author | Grzegorz Bizon <grzesiek.bizon@gmail.com> | 2019-11-28 18:23:57 +0300 |
---|---|---|
committer | Grzegorz Bizon <grzesiek.bizon@gmail.com> | 2019-11-28 18:23:57 +0300 |
commit | bd16d63cd84f28c3992f45eef9b57c93b3cc572b (patch) | |
tree | 9240d070f4c5d5b0ac9485720cbcaca7a2c8ee2a | |
parent | 738d560e79d3488277fa1355a5df4484c32a251c (diff) |
Sanitize pages URL before calculating lookup path
-rw-r--r-- | internal/source/gitlab/gitlab.go | 9 | ||||
-rw-r--r-- | internal/source/gitlab/gitlab_test.go | 13 |
2 files changed, 18 insertions, 4 deletions
diff --git a/internal/source/gitlab/gitlab.go b/internal/source/gitlab/gitlab.go
index 4abfe225..7df07f9c 100644
--- a/internal/source/gitlab/gitlab.go
+++ b/internal/source/gitlab/gitlab.go
@@ -3,6 +3,7 @@ package gitlab
 import (
 	"errors"
 	"net/http"
+	"path"
 	"strings"
 
 	"gitlab.com/gitlab-org/gitlab-pages/internal/domain"
@@ -54,7 +55,9 @@ func (g *Gitlab) Resolve(r *http.Request) (*serving.LookupPath, string, error) {
 	}
 
 	for _, lookup := range response.LookupPaths {
-		if strings.Contains(r.URL.Path, lookup.Prefix) {
+		urlPath := path.Clean(r.URL.Path)
+
+		if strings.HasPrefix(urlPath, lookup.Prefix) {
 			lookupPath := &serving.LookupPath{
 				Prefix: lookup.Prefix,
 				Path: strings.TrimPrefix(lookup.Source.Path, "/"),
@@ -64,9 +67,9 @@ func (g *Gitlab) Resolve(r *http.Request) (*serving.LookupPath, string, error) {
 				ProjectID: uint64(lookup.ProjectID),
 			}
 
-			requestPath := strings.TrimPrefix(r.URL.Path, lookup.Prefix)
+			requestPath := strings.TrimPrefix(urlPath, lookup.Prefix)
 
-			return lookupPath, requestPath, nil
+			return lookupPath, strings.TrimPrefix(requestPath, "/"), nil
 		}
 	}
 
diff --git a/internal/source/gitlab/gitlab_test.go b/internal/source/gitlab/gitlab_test.go
index 8dd3cc5f..affb1694 100644
--- a/internal/source/gitlab/gitlab_test.go
+++ b/internal/source/gitlab/gitlab_test.go
@@ -45,7 +45,7 @@ func TestResolve(t *testing.T) {
 		require.NoError(t, err)
 
 		assert.Equal(t, "/my/pages/project", lookup.Prefix)
-		assert.Equal(t, "/path/index.html", subpath)
+		assert.Equal(t, "path/index.html", subpath)
 		assert.False(t, lookup.IsNamespaceProject)
 	})
 
@@ -61,4 +61,15 @@ func TestResolve(t *testing.T) {
 		assert.Equal(t, "some/path/to/project-3/", lookup.Path)
 		assert.True(t, lookup.IsNamespaceProject)
 	})
+
+	t.Run("when request path has not been sanitized", func(t *testing.T) {
+		target := "https://test.gitlab.io:443/something/../something/../my/pages/project/index.html"
+		request := httptest.NewRequest("GET", target, nil)
+
+		lookup, subpath, err := source.Resolve(request)
+		require.NoError(t, err)
+
+		assert.Equal(t, "/my/pages/project", lookup.Prefix)
+		assert.Equal(t, "index.html", subpath)
+	})
 }
|
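Review bot: `strings.HasPrefix(urlPath, lookup.Prefix)` in the second hunk of gitlab.go matches on a plain string prefix, so with a prefix shaped like the test's `/my/pages/project` a cleaned path such as `/my/pages/project-2/index.html` would also match this lookup and the third hunk would hand back `-2/index.html` as the request path. Unless the API guarantees that every prefix ends in `/` or that lookup paths are ordered most-specific first (neither is visible here), the comparison should stop at a segment boundary: `if urlPath == lookup.Prefix || strings.HasPrefix(urlPath, strings.TrimSuffix(lookup.Prefix, "/")+"/") {`. Separately, `urlPath := path.Clean(r.URL.Path)` does not depend on `lookup` and belongs above the `for` loop so it is computed once per request. Resolve begins and ends outside these hunks.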
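Review bot: The new `t.Run` case pins only the positive direction, where the dot-segments normalise back inside `/my/pages/project`; a companion case whose cleaned path lands outside every configured prefix, e.g. `/my/pages/project/../../other/index.html`, should assert that `source.Resolve` does not return a lookup for it, so the `path.Clean` change is covered from both sides. What Resolve returns when no prefix matches is not visible in this hunk, so the exact assertion (an error, or a nil lookup) needs to follow the existing no-match behaviour. TestResolve starts outside the hunk.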