Skip to content

sso_*: proxy path-components with %-escaped characters in tact.#284

Merged
katzdm merged 2 commits intomasterfrom
no-escape-paths
Mar 8, 2020
Merged

sso_*: proxy path-components with %-escaped characters in tact.#284
katzdm merged 2 commits intomasterfrom
no-escape-paths

Conversation

@katzdm
Copy link
Contributor

@katzdm katzdm commented Mar 6, 2020

Problem

When proxying to a path with a %-encoded / character (i.e. %2F), the Golang http.ServeMux class auto-unwraps the %-encoding. It then uses path.Clean() to "helpfully" normalize successive / characters (e.g. /a/b//c to /a/b/c, /a/b/../c to /a, etc).

Though admittedly an edge-case, the unintended side-effect is that a URL whose path contains a %-encoded URL will be proxied incorrectly. Fo instance, the URL
https://example.com/path/http:%2F%2Ffoo.com/
will be proxied to
https://example.com/path/http:/foo.com/.

Solution

Replace use of http.ServeMux with the mux.Router class from the popular https://github.com/gorilla/mux library, which allows use of URL.EscapedPath() in lieu of directly reading URL.Path. This preserves the %-wrapping of path-components, which in turn prevents path.Clean() from errantly rewriting the path.

Notes

The motivating example derives from the popular open-source Jenkins project, which uses URLs in such a form to check the health of a reverse-proxy - Hence this bug causes a Jenkins instance behind an SSO deployment to report a "broken" reverse-proxy configuration.

@katzdm katzdm requested a review from jphines March 6, 2020 16:05
jphines
jphines suggested changes Mar 6, 2020
View reviewed changes
Copy link
Contributor

@jphines jphines left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good -- but I'd like to see a test added to the proxy side.

@katzdm katzdm force-pushed the no-escape-paths branch from 1083892 to de0300b Compare March 7, 2020 00:52
@codecov
Copy link

codecov bot commented Mar 7, 2020
edited
Loading

Codecov Report

Merging #284 into master will increase coverage by 0.00%.
The diff coverage is 100.00%.

Impacted file tree graph

@@           Coverage Diff           @@
##           master     #284   +/-   ##
=======================================
  Coverage   61.85%   61.85%           
=======================================
  Files          57       57           
  Lines        4637     4638    +1     
=======================================
+ Hits         2868     2869    +1     
  Misses       1556     1556           
  Partials      213      213

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f070dc5...de0300b. Read the comment docs.

@katzdm
Copy link
Contributor Author

katzdm commented Mar 7, 2020

This looks good -- but I'd like to see a test added to the proxy side.

Great idea - Done; I've added one to oauthproxy_test.go.

@katzdm katzdm requested a review from jphines March 7, 2020 00:52
@katzdm katzdm merged commit 5b956e9 into master Mar 8, 2020
@katzdm katzdm deleted the no-escape-paths branch March 8, 2020 16:22
@Jusshersmith Jusshersmith changed the title Proxy path-components with %-escaped characters in tact. sso_*: Proxy path-components with %-escaped characters in tact. Jun 23, 2021
@Jusshersmith Jusshersmith changed the title sso_*: Proxy path-components with %-escaped characters in tact. sso_*: proxy path-components with %-escaped characters in tact. Jun 23, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@jphines jphines jphines approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@katzdm @jphines