search

motiv-labs / janus

An API Gateway written in Go
https://hellofresh.gitbooks.io/janus
MIT License
2.77k stars 319 forks source link

Janus is encoding already encoded URL in reverse-proxy.go #499

Open namitaofficial22 opened 1 month ago

namitaofficial22 commented 1 month ago

[Short description of problem here] If curl is done with http://example.com/a%2Fv (to imitate request from a web UI), Janus is sending a%%252Fv to the upstream server.

Reproduction Steps:

  1. Set httpd configuration to allowedEncodedSlash as true and rewriterule with [P, NE]
  2. Bring up apigateway
  3. Send curl command like http://example.com/a%2Fv
  4. Upstream is getting path as a%252Fv and rejecting the request.

Expected behavior: URL should not be encoded with rewriterule as [P, NE] and Proxypass as nocanon.

[Describe expected behavior here] In reverse_proxy.go, found some strange code which might be causing this issue. I could reproduce the issue in a simple golang code.

            log.WithField("path", path).Debug("Upstream Path")
            req.URL.Path = path

When we set path(a%2Fv) in the above line, and then call req.URL.RequestURI() it is giving escaped path(a%252Fv) .

Observed behavior:

Sample output with the golang program:

Program Snippet: func main() { // Get the full request URI req, _ := http.NewRequest("GET", "http://example.com/a%2Fv", nil) requestURI := req.URL.RequestURI()

// Print the request URI
fmt.Println("Request URI: \n", requestURI)
req.URL.Path = "a%2Fv"
fmt.Println("After URI: \n", req.URL.RequestURI())

}

O/p: Request URI: /a%2Fv After URI: a%252Fv

Janus version: [Enter Atom version here] OS and version: [Enter OS name and version here]