author | Nick Thomas <nick@gitlab.com> | 2018-01-31 22:42:08 +0300 |
---|---|---|
committer | Nick Thomas <nick@gitlab.com> | 2018-02-19 17:29:12 +0300 |
commit | fbf87a29cf31ade0244f8d98729dda89c29a464c (patch) | |
tree | 2de796422f73ae2e3cee387017b014cd045575fc /domain_test.go | |
parent | a57de7adc1288ceafb3e6dcd50a3f0be1cec0028 (diff) |
Serve a secure redirect in case of accessing /foo
When a request's path resolved to a directory on disk and lacked a trailing
slash character, we issued a 302 Found redirect to the request's path, plus the
missing trailing slash. However, some request paths are valid absolute URIs
(particularly protocol-neutral //example.com URIs), so this was an open redirect
vulnerability.
This problem is avoided by generating a URI from the actual location of a file
that we want to present.
There were also numerous potential bypasses of other security checks for
inferred index.html files and custom error pages; this commit closes these
holes at the same time by recursively running the checks if necessary.
Diffstat (limited to 'domain_test.go')
-rw-r--r-- | domain_test.go | 25 |
1 files changed, 18 insertions, 7 deletions
diff --git a/domain_test.go b/domain_test.go
index e1d5154f..26be21eb 100644
--- a/domain_test.go
+++ b/domain_test.go
@@ -24,18 +24,24 @@ func TestGroupServeHTTP(t *testing.T) {
 assert.HTTPBodyContains(t, testGroup.ServeHTTP, "GET", "http://group.test.io/", nil, "main-dir")
 assert.HTTPBodyContains(t, testGroup.ServeHTTP, "GET", "http://group.test.io/index.html", nil, "main-dir")
- assert.True(t, assert.HTTPRedirect(t, testGroup.ServeHTTP, "GET", "http://group.test.io/project", nil))
+ assert.HTTPRedirect(t, testGroup.ServeHTTP, "GET", "http://group.test.io/project", nil)
+ assert.HTTPBodyContains(t, testGroup.ServeHTTP, "GET", "http://group.test.io/project", nil,
+ `<a href="//group.test.io/project/">Found</a>`)
 assert.HTTPBodyContains(t, testGroup.ServeHTTP, "GET", "http://group.test.io/project/", nil, "project-subdir")
 assert.HTTPBodyContains(t, testGroup.ServeHTTP, "GET", "http://group.test.io/project/index.html", nil, "project-subdir")
- assert.True(t, assert.HTTPRedirect(t, testGroup.ServeHTTP, "GET", "http://group.test.io/project/subdir", nil))
+ assert.HTTPRedirect(t, testGroup.ServeHTTP, "GET", "http://group.test.io/project/subdir", nil)
+ assert.HTTPBodyContains(t, testGroup.ServeHTTP, "GET", "http://group.test.io/project/subdir", nil,
+ `<a href="//group.test.io/project/subdir/">Found</a>`)
 assert.HTTPBodyContains(t, testGroup.ServeHTTP, "GET", "http://group.test.io/project/subdir/", nil, "project-subsubdir")
 assert.HTTPBodyContains(t, testGroup.ServeHTTP, "GET", "http://group.test.io/project2/", nil, "project2-main")
 assert.HTTPBodyContains(t, testGroup.ServeHTTP, "GET", "http://group.test.io/project2/index.html", nil, "project2-main")
- assert.True(t, assert.HTTPError(t, testGroup.ServeHTTP, "GET", "http://group.test.io/symlink", nil))
- assert.True(t, assert.HTTPError(t, testGroup.ServeHTTP, "GET", "http://group.test.io/symlink/index.html", nil))
- assert.True(t, assert.HTTPError(t, testGroup.ServeHTTP, "GET", "http://group.test.io/symlink/subdir/", nil))
- assert.True(t, assert.HTTPError(t, testGroup.ServeHTTP, "GET", "http://group.test.io/project/fifo", nil))
- assert.True(t, assert.HTTPError(t, testGroup.ServeHTTP, "GET", "http://group.test.io/not-existing-file", nil))
+ assert.HTTPError(t, testGroup.ServeHTTP, "GET", "http://group.test.io//about.gitlab.com/%2e%2e", nil)
+ assert.HTTPError(t, testGroup.ServeHTTP, "GET", "http://group.test.io/symlink", nil)
+ assert.HTTPError(t, testGroup.ServeHTTP, "GET", "http://group.test.io/symlink/index.html", nil)
+ assert.HTTPError(t, testGroup.ServeHTTP, "GET", "http://group.test.io/symlink/subdir/", nil)
+ assert.HTTPError(t, testGroup.ServeHTTP, "GET", "http://group.test.io/project/fifo", nil)
+ assert.HTTPError(t, testGroup.ServeHTTP, "GET", "http://group.test.io/not-existing-file", nil)
+ assert.HTTPError(t, testGroup.ServeHTTP, "GET", "http://group.test.io/project//about.gitlab.com/%2e%2e", nil)
 }
 func TestDomainServeHTTP(t *testing.T) {
@@ -49,9 +55,14 @@ func TestDomainServeHTTP(t *testing.T) {
 },
 }
+ assert.HTTPBodyContains(t, testDomain.ServeHTTP, "GET", "/", nil, "project2-main")
 assert.HTTPBodyContains(t, testDomain.ServeHTTP, "GET", "/index.html", nil, "project2-main")
 assert.HTTPRedirect(t, testDomain.ServeHTTP, "GET", "/subdir", nil)
+ assert.HTTPBodyContains(t, testDomain.ServeHTTP, "GET", "/subdir", nil,
+ `<a href="/subdir/">Found</a>`)
 assert.HTTPBodyContains(t, testDomain.ServeHTTP, "GET", "/subdir/", nil, "project2-subdir")
+ assert.HTTPBodyContains(t, testDomain.ServeHTTP, "GET", "/subdir/index.html", nil, "project2-subdir")
+ assert.HTTPError(t, testDomain.ServeHTTP, "GET", "//about.gitlab.com/%2e%2e", nil)
 assert.HTTPError(t, testDomain.ServeHTTP, "GET", "/not-existing-file", nil)
 }
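Review bot: The new redirect assertions in TestGroupServeHTTP pin the redirect target only through the 302 body text `<a href="//group.test.io/project/">Found</a>`; testify's HTTPRedirect checks the status class and HTTPBodyContains checks a substring, so neither asserts the `Location` header, which is the value a client actually follows and the thing the open-redirect fix is about. The `/subdir` check in the TestDomainServeHTTP hunk has the same gap. Capturing the response directly pins it: `rr := httptest.NewRecorder()` / `testGroup.ServeHTTP(rr, httptest.NewRequest("GET", "http://group.test.io/project", nil))` / `assert.Equal(t, "//group.test.io/project/", rr.Header().Get("Location"))` (needs `net/http/httptest`, whose import is outside this hunk; the expected value is inferred from the body text, so confirm it against the handler). The `%2e%2e` regression cases only assert an error status via HTTPError, which accepts any 4xx or 5xx, so they would also pass if the handler panicked or crashed on that path; asserting the specific status code would distinguish a deliberately rejected request from a server error.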