authorNick Thomas <nick@gitlab.com>2018-01-31 22:42:08 +0300
committerNick Thomas <nick@gitlab.com>2018-02-19 17:29:12 +0300
commitfbf87a29cf31ade0244f8d98729dda89c29a464c (patch)
tree2de796422f73ae2e3cee387017b014cd045575fc /domain_test.go
parenta57de7adc1288ceafb3e6dcd50a3f0be1cec0028 (diff)
Serve a secure redirect in case of accessing /foo
When a request's path resolved to a directory on disk and lacked a trailing slash character, we issued a 302 Found redirect to the request's path plus the missing trailing slash. However, some request paths are valid absolute URIs (particularly protocol-neutral //example.com URIs), so this was an open redirect vulnerability. This problem is avoided by generating a URI from the actual location of the file that we want to present. There were also numerous potential bypasses of other security checks for inferred index.html files and custom error pages; this commit closes those holes at the same time by recursively running the checks where necessary.
Diffstat (limited to 'domain_test.go')
-rw-r--r--domain_test.go25
1 files changed, 18 insertions, 7 deletions
diff --git a/domain_test.go b/domain_test.go
index e1d5154f..26be21eb 100644
--- a/domain_test.go
+++ b/domain_test.go
@@ -24,18 +24,24 @@ func TestGroupServeHTTP(t *testing.T) {
assert.HTTPBodyContains(t, testGroup.ServeHTTP, "GET", "http://group.test.io/", nil, "main-dir")
assert.HTTPBodyContains(t, testGroup.ServeHTTP, "GET", "http://group.test.io/index.html", nil, "main-dir")
- assert.True(t, assert.HTTPRedirect(t, testGroup.ServeHTTP, "GET", "http://group.test.io/project", nil))
+ assert.HTTPRedirect(t, testGroup.ServeHTTP, "GET", "http://group.test.io/project", nil)
+ assert.HTTPBodyContains(t, testGroup.ServeHTTP, "GET", "http://group.test.io/project", nil,
+ `<a href="//group.test.io/project/">Found</a>`)
assert.HTTPBodyContains(t, testGroup.ServeHTTP, "GET", "http://group.test.io/project/", nil, "project-subdir")
assert.HTTPBodyContains(t, testGroup.ServeHTTP, "GET", "http://group.test.io/project/index.html", nil, "project-subdir")
- assert.True(t, assert.HTTPRedirect(t, testGroup.ServeHTTP, "GET", "http://group.test.io/project/subdir", nil))
+ assert.HTTPRedirect(t, testGroup.ServeHTTP, "GET", "http://group.test.io/project/subdir", nil)
+ assert.HTTPBodyContains(t, testGroup.ServeHTTP, "GET", "http://group.test.io/project/subdir", nil,
+ `<a href="//group.test.io/project/subdir/">Found</a>`)
assert.HTTPBodyContains(t, testGroup.ServeHTTP, "GET", "http://group.test.io/project/subdir/", nil, "project-subsubdir")
assert.HTTPBodyContains(t, testGroup.ServeHTTP, "GET", "http://group.test.io/project2/", nil, "project2-main")
assert.HTTPBodyContains(t, testGroup.ServeHTTP, "GET", "http://group.test.io/project2/index.html", nil, "project2-main")
- assert.True(t, assert.HTTPError(t, testGroup.ServeHTTP, "GET", "http://group.test.io/symlink", nil))
- assert.True(t, assert.HTTPError(t, testGroup.ServeHTTP, "GET", "http://group.test.io/symlink/index.html", nil))
- assert.True(t, assert.HTTPError(t, testGroup.ServeHTTP, "GET", "http://group.test.io/symlink/subdir/", nil))
- assert.True(t, assert.HTTPError(t, testGroup.ServeHTTP, "GET", "http://group.test.io/project/fifo", nil))
- assert.True(t, assert.HTTPError(t, testGroup.ServeHTTP, "GET", "http://group.test.io/not-existing-file", nil))
+ assert.HTTPError(t, testGroup.ServeHTTP, "GET", "http://group.test.io//about.gitlab.com/%2e%2e", nil)
+ assert.HTTPError(t, testGroup.ServeHTTP, "GET", "http://group.test.io/symlink", nil)
+ assert.HTTPError(t, testGroup.ServeHTTP, "GET", "http://group.test.io/symlink/index.html", nil)
+ assert.HTTPError(t, testGroup.ServeHTTP, "GET", "http://group.test.io/symlink/subdir/", nil)
+ assert.HTTPError(t, testGroup.ServeHTTP, "GET", "http://group.test.io/project/fifo", nil)
+ assert.HTTPError(t, testGroup.ServeHTTP, "GET", "http://group.test.io/not-existing-file", nil)
+ assert.HTTPError(t, testGroup.ServeHTTP, "GET", "http://group.test.io/project//about.gitlab.com/%2e%2e", nil)
}
func TestDomainServeHTTP(t *testing.T) {
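Review bot: The redirect target is only checked through the `Found</a>` anchor in the response body (the new assert.HTTPBodyContains calls for /project and /project/subdir), while the property the commit is fixing lives in the Location header; asserting that header directly pins the open-redirect fix independently of how the body happens to be rendered. The same applies to the `/subdir` case added in TestDomainServeHTTP. The expected target `//group.test.io/project/` is itself scheme-relative, so a short comment stating why that is acceptable here, e.g. `// host is taken from the request, not the path, so a scheme-relative target cannot leave the site`, would help the next reader who greps for `//` redirects. The regression inputs `//about.gitlab.com/%2e%2e` and `project//about.gitlab.com/%2e%2e` are only meaningful because `%2e%2e` cleans back to a directory; a comment to that effect next to them would keep them from being "simplified" away later.

```go
// … unchanged: earlier assertions …
rr := httptest.NewRecorder()
req := httptest.NewRequest("GET", "http://group.test.io/project", nil)
testGroup.ServeHTTP(rr, req)
assert.Equal(t, http.StatusFound, rr.Code)
assert.Equal(t, "//group.test.io/project/", rr.Header().Get("Location"))
// … unchanged: remaining assertions …
```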
@@ -49,9 +55,14 @@ func TestDomainServeHTTP(t *testing.T) {
},
}
+ assert.HTTPBodyContains(t, testDomain.ServeHTTP, "GET", "/", nil, "project2-main")
assert.HTTPBodyContains(t, testDomain.ServeHTTP, "GET", "/index.html", nil, "project2-main")
assert.HTTPRedirect(t, testDomain.ServeHTTP, "GET", "/subdir", nil)
+ assert.HTTPBodyContains(t, testDomain.ServeHTTP, "GET", "/subdir", nil,
+ `<a href="/subdir/">Found</a>`)
assert.HTTPBodyContains(t, testDomain.ServeHTTP, "GET", "/subdir/", nil, "project2-subdir")
+ assert.HTTPBodyContains(t, testDomain.ServeHTTP, "GET", "/subdir/index.html", nil, "project2-subdir")
+ assert.HTTPError(t, testDomain.ServeHTTP, "GET", "//about.gitlab.com/%2e%2e", nil)
assert.HTTPError(t, testDomain.ServeHTTP, "GET", "/not-existing-file", nil)
}