fix: block arbitrary file index (#2497)

commit: bfc9c310f7a64609f5046af5a017762e9d34a1ee [log] [tgz]
author: Zeping Bai <bzp2010@apache.org> Wed Jul 06 16:02:38 2022 +0800
committer: GitHub <noreply@github.com> Wed Jul 06 16:02:38 2022 +0800
tree: 97de7d03440aabb123b35c0827f711119ebb6f91
parent: 36f1ba9a069d9351ccff5ba61cf38a8d642edb39 [diff]
diff --git a/api/test/e2e/gzip/gzip_suite_test.go b/api/internal/filter/invalid_request.go
similarity index 66%
copy from api/test/e2e/gzip/gzip_suite_test.go
copy to api/internal/filter/invalid_request.go
index 13380cf..8c1ebc5 100644
--- a/api/test/e2e/gzip/gzip_suite_test.go
+++ b/api/internal/filter/invalid_request.go

@@ -14,16 +14,28 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package gzip_test
+package filter
 
 import (
-	"testing"
+	"net/url"
+	"strings"
 
-	. "github.com/onsi/ginkgo"
-	. "github.com/onsi/gomega"
+	"github.com/gin-gonic/gin"
 )
 
-func TestGzip(t *testing.T) {
-	RegisterFailHandler(Fail)
-	RunSpecs(t, "gzip suite")
+// InvalidRequest provides a filtering mechanism for illegitimate requests
+func InvalidRequest() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		if !checkURL(c.Request.URL) {
+			c.AbortWithStatus(403)
+		}
+		c.Next()
+	}
+}
+
+func checkURL(url *url.URL) bool {
+	if strings.Contains(url.Path, "..") {
+		return false
+	}
+	return true
 }

diff --git a/api/test/e2e/gzip/gzip_suite_test.go b/api/internal/filter/invalid_request_test.go
similarity index 71%
copy from api/test/e2e/gzip/gzip_suite_test.go
copy to api/internal/filter/invalid_request_test.go
index 13380cf..986a791 100644
--- a/api/test/e2e/gzip/gzip_suite_test.go
+++ b/api/internal/filter/invalid_request_test.go

@@ -14,16 +14,17 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package gzip_test
+package filter
 
 import (
+	"net/url"
 	"testing"
 
-	. "github.com/onsi/ginkgo"
-	. "github.com/onsi/gomega"
+	"github.com/stretchr/testify/assert"
 )
 
-func TestGzip(t *testing.T) {
-	RegisterFailHandler(Fail)
-	RunSpecs(t, "gzip suite")
+func TestURLCheck_double_dot(t *testing.T) {
+	assert.Equal(t, false, checkURL(&url.URL{Path: "../../../etc/hosts"}))
+	assert.Equal(t, false, checkURL(&url.URL{Path: "/../../../etc/hosts"}))
+	assert.Equal(t, true, checkURL(&url.URL{Path: "/etc/hosts"}))
 }

diff --git a/api/internal/route.go b/api/internal/route.go
index 7eddc9c..6f7e136 100644
--- a/api/internal/route.go
+++ b/api/internal/route.go

@@ -57,8 +57,11 @@
 	}
 	r := gin.New()
 	logger := log.GetLogger(log.AccessLog)
-	r.Use(gzip.Gzip(gzip.DefaultCompression))
-	r.Use(filter.CORS(), filter.RequestId(), filter.IPFilter(), filter.RequestLogHandler(logger), filter.SchemaCheck(), filter.RecoverHandler(), filter.Authentication())
+	// security
+	r.Use(filter.RequestLogHandler(logger), filter.IPFilter(), filter.InvalidRequest(), filter.Authentication())
+
+	// misc
+	r.Use(gzip.Gzip(gzip.DefaultCompression), filter.CORS(), filter.RequestId(), filter.SchemaCheck(), filter.RecoverHandler())
 	r.Use(static.Serve("/", static.LocalFile(filepath.Join(conf.WorkDir, conf.WebDir), false)))
 	r.NoRoute(func(c *gin.Context) {
 		c.File(fmt.Sprintf("%s/index.html", filepath.Join(conf.WorkDir, conf.WebDir)))

diff --git a/api/test/e2e/gzip/gzip_test.go b/api/test/e2e/middlewares/gzip_test.go
similarity index 90%
rename from api/test/e2e/gzip/gzip_test.go
rename to api/test/e2e/middlewares/gzip_test.go
index fbacc27..f346f10 100644
--- a/api/test/e2e/gzip/gzip_test.go
+++ b/api/test/e2e/middlewares/gzip_test.go

@@ -14,18 +14,18 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package gzip
+package middlewares_test
 
 import (
 	"net/http"
 
-	"github.com/onsi/ginkgo"
+	. "github.com/onsi/ginkgo"
 
 	"github.com/apisix/manager-api/test/e2e/base"
 )
 
-var _ = ginkgo.Describe("Gzip enable", func() {
-	ginkgo.It("get index.html", func() {
+var _ = Describe("Gzip enable", func() {
+	It("get index.html", func() {
 		base.RunTestCase(base.HttpTestCase{
 			Object:        base.ManagerApiExpect(),
 			Method:        http.MethodGet,

diff --git a/api/test/e2e/gzip/gzip_test.go b/api/test/e2e/middlewares/invalid_request_test.go
similarity index 63%
copy from api/test/e2e/gzip/gzip_test.go
copy to api/test/e2e/middlewares/invalid_request_test.go
index fbacc27..7b6cf43 100644
--- a/api/test/e2e/gzip/gzip_test.go
+++ b/api/test/e2e/middlewares/invalid_request_test.go

@@ -14,24 +14,29 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package gzip
+package middlewares_test
 
 import (
 	"net/http"
 
-	"github.com/onsi/ginkgo"
+	. "github.com/onsi/ginkgo"
 
 	"github.com/apisix/manager-api/test/e2e/base"
 )
 
-var _ = ginkgo.Describe("Gzip enable", func() {
-	ginkgo.It("get index.html", func() {
+var _ = Describe("Invalid Request", func() {
+	It("double dot in URL path (arbitrary file index)", func() {
 		base.RunTestCase(base.HttpTestCase{
-			Object:        base.ManagerApiExpect(),
-			Method:        http.MethodGet,
-			Path:          "/",
-			Headers:       map[string]string{"Accept-Encoding": "gzip, deflate, br"},
-			ExpectHeaders: map[string]string{"Content-Encoding": "gzip"},
+			Object:       base.ManagerApiExpect(),
+			Method:       http.MethodGet,
+			Path:         "/../../../../etc/hosts",
+			ExpectStatus: http.StatusForbidden,
+		})
+		base.RunTestCase(base.HttpTestCase{
+			Object:       base.ManagerApiExpect(),
+			Method:       http.MethodGet,
+			Path:         "/.%2e/%2e%2e/../etc/hosts",
+			ExpectStatus: http.StatusForbidden,
 		})
 	})
 })

diff --git a/api/test/e2e/gzip/gzip_suite_test.go b/api/test/e2e/middlewares/middlewares_suite_test.go
similarity index 89%
rename from api/test/e2e/gzip/gzip_suite_test.go
rename to api/test/e2e/middlewares/middlewares_suite_test.go
index 13380cf..0bdcebb 100644
--- a/api/test/e2e/gzip/gzip_suite_test.go
+++ b/api/test/e2e/middlewares/middlewares_suite_test.go

@@ -14,7 +14,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package gzip_test
+package middlewares_test
 
 import (
 	"testing"
@@ -23,7 +23,7 @@
 	. "github.com/onsi/gomega"
 )
 
-func TestGzip(t *testing.T) {
+func TestMiddlewares(t *testing.T) {
 	RegisterFailHandler(Fail)
-	RunSpecs(t, "gzip suite")
+	RunSpecs(t, "Middlewares Suite")
 }
commit	bfc9c310f7a64609f5046af5a017762e9d34a1ee	[log] [tgz]
author	Zeping Bai <bzp2010@apache.org>	Wed Jul 06 16:02:38 2022 +0800
committer	GitHub <noreply@github.com>	Wed Jul 06 16:02:38 2022 +0800
tree	97de7d03440aabb123b35c0827f711119ebb6f91
parent	36f1ba9a069d9351ccff5ba61cf38a8d642edb39 [diff]