
Commit e6c98bc

Normalize URL
- normalize the url before we apply the protection middleware to it - added additional unit tests - added the extra dependencies - updated the CHANGELOG for a later release
1 parent a67c80a commit e6c98bc


66 files changed

+15036
-4933
lines changed

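--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,9 @@
 
+#### **2.0.5 (unreleased)**
+
+FIXES:
+* We normalize all urls before the protection middleware is applied [#PR202](https://github.com/gambol99/keycloak-proxy/pull/202)
+
 #### **2.0.4**
 
 FIXES: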

Godeps/Godeps.json

+29-23

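--- a/forwarding.go
+++ b/forwarding.go
@@ -29,6 +29,9 @@ import (
 // reverseProxyMiddleware is responsible for handles reverse proxy request to the upstream endpoint
 func (r *oauthProxy) reverseProxyMiddleware() gin.HandlerFunc {
 return func(cx *gin.Context) {
+// step: continue the flow
+cx.Next()
+// step: check its cool to continue
 if cx.IsAborted() {
 return
 }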
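Review bot: The `cx.Next()` added at the top of reverseProxyMiddleware means the request is forwarded with whatever `cx.Request.URL.Path` holds once the rest of the chain has returned, and filterMiddleware (middleware.go, second hunk) now puts the un-normalized path back right after its own `cx.Next()`. That is only safe if the proxy handler is registered after filterMiddleware, so the forward happens while the normalized path is still in place; registered the other way round, the upstream would receive the original `/help/../admin` or `//admin` form that the protection middleware never evaluated. The registration order is not part of this commit, so I cannot tell which applies; a test that records the path seen by a stub upstream for such a request would pin it either way. reverseProxyMiddleware's body continues past the hunk.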

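--- a/handlers_test.go
+++ b/handlers_test.go
@@ -262,8 +262,8 @@ func TestAuthorizationURL(t *testing.T) {
 ExpectedCode: http.StatusTemporaryRedirect,
 },
 {
-URL: "/admin/../",
-ExpectedURL: "/oauth/authorize?state=L2FkbWluLy4uLw==",
+URL: "/help/../admin",
+ExpectedURL: "/oauth/authorize?state=L2FkbWlu",
 ExpectedCode: http.StatusTemporaryRedirect,
 },
 {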
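Review bot: The `/admin/../` case is replaced rather than kept, so the trailing-dot-segment path (the one the old code passed through unchanged, state `L2FkbWluLy4uLw==`) no longer has any test. I would keep it next to the new `/help/../admin` case with its expectation updated to the normalized form — presumably `/` (state `Lw==`), but verify that against what purell actually produces. TestAuthorizationURL's table continues outside the hunk.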

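--- a/middleware.go
+++ b/middleware.go
@@ -16,12 +16,12 @@ limitations under the License.
 package main
 
 import (
-"bytes"
 "fmt"
 "regexp"
 "strings"
 "time"
 
+"github.com/PuerkitoBio/purell"
 log "github.com/Sirupsen/logrus"
 "github.com/coreos/go-oidc/jose"
 "github.com/gin-gonic/gin"
@@ -34,19 +34,19 @@ const (
 cxEnforce = "Enforcing"
 )
 
+const normalizeFlags purell.NormalizationFlags = purell.FlagRemoveDotSegments | purell.FlagRemoveDuplicateSlashes
+
 // filterMiddleware is custom filtering for incoming requests
 func (r *oauthProxy) filterMiddleware() gin.HandlerFunc {
 return func(cx *gin.Context) {
-var p rune
-var b bytes.Buffer
-for _, c := range cx.Request.URL.Path {
-if c == '/' && p == '/' {
-continue
-}
-p = c
-b.WriteRune(c)
-}
-cx.Request.URL.Path = b.String()
+// step: keep a copy of the original
+orig := cx.Request.URL.Path
+// step: normalize the url
+purell.NormalizeURL(cx.Request.URL, normalizeFlags)
+// step: continue the flow
+cx.Next()
+// step: place back the original
+cx.Request.URL.Path = orig
 }
 }
 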
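Review bot: The doc comment on filterMiddleware still describes it as "custom filtering" while the body now normalizes the URL and restores the path once the chain returns, and the new `normalizeFlags` constant has no comment at all. I would change it to `// filterMiddleware normalizes the request path (dot segments, duplicate slashes) for the rest of the chain and restores the original once cx.Next() returns` and add `// normalizeFlags are the purell normalizations applied before the protection middleware sees the path` above the const. Note also that only `Path` is saved and restored: as far as I can tell that covers these two flags, but if further flags are added later the whole `*url.URL` would have to be copied, which is worth a sentence in the comment. Since `URL.Path` is the decoded form, percent-encoded dot segments are normalized as well and `RawPath` is left untouched; a test case with an encoded segment would document that the protection middleware and the upstream agree on the path.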
