author | Vladimir Shushlin <v.shushlin@gmail.com> | 2021-11-10 18:38:22 +0300 |
committer | Vladimir Shushlin <v.shushlin@gmail.com> | 2021-11-11 11:42:42 +0300 |
commit | bf9c79a5477b61f375be659e2e16f377067d9c00 (patch) | |
tree | fbd7c2ceece4af9fc87e45c43679a725015e7588 /app.go | |
parent | aa897ce9849d35cd7ff1121351f1033e91d0c062 (diff) |
fix: reject requests with very long URIs
Some parts of the application may be vulnerable to very long URIs being passed.
E.g. Auth will try to save the URI to the session cookie, and it will fail, which will result in a 500 error
Changelog: fixed
Diffstat (limited to 'app.go')
-rw-r--r-- | app.go | 7 |
1 files changed, 4 insertions, 3 deletions
@@ -39,6 +39,7 @@ import (
 "gitlab.com/gitlab-org/gitlab-pages/internal/serving/disk/zip"
 "gitlab.com/gitlab-org/gitlab-pages/internal/source"
 "gitlab.com/gitlab-org/gitlab-pages/internal/source/gitlab"
+ "gitlab.com/gitlab-org/gitlab-pages/internal/urilimiter"
 "gitlab.com/gitlab-org/gitlab-pages/metrics"
 )
@@ -292,10 +293,10 @@ func (a *theApp) buildHandlerPipeline() (http.Handler, error) {
 handler = handlePanicMiddleware(handler)
 handler = correlation.InjectCorrelationID(handler, correlationOpts...)
- // This MUST be the last handler!
- // This handler blocks unknown HTTP methods,
- // being the last means it will be evaluated first
+ // These middlewares MUST be added in the end.
+ // Being last means they will be evaluated first
 // preventing any operation on bogus requests.
+ handler = urilimiter.NewMiddleware(handler, a.config.General.MaxURILength)
 handler = rejectmethods.NewMiddleware(handler)
 return handler, nil
|
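Review bot: The rewritten comment above the two `NewMiddleware` calls no longer says which of them runs first, and "MUST be added in the end" reads awkwardly; since each wrap becomes the outermost layer, `rejectmethods` (added last) evaluates first and `urilimiter` second, which is the intended order but is only recoverable by reading the wrapping backwards. I would replace the two added comment lines with `// These middlewares MUST be added last: each wrap becomes the outermost layer, so rejectmethods runs first, then urilimiter, before any other handler (including correlation-ID injection) sees a bogus request.` split over two or three lines. A consequence worth stating there is that requests rejected by either middleware never reach `correlation.InjectCorrelationID`, so any log line they produce will carry no correlation ID — acceptable, but it should be a documented choice rather than a surprise during incident triage. The hunk also gives no indication of how `a.config.General.MaxURILength` behaves when it is zero or unset; if `urilimiter` treats 0 as "no limit" that belongs in the comment, and if it does not, the config default must be checked so a missing value does not reject every request (presumably the limit is only meaningful below `http.Server.MaxHeaderBytes`, which already bounds the whole request head — confirm). buildHandlerPipeline starts before this hunk.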