author | Vladimir Shushlin <v.shushlin@gmail.com> | 2021-11-10 18:38:22 +0300 |
---|---|---|
committer | Vladimir Shushlin <v.shushlin@gmail.com> | 2021-11-11 11:42:42 +0300 |
commit | bf9c79a5477b61f375be659e2e16f377067d9c00 (patch) | |
tree | fbd7c2ceece4af9fc87e45c43679a725015e7588 /test | |
parent | aa897ce9849d35cd7ff1121351f1033e91d0c062 (diff) |
fix: reject requests with very long URIs
Some parts of the application may be vulnerable to very long URIs being passed.
E.g. Auth will try to save the URI to the session cookie, and it will fail, which will result in a 500 error
Changelog: fixed
Diffstat (limited to 'test')
-rw-r--r-- | test/acceptance/urilimiter_test.go | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/test/acceptance/urilimiter_test.go b/test/acceptance/urilimiter_test.go
new file mode 100644
index 00000000..5e97921f
--- /dev/null
+++ b/test/acceptance/urilimiter_test.go
@@ -0,0 +1,56 @@
+package acceptance_test
+
+import (
+	"io"
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// TestURILimits proves fix for https://gitlab.com/gitlab-org/gitlab-pages/-/issues/659
+func TestURILimits(t *testing.T) {
+	tests := map[string]struct {
+		limit          string
+		path           string
+		expectedStatus int
+	}{
+		"with_disabled_limit": {
+			limit:          "0",
+			path:           "project/",
+			expectedStatus: http.StatusOK,
+		},
+		"with_limit_set_to_request_length": {
+			limit:          "19",
+			path:           "/project/index.html",
+			expectedStatus: http.StatusOK,
+		},
+		"with_uri_length_exceeding_the_limit": {
+			limit:          "19",
+			path:           "/project/index1.html",
+			expectedStatus: http.StatusRequestURITooLong,
+		},
+	}
+
+	for tn, tt := range tests {
+		t.Run(tn, func(t *testing.T) {
+			RunPagesProcess(t, withListeners([]ListenSpec{httpsListener}), withExtraArgument("max-uri-length", tt.limit))
+
+			rsp, err := GetPageFromListener(t, httpsListener, "group.gitlab-example.com", tt.path)
+			require.NoError(t, err)
+			defer func() {
+				require.NoError(t, rsp.Body.Close())
+			}()
+
+			require.Equal(t, tt.expectedStatus, rsp.StatusCode)
+
+			b, err := io.ReadAll(rsp.Body)
+			require.NoError(t, err)
+			if tt.expectedStatus == http.StatusOK {
+				require.Equal(t, "project-subdir\n", string(b))
+			} else {
+				require.Contains(t, string(b), "Request URI Too Long")
+			}
+		})
+	}
+}
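Review bot: The boundary cases in the `tests` table only vary the path component, so the test does not pin down whether `max-uri-length` is measured against the full request URI (path plus query string) or the path alone; the commit message motivates the fix with the URI being stored in a session cookie, which would include the query. Adding a case such as `"with_query_string_exceeding_the_limit": {limit: "19", path: "/project/index.html?x", expectedStatus: http.StatusRequestURITooLong}` would document the intended semantics, assuming `GetPageFromListener` passes `tt.path` through verbatim (its implementation is outside this hunk). As a point of style, `"with_disabled_limit"` uses `path: "project/"` without a leading slash while the other two cases use an absolute path; making them consistent avoids the reader wondering whether the slash is part of what is being tested. Only `httpsListener` is exercised, so a short comment stating that the limit is applied independently of the listener type would help if that is the case.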