Stowage/caddy
2
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2025-10-31 13:21:08 +00:00
Code Issues Projects Releases Packages Wiki Activity
caddy/modules/caddyhttp/caddyhttp_test.go

206 lines
4.6 KiB
Go
Raw Normal View History

caddyhttp: Refactor and export SanitizedPathJoin for use in fastcgi (#4207)
2021-06-17 09:59:08 -06:00
package caddyhttp
import (
"net/url"
"path/filepath"
caddyhttp: Address some Go 1.20 features (#6252) Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2024-04-23 20:05:57 -04:00
"runtime"
caddyhttp: Refactor and export SanitizedPathJoin for use in fastcgi (#4207)
2021-06-17 09:59:08 -06:00
"testing"
)
func TestSanitizedPathJoin(t *testing.T) {
// For reference:
// %2e = .
// %2f = /
// %5c = \
for i, tc := range []struct {
caddyhttp: Address some Go 1.20 features (#6252) Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2024-04-23 20:05:57 -04:00
inputRoot string
inputPath string
expect string
expectWindows string
caddyhttp: Refactor and export SanitizedPathJoin for use in fastcgi (#4207)
2021-06-17 09:59:08 -06:00
}{
{
inputPath: "",
expect: ".",
},
{
inputPath: "/",
expect: ".",
},
caddyhttp: properly sanitize requests for root path (#6360) SanitizePathJoin protects against directory traversal attacks by checking for requests whose URL path look like they are trying to request something other than a local file, and returns the root directory in those cases. The method is also careful to ensure that requests which contain a trailing slash include a trailing slash in the returned value. However, for requests that contain only a slash (requests for the root path), the IsLocal check returns early before the matching trailing slash is re-added. This change updates SanitizePathJoin to only perform the filepath.IsLocal check if the cleaned request URL path is non-empty. --- This change also updates the existing SanitizePathJoin tests to use filepath.FromSlash rather than filepath.Join. This makes the expected value a little easier to read, but also has the advantage of not being processed by filepath.Clean like filepath.Join is. This means that the exact expect value will be compared, not the result of first cleaning it. Fixes #6352
2024-06-01 20:40:59 -07:00
{
// fileserver.MatchFile passes an inputPath of "//" for some try_files values.
// See https://github.com/caddyserver/caddy/issues/6352
inputPath: "//",
expect: filepath.FromSlash("./"),
},
caddyhttp: Refactor and export SanitizedPathJoin for use in fastcgi (#4207)
2021-06-17 09:59:08 -06:00
{
inputPath: "/foo",
expect: "foo",
},
{
inputPath: "/foo/",
caddyhttp: properly sanitize requests for root path (#6360) SanitizePathJoin protects against directory traversal attacks by checking for requests whose URL path look like they are trying to request something other than a local file, and returns the root directory in those cases. The method is also careful to ensure that requests which contain a trailing slash include a trailing slash in the returned value. However, for requests that contain only a slash (requests for the root path), the IsLocal check returns early before the matching trailing slash is re-added. This change updates SanitizePathJoin to only perform the filepath.IsLocal check if the cleaned request URL path is non-empty. --- This change also updates the existing SanitizePathJoin tests to use filepath.FromSlash rather than filepath.Join. This makes the expected value a little easier to read, but also has the advantage of not being processed by filepath.Clean like filepath.Join is. This means that the exact expect value will be compared, not the result of first cleaning it. Fixes #6352
2024-06-01 20:40:59 -07:00
expect: filepath.FromSlash("foo/"),
caddyhttp: Refactor and export SanitizedPathJoin for use in fastcgi (#4207)
2021-06-17 09:59:08 -06:00
},
{
inputPath: "/foo/bar",
caddyhttp: properly sanitize requests for root path (#6360) SanitizePathJoin protects against directory traversal attacks by checking for requests whose URL path look like they are trying to request something other than a local file, and returns the root directory in those cases. The method is also careful to ensure that requests which contain a trailing slash include a trailing slash in the returned value. However, for requests that contain only a slash (requests for the root path), the IsLocal check returns early before the matching trailing slash is re-added. This change updates SanitizePathJoin to only perform the filepath.IsLocal check if the cleaned request URL path is non-empty. --- This change also updates the existing SanitizePathJoin tests to use filepath.FromSlash rather than filepath.Join. This makes the expected value a little easier to read, but also has the advantage of not being processed by filepath.Clean like filepath.Join is. This means that the exact expect value will be compared, not the result of first cleaning it. Fixes #6352
2024-06-01 20:40:59 -07:00
expect: filepath.FromSlash("foo/bar"),
caddyhttp: Refactor and export SanitizedPathJoin for use in fastcgi (#4207)
2021-06-17 09:59:08 -06:00
},
{
inputRoot: "/a",
inputPath: "/foo/bar",
caddyhttp: properly sanitize requests for root path (#6360) SanitizePathJoin protects against directory traversal attacks by checking for requests whose URL path look like they are trying to request something other than a local file, and returns the root directory in those cases. The method is also careful to ensure that requests which contain a trailing slash include a trailing slash in the returned value. However, for requests that contain only a slash (requests for the root path), the IsLocal check returns early before the matching trailing slash is re-added. This change updates SanitizePathJoin to only perform the filepath.IsLocal check if the cleaned request URL path is non-empty. --- This change also updates the existing SanitizePathJoin tests to use filepath.FromSlash rather than filepath.Join. This makes the expected value a little easier to read, but also has the advantage of not being processed by filepath.Clean like filepath.Join is. This means that the exact expect value will be compared, not the result of first cleaning it. Fixes #6352
2024-06-01 20:40:59 -07:00
expect: filepath.FromSlash("/a/foo/bar"),
caddyhttp: Refactor and export SanitizedPathJoin for use in fastcgi (#4207)
2021-06-17 09:59:08 -06:00
},
{
inputPath: "/foo/../bar",
expect: "bar",
},
{
inputRoot: "/a/b",
inputPath: "/foo/../bar",
caddyhttp: properly sanitize requests for root path (#6360) SanitizePathJoin protects against directory traversal attacks by checking for requests whose URL path look like they are trying to request something other than a local file, and returns the root directory in those cases. The method is also careful to ensure that requests which contain a trailing slash include a trailing slash in the returned value. However, for requests that contain only a slash (requests for the root path), the IsLocal check returns early before the matching trailing slash is re-added. This change updates SanitizePathJoin to only perform the filepath.IsLocal check if the cleaned request URL path is non-empty. --- This change also updates the existing SanitizePathJoin tests to use filepath.FromSlash rather than filepath.Join. This makes the expected value a little easier to read, but also has the advantage of not being processed by filepath.Clean like filepath.Join is. This means that the exact expect value will be compared, not the result of first cleaning it. Fixes #6352
2024-06-01 20:40:59 -07:00
expect: filepath.FromSlash("/a/b/bar"),
caddyhttp: Refactor and export SanitizedPathJoin for use in fastcgi (#4207)
2021-06-17 09:59:08 -06:00
},
{
inputRoot: "/a/b",
inputPath: "/..%2fbar",
caddyhttp: properly sanitize requests for root path (#6360) SanitizePathJoin protects against directory traversal attacks by checking for requests whose URL path look like they are trying to request something other than a local file, and returns the root directory in those cases. The method is also careful to ensure that requests which contain a trailing slash include a trailing slash in the returned value. However, for requests that contain only a slash (requests for the root path), the IsLocal check returns early before the matching trailing slash is re-added. This change updates SanitizePathJoin to only perform the filepath.IsLocal check if the cleaned request URL path is non-empty. --- This change also updates the existing SanitizePathJoin tests to use filepath.FromSlash rather than filepath.Join. This makes the expected value a little easier to read, but also has the advantage of not being processed by filepath.Clean like filepath.Join is. This means that the exact expect value will be compared, not the result of first cleaning it. Fixes #6352
2024-06-01 20:40:59 -07:00
expect: filepath.FromSlash("/a/b/bar"),
caddyhttp: Refactor and export SanitizedPathJoin for use in fastcgi (#4207)
2021-06-17 09:59:08 -06:00
},
{
inputRoot: "/a/b",
inputPath: "/%2e%2e%2fbar",
caddyhttp: properly sanitize requests for root path (#6360) SanitizePathJoin protects against directory traversal attacks by checking for requests whose URL path look like they are trying to request something other than a local file, and returns the root directory in those cases. The method is also careful to ensure that requests which contain a trailing slash include a trailing slash in the returned value. However, for requests that contain only a slash (requests for the root path), the IsLocal check returns early before the matching trailing slash is re-added. This change updates SanitizePathJoin to only perform the filepath.IsLocal check if the cleaned request URL path is non-empty. --- This change also updates the existing SanitizePathJoin tests to use filepath.FromSlash rather than filepath.Join. This makes the expected value a little easier to read, but also has the advantage of not being processed by filepath.Clean like filepath.Join is. This means that the exact expect value will be compared, not the result of first cleaning it. Fixes #6352
2024-06-01 20:40:59 -07:00
expect: filepath.FromSlash("/a/b/bar"),
caddyhttp: Refactor and export SanitizedPathJoin for use in fastcgi (#4207)
2021-06-17 09:59:08 -06:00
},
{
caddyhttp: properly sanitize requests for root path (#6360) SanitizePathJoin protects against directory traversal attacks by checking for requests whose URL path look like they are trying to request something other than a local file, and returns the root directory in those cases. The method is also careful to ensure that requests which contain a trailing slash include a trailing slash in the returned value. However, for requests that contain only a slash (requests for the root path), the IsLocal check returns early before the matching trailing slash is re-added. This change updates SanitizePathJoin to only perform the filepath.IsLocal check if the cleaned request URL path is non-empty. --- This change also updates the existing SanitizePathJoin tests to use filepath.FromSlash rather than filepath.Join. This makes the expected value a little easier to read, but also has the advantage of not being processed by filepath.Clean like filepath.Join is. This means that the exact expect value will be compared, not the result of first cleaning it. Fixes #6352
2024-06-01 20:40:59 -07:00
// inputPath fails the IsLocal test so only the root is returned,
// but with a trailing slash since one was included in inputPath
caddyhttp: Refactor and export SanitizedPathJoin for use in fastcgi (#4207)
2021-06-17 09:59:08 -06:00
inputRoot: "/a/b",
inputPath: "/%2e%2e%2f%2e%2e%2f",
caddyhttp: properly sanitize requests for root path (#6360) SanitizePathJoin protects against directory traversal attacks by checking for requests whose URL path look like they are trying to request something other than a local file, and returns the root directory in those cases. The method is also careful to ensure that requests which contain a trailing slash include a trailing slash in the returned value. However, for requests that contain only a slash (requests for the root path), the IsLocal check returns early before the matching trailing slash is re-added. This change updates SanitizePathJoin to only perform the filepath.IsLocal check if the cleaned request URL path is non-empty. --- This change also updates the existing SanitizePathJoin tests to use filepath.FromSlash rather than filepath.Join. This makes the expected value a little easier to read, but also has the advantage of not being processed by filepath.Clean like filepath.Join is. This means that the exact expect value will be compared, not the result of first cleaning it. Fixes #6352
2024-06-01 20:40:59 -07:00
expect: filepath.FromSlash("/a/b/"),
caddyhttp: Refactor and export SanitizedPathJoin for use in fastcgi (#4207)
2021-06-17 09:59:08 -06:00
},
caddyhttp: Test cases for `%2F` and `%252F` (#6084)
2024-02-07 05:13:17 -05:00
{
inputRoot: "/a/b",
inputPath: "/foo%2fbar",
caddyhttp: properly sanitize requests for root path (#6360) SanitizePathJoin protects against directory traversal attacks by checking for requests whose URL path look like they are trying to request something other than a local file, and returns the root directory in those cases. The method is also careful to ensure that requests which contain a trailing slash include a trailing slash in the returned value. However, for requests that contain only a slash (requests for the root path), the IsLocal check returns early before the matching trailing slash is re-added. This change updates SanitizePathJoin to only perform the filepath.IsLocal check if the cleaned request URL path is non-empty. --- This change also updates the existing SanitizePathJoin tests to use filepath.FromSlash rather than filepath.Join. This makes the expected value a little easier to read, but also has the advantage of not being processed by filepath.Clean like filepath.Join is. This means that the exact expect value will be compared, not the result of first cleaning it. Fixes #6352
2024-06-01 20:40:59 -07:00
expect: filepath.FromSlash("/a/b/foo/bar"),
caddyhttp: Test cases for `%2F` and `%252F` (#6084)
2024-02-07 05:13:17 -05:00
},
{
inputRoot: "/a/b",
inputPath: "/foo%252fbar",
caddyhttp: properly sanitize requests for root path (#6360) SanitizePathJoin protects against directory traversal attacks by checking for requests whose URL path look like they are trying to request something other than a local file, and returns the root directory in those cases. The method is also careful to ensure that requests which contain a trailing slash include a trailing slash in the returned value. However, for requests that contain only a slash (requests for the root path), the IsLocal check returns early before the matching trailing slash is re-added. This change updates SanitizePathJoin to only perform the filepath.IsLocal check if the cleaned request URL path is non-empty. --- This change also updates the existing SanitizePathJoin tests to use filepath.FromSlash rather than filepath.Join. This makes the expected value a little easier to read, but also has the advantage of not being processed by filepath.Clean like filepath.Join is. This means that the exact expect value will be compared, not the result of first cleaning it. Fixes #6352
2024-06-01 20:40:59 -07:00
expect: filepath.FromSlash("/a/b/foo%2fbar"),
caddyhttp: Test cases for `%2F` and `%252F` (#6084)
2024-02-07 05:13:17 -05:00
},
caddyhttp: Refactor and export SanitizedPathJoin for use in fastcgi (#4207)
2021-06-17 09:59:08 -06:00
{
inputRoot: "C:\\www",
inputPath: "/foo/bar",
expect: filepath.Join("C:\\www", "foo", "bar"),
},
{
caddyhttp: Address some Go 1.20 features (#6252) Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2024-04-23 20:05:57 -04:00
inputRoot: "C:\\www",
inputPath: "/D:\\foo\\bar",
expect: filepath.Join("C:\\www", "D:\\foo\\bar"),
caddyhttp: Add test cases to corpus (#6374) * caddyhttp: Add test case to corpus * One more test case * Clean up stray comment * More tests
2024-06-04 14:23:55 -06:00
expectWindows: "C:\\www", // inputPath fails IsLocal on Windows
},
{
inputRoot: `C:\www`,
inputPath: `/..\windows\win.ini`,
expect: `C:\www/..\windows\win.ini`,
expectWindows: `C:\www`,
},
{
inputRoot: `C:\www`,
inputPath: `/..\..\..\..\..\..\..\..\..\..\windows\win.ini`,
expect: `C:\www/..\..\..\..\..\..\..\..\..\..\windows\win.ini`,
expectWindows: `C:\www`,
},
{
inputRoot: `C:\www`,
inputPath: `/..%5cwindows%5cwin.ini`,
expect: `C:\www/..\windows\win.ini`,
expectWindows: `C:\www`,
},
{
inputRoot: `C:\www`,
inputPath: `/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini`,
expect: `C:\www/..\..\..\..\..\..\..\..\..\..\windows\win.ini`,
expectWindows: `C:\www`,
caddyhttp: Address some Go 1.20 features (#6252) Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2024-04-23 20:05:57 -04:00
},
{
// https://github.com/golang/go/issues/56336#issuecomment-1416214885
inputRoot: "root",
inputPath: "/a/b/../../c",
caddyhttp: properly sanitize requests for root path (#6360) SanitizePathJoin protects against directory traversal attacks by checking for requests whose URL path look like they are trying to request something other than a local file, and returns the root directory in those cases. The method is also careful to ensure that requests which contain a trailing slash include a trailing slash in the returned value. However, for requests that contain only a slash (requests for the root path), the IsLocal check returns early before the matching trailing slash is re-added. This change updates SanitizePathJoin to only perform the filepath.IsLocal check if the cleaned request URL path is non-empty. --- This change also updates the existing SanitizePathJoin tests to use filepath.FromSlash rather than filepath.Join. This makes the expected value a little easier to read, but also has the advantage of not being processed by filepath.Clean like filepath.Join is. This means that the exact expect value will be compared, not the result of first cleaning it. Fixes #6352
2024-06-01 20:40:59 -07:00
expect: filepath.FromSlash("root/c"),
caddyhttp: Refactor and export SanitizedPathJoin for use in fastcgi (#4207)
2021-06-17 09:59:08 -06:00
},
} {
// we don't *need* to use an actual parsed URL, but it
// adds some authenticity to the tests since real-world
// values will be coming in from URLs; thus, the test
// corpus can contain paths as encoded by clients, which
// more closely emulates the actual attack vector
u, err := url.Parse("http://test:9999" + tc.inputPath)
if err != nil {
t.Fatalf("Test %d: invalid URL: %v", i, err)
}
actual := SanitizedPathJoin(tc.inputRoot, u.Path)
caddyhttp: Address some Go 1.20 features (#6252) Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2024-04-23 20:05:57 -04:00
if runtime.GOOS == "windows" && tc.expectWindows != "" {
tc.expect = tc.expectWindows
}
caddyhttp: Refactor and export SanitizedPathJoin for use in fastcgi (#4207)
2021-06-17 09:59:08 -06:00
if actual != tc.expect {
fileserver: Reject ADS and short name paths; trim trailing dots and spaces on Windows (#5148) * fileserver: Reject ADS and short name paths * caddyhttp: Trim trailing space and dot on Windows Windows ignores trailing dots and spaces in filenames. * Fix test * Adjust path filters * Revert Windows test * Actually revert the test * Just check for colons
2022-10-18 21:55:25 -06:00
t.Errorf("Test %d: SanitizedPathJoin('%s', '%s') => '%s' (expected '%s')",
caddyhttp: Refactor and export SanitizedPathJoin for use in fastcgi (#4207)
2021-06-17 09:59:08 -06:00
i, tc.inputRoot, tc.inputPath, actual, tc.expect)
}
}
}
caddyhttp: Smarter path matching and rewriting (#4948) Co-authored-by: RussellLuo <luopeng.he@gmail.com>
2022-08-16 08:48:57 -06:00
func TestCleanPath(t *testing.T) {
for i, tc := range []struct {
input string
mergeSlashes bool
expect string
}{
{
input: "/foo",
expect: "/foo",
},
{
input: "/foo/",
expect: "/foo/",
},
{
input: "//foo",
expect: "//foo",
},
{
input: "//foo",
mergeSlashes: true,
expect: "/foo",
},
{
input: "/foo//bar/",
mergeSlashes: true,
expect: "/foo/bar/",
},
{
input: "/foo/./.././bar",
expect: "/bar",
},
{
input: "/foo//./..//./bar",
expect: "/foo//bar",
},
{
input: "/foo///./..//./bar",
expect: "/foo///bar",
},
{
input: "/foo///./..//.",
expect: "/foo//",
},
{
input: "/foo//./bar",
expect: "/foo//bar",
},
} {
actual := CleanPath(tc.input, tc.mergeSlashes)
if actual != tc.expect {
t.Errorf("Test %d [input='%s' mergeSlashes=%t]: Got '%s', expected '%s'",
i, tc.input, tc.mergeSlashes, actual, tc.expect)
}
}
}
Reference in a new issue Copy permalink