data.coop/halfd/new-website.git` Fixes https://github.com/go-gitea/gitea/issues/20462 Fix #23242 --------- Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Jason Song <i@wolfogre.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
This commit is contained in:
parent
188c8c12c2
commit
547c173dab
2 changed files with 103 additions and 2 deletions
|
@ -16,7 +16,7 @@ import (
|
||||||
"code.gitea.io/gitea/modules/web/routing"
|
"code.gitea.io/gitea/modules/web/routing"
|
||||||
|
|
||||||
"github.com/chi-middleware/proxy"
|
"github.com/chi-middleware/proxy"
|
||||||
"github.com/go-chi/chi/v5/middleware"
|
chi "github.com/go-chi/chi/v5"
|
||||||
)
|
)
|
||||||
|
|
||||||
// Middlewares returns common middlewares
|
// Middlewares returns common middlewares
|
||||||
|
@ -48,7 +48,8 @@ func Middlewares() []func(http.Handler) http.Handler {
|
||||||
handlers = append(handlers, proxy.ForwardedHeaders(opt))
|
handlers = append(handlers, proxy.ForwardedHeaders(opt))
|
||||||
}
|
}
|
||||||
|
|
||||||
handlers = append(handlers, middleware.StripSlashes)
|
// Strip slashes.
|
||||||
|
handlers = append(handlers, stripSlashesMiddleware)
|
||||||
|
|
||||||
if !setting.Log.DisableRouterLog {
|
if !setting.Log.DisableRouterLog {
|
||||||
handlers = append(handlers, routing.NewLoggerHandler())
|
handlers = append(handlers, routing.NewLoggerHandler())
|
||||||
|
@ -81,3 +82,33 @@ func Middlewares() []func(http.Handler) http.Handler {
|
||||||
})
|
})
|
||||||
return handlers
|
return handlers
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func stripSlashesMiddleware(next http.Handler) http.Handler {
|
||||||
|
return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
|
||||||
|
var urlPath string
|
||||||
|
rctx := chi.RouteContext(req.Context())
|
||||||
|
if rctx != nil && rctx.RoutePath != "" {
|
||||||
|
urlPath = rctx.RoutePath
|
||||||
|
} else if req.URL.RawPath != "" {
|
||||||
|
urlPath = req.URL.RawPath
|
||||||
|
} else {
|
||||||
|
urlPath = req.URL.Path
|
||||||
|
}
|
||||||
|
|
||||||
|
sanitizedPath := &strings.Builder{}
|
||||||
|
prevWasSlash := false
|
||||||
|
for _, chr := range strings.TrimRight(urlPath, "/") {
|
||||||
|
if chr != '/' || !prevWasSlash {
|
||||||
|
sanitizedPath.WriteRune(chr)
|
||||||
|
}
|
||||||
|
prevWasSlash = chr == '/'
|
||||||
|
}
|
||||||
|
|
||||||
|
if rctx == nil {
|
||||||
|
req.URL.Path = sanitizedPath.String()
|
||||||
|
} else {
|
||||||
|
rctx.RoutePath = sanitizedPath.String()
|
||||||
|
}
|
||||||
|
next.ServeHTTP(resp, req)
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
70
routers/common/middleware_test.go
Normal file
70
routers/common/middleware_test.go
Normal file
|
@ -0,0 +1,70 @@
|
||||||
|
// Copyright 2022 The Gitea Authors. All rights reserved.
|
||||||
|
// SPDX-License-Identifier: MIT
|
||||||
|
package common
|
||||||
|
|
||||||
|
import (
|
||||||
|
"net/http"
|
||||||
|
"net/http/httptest"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestStripSlashesMiddleware(t *testing.T) {
|
||||||
|
type test struct {
|
||||||
|
name string
|
||||||
|
expectedPath string
|
||||||
|
inputPath string
|
||||||
|
}
|
||||||
|
|
||||||
|
tests := []test{
|
||||||
|
{
|
||||||
|
name: "path with multiple slashes",
|
||||||
|
inputPath: "https://github.com///go-gitea//gitea.git",
|
||||||
|
expectedPath: "/go-gitea/gitea.git",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "path with no slashes",
|
||||||
|
inputPath: "https://github.com/go-gitea/gitea.git",
|
||||||
|
expectedPath: "/go-gitea/gitea.git",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "path with slashes in the middle",
|
||||||
|
inputPath: "https://git.data.coop//halfd/new-website.git",
|
||||||
|
expectedPath: "/halfd/new-website.git",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "path with slashes in the middle",
|
||||||
|
inputPath: "https://git.data.coop//halfd/new-website.git",
|
||||||
|
expectedPath: "/halfd/new-website.git",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "path with slashes in the end",
|
||||||
|
inputPath: "/user2//repo1/",
|
||||||
|
expectedPath: "/user2/repo1",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "path with slashes and query params",
|
||||||
|
inputPath: "/repo//migrate?service_type=3",
|
||||||
|
expectedPath: "/repo/migrate",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "path with encoded slash",
|
||||||
|
inputPath: "/user2/%2F%2Frepo1",
|
||||||
|
expectedPath: "/user2/%2F%2Frepo1",
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, tt := range tests {
|
||||||
|
testMiddleware := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
assert.Equal(t, tt.expectedPath, r.URL.Path)
|
||||||
|
})
|
||||||
|
|
||||||
|
// pass the test middleware to validate the changes
|
||||||
|
handlerToTest := stripSlashesMiddleware(testMiddleware)
|
||||||
|
// create a mock request to use
|
||||||
|
req := httptest.NewRequest("GET", tt.inputPath, nil)
|
||||||
|
// call the handler using a mock response recorder
|
||||||
|
handlerToTest.ServeHTTP(httptest.NewRecorder(), req)
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in a new issue