codecov[bot]
commented
4 years ago Codecov Report
Merging #284 into master will increase coverage by
0.00%. The diff coverage is100.00%.
@@ Coverage Diff @@
## master #284 +/- ##
=======================================
Coverage 61.85% 61.85%
=======================================
Files 57 57
Lines 4637 4638 +1
=======================================
+ Hits 2868 2869 +1
Misses 1556 1556
Partials 213 213 Continue to review full report at Codecov.
Legend - Click here to learn more
Δ = absolute <relative> (impact),ø = not affected,? = missing dataPowered by Codecov. Last update f070dc5...de0300b. Read the comment docs.
katzdm
Problem
When proxying to a path with a %-encoded
/character (i.e.%2F), the Golanghttp.ServeMuxclass auto-unwraps the %-encoding. It then usespath.Clean()to "helpfully" normalize successive/characters (e.g./a/b//cto/a/b/c,/a/b/../cto/a, etc).Though admittedly an edge-case, the unintended side-effect is that a URL whose path contains a %-encoded URL will be proxied incorrectly. Fo instance, the URL
https://example.com/path/http:%2F%2Ffoo.com/will be proxied tohttps://example.com/path/http:/foo.com/.Solution
Replace use of
http.ServeMuxwith themux.Routerclass from the popular https://github.com/gorilla/mux library, which allows use ofURL.EscapedPath()in lieu of directly readingURL.Path. This preserves the %-wrapping of path-components, which in turn preventspath.Clean()from errantly rewriting the path.Notes
The motivating example derives from the popular open-source Jenkins project, which uses URLs in such a form to check the health of a reverse-proxy - Hence this bug causes a Jenkins instance behind an SSO deployment to report a "broken" reverse-proxy configuration.