Normalize URL #202

Merged
merged 1 commit into from
Mar 22, 2017
5 changes: 5 additions & 0 deletions CHANGELOG.md
@@ -1,4 +1,9 @@

#### **2.0.5 (unreleased)**

FIXES:
* We normalize all urls before the protection middleware is applied [#PR202](https://github.com/gambol99/keycloak-proxy/pull/202)

#### **2.0.4**

FIXES:
52 changes: 29 additions & 23 deletions Godeps/Godeps.json


3 changes: 3 additions & 0 deletions forwarding.go
Expand Up @@ -29,6 +29,9 @@ import (
// reverseProxyMiddleware is responsible for handles reverse proxy request to the upstream endpoint
func (r *oauthProxy) reverseProxyMiddleware() gin.HandlerFunc {
return func(cx *gin.Context) {
// step: continue the flow
cx.Next()
// step: check its cool to continue
if cx.IsAborted() {
return
}
4 changes: 2 additions & 2 deletions handlers_test.go
Expand Up @@ -262,8 +262,8 @@ func TestAuthorizationURL(t *testing.T) {
ExpectedCode: http.StatusTemporaryRedirect,
},
{
URL: "/admin/../",
ExpectedURL: "/oauth/authorize?state=L2FkbWluLy4uLw==",
URL: "/help/../admin",
ExpectedURL: "/oauth/authorize?state=L2FkbWlu",
ExpectedCode: http.StatusTemporaryRedirect,
},
{
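Review bot: The swapped row only checks dot-segment resolution into a protected path; nothing in this hunk exercises the duplicate-slash half of the new normalization, e.g. a row `URL: "//admin", ExpectedURL: "/oauth/authorize?state=L2FkbWlu", ExpectedCode: http.StatusTemporaryRedirect,` (the state value is the base64 of "/admin", same as the new row). The removed `/admin/../` input now normalizes to `/`, and whatever the root is expected to return is no longer pinned by a case here; keeping it as an additional row with the appropriate expectation, rather than replacing it, would cover the "dot segments escape the protected prefix" direction as well. The table in TestAuthorizationURL starts and ends outside the hunk, so other rows may already cover this.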
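--- a/middleware.go
+++ b/middleware.go
@@ -16,12 +16,12 @@ limitations under the License.
 package main
 
 import (
-	"bytes"
 	"fmt"
 	"regexp"
 	"strings"
 	"time"
 
+	"github.com/PuerkitoBio/purell"
 	log "github.com/Sirupsen/logrus"
 	"github.com/coreos/go-oidc/jose"
 	"github.com/gin-gonic/gin"
@@ -34,19 +34,19 @@ const (
 	cxEnforce = "Enforcing"
 )
 
+const normalizeFlags purell.NormalizationFlags = purell.FlagRemoveDotSegments | purell.FlagRemoveDuplicateSlashes
+
 // filterMiddleware is custom filtering for incoming requests
 func (r *oauthProxy) filterMiddleware() gin.HandlerFunc {
 	return func(cx *gin.Context) {
-		var p rune
-		var b bytes.Buffer
-		for _, c := range cx.Request.URL.Path {
-			if c == '/' && p == '/' {
-				continue
-			}
-			p = c
-			b.WriteRune(c)
-		}
-		cx.Request.URL.Path = b.String()
+		// step: keep a copy of the original
+		orig := cx.Request.URL.Path
+		// step: normalize the url
+		purell.NormalizeURL(cx.Request.URL, normalizeFlags)
+		// step: continue the flow
+		cx.Next()
+		// step: place back the original
+		cx.Request.URL.Path = orig
 	}
 }
 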
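Review bot: Putting the original path back after `cx.Next()` means anything that runs once the chain unwinds sees the raw path while the protection middleware decided on the normalized one; reverseProxyMiddleware in forwarding.go calls `cx.Next()` before its own work, so if it is registered ahead of filterMiddleware (registration order is not in this diff) the upstream is served the un-normalized path. Any divergence between purell's dot-segment and duplicate-slash handling and the upstream's own path resolution then separates what was authorized from what is served, which is the usual shape of a normalization bypass. If the restore is intentional, the comment should say why, e.g. `// step: place back the original so the upstream sees the path as the client sent it; authorization already ran on the normalized form`; otherwise dropping the restore keeps the two views identical. Only Path is saved and restored, so if NormalizeURL with these flags also rewrites RawPath (not visible here), that field keeps the normalized value.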