authorGrzegorz Bizon <grzesiek.bizon@gmail.com>2019-11-28 18:23:57 +0300
committerGrzegorz Bizon <grzesiek.bizon@gmail.com>2019-11-28 18:23:57 +0300
commitbd16d63cd84f28c3992f45eef9b57c93b3cc572b (patch)
tree9240d070f4c5d5b0ac9485720cbcaca7a2c8ee2a
parent738d560e79d3488277fa1355a5df4484c32a251c (diff)
Sanitize pages URL before calculating lookup path
-rw-r--r--internal/source/gitlab/gitlab.go9
-rw-r--r--internal/source/gitlab/gitlab_test.go13
2 files changed, 18 insertions, 4 deletions
diff --git a/internal/source/gitlab/gitlab.go b/internal/source/gitlab/gitlab.go
index 4abfe225..7df07f9c 100644
--- a/internal/source/gitlab/gitlab.go
+++ b/internal/source/gitlab/gitlab.go
@@ -3,6 +3,7 @@ package gitlab
import (
"errors"
"net/http"
+ "path"
"strings"
"gitlab.com/gitlab-org/gitlab-pages/internal/domain"
@@ -54,7 +55,9 @@ func (g *Gitlab) Resolve(r *http.Request) (*serving.LookupPath, string, error) {
}
for _, lookup := range response.LookupPaths {
- if strings.Contains(r.URL.Path, lookup.Prefix) {
+ urlPath := path.Clean(r.URL.Path)
+
+ if strings.HasPrefix(urlPath, lookup.Prefix) {
lookupPath := &serving.LookupPath{
Prefix: lookup.Prefix,
Path: strings.TrimPrefix(lookup.Source.Path, "/"),
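Review bot: `strings.HasPrefix(urlPath, lookup.Prefix)` matches on a raw string prefix rather than a path-segment boundary, so with a prefix like `/my/pages/project` (the form used in the tests) a request for `/my/pages/project-other/index.html` would also resolve to that lookup path and yield the subpath `-other/index.html` in the next hunk. Require the prefix to end at a segment boundary, e.g. `if urlPath == lookup.Prefix || strings.HasPrefix(urlPath, strings.TrimSuffix(lookup.Prefix, "/")+"/") {`, which also keeps a root prefix of `/` working should the API return one. `urlPath := path.Clean(r.URL.Path)` does not depend on `lookup`, so move it above the `for` loop instead of recomputing it on every iteration. Resolve begins before this hunk and its return statement is in the following hunk.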
@@ -64,9 +67,9 @@ func (g *Gitlab) Resolve(r *http.Request) (*serving.LookupPath, string, error) {
ProjectID: uint64(lookup.ProjectID),
}
- requestPath := strings.TrimPrefix(r.URL.Path, lookup.Prefix)
+ requestPath := strings.TrimPrefix(urlPath, lookup.Prefix)
- return lookupPath, requestPath, nil
+ return lookupPath, strings.TrimPrefix(requestPath, "/"), nil
}
}
diff --git a/internal/source/gitlab/gitlab_test.go b/internal/source/gitlab/gitlab_test.go
index 8dd3cc5f..affb1694 100644
--- a/internal/source/gitlab/gitlab_test.go
+++ b/internal/source/gitlab/gitlab_test.go
@@ -45,7 +45,7 @@ func TestResolve(t *testing.T) {
require.NoError(t, err)
assert.Equal(t, "/my/pages/project", lookup.Prefix)
- assert.Equal(t, "/path/index.html", subpath)
+ assert.Equal(t, "path/index.html", subpath)
assert.False(t, lookup.IsNamespaceProject)
})
@@ -61,4 +61,15 @@ func TestResolve(t *testing.T) {
assert.Equal(t, "some/path/to/project-3/", lookup.Path)
assert.True(t, lookup.IsNamespaceProject)
})
+
+ t.Run("when request path has not been sanitized", func(t *testing.T) {
+ target := "https://test.gitlab.io:443/something/../something/../my/pages/project/index.html"
+ request := httptest.NewRequest("GET", target, nil)
+
+ lookup, subpath, err := source.Resolve(request)
+ require.NoError(t, err)
+
+ assert.Equal(t, "/my/pages/project", lookup.Prefix)
+ assert.Equal(t, "index.html", subpath)
+ })
}
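Review bot: The new subtest covers `..` traversal, but nothing exercises the boundary of the prefix match the cleaned path is now compared against; a sibling path that shares the prefix only as a string, e.g. `https://test.gitlab.io:443/my/pages/project-other/index.html`, should be asserted not to resolve to `/my/pages/project` (what it resolves to instead depends on the stubbed API response, which is outside this hunk). A request for exactly the prefix with no trailing slash would also pin the expected subpath (`""` after the trailing-slash trim). Both fit in a few lines in the style of the added subtest. TestResolve's earlier subtests are outside this hunk.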