Drop untrusted X-Forwarded-Prefix header

Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
2024-11-08 12:12:35 +01:00 · 2024-11-08 12:12:35 +01:00 · 2096fd7081
commit 2096fd7081
parent 6f18344c56
4 changed files with 31 additions and 65 deletions
--- a/pkg/api/dashboard/dashboard.go
+++ b/pkg/api/dashboard/dashboard.go
@ -3,7 +3,7 @@ package dashboard
 import (
 	"io/fs"
 	"net/http"
-	"net/url"
+	"strings"

 	"github.com/gorilla/mux"
 	"github.com/traefik/traefik/v2/webui"
@ -25,7 +25,8 @@ func Append(router *mux.Router, customAssets fs.FS) {
 	router.Methods(http.MethodGet).
 		Path("/").
 		HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
-			http.Redirect(resp, req, safePrefix(req)+"/dashboard/", http.StatusFound)
+			prefix := strings.TrimSuffix(req.Header.Get("X-Forwarded-Prefix"), "/")
+			http.Redirect(resp, req, prefix+"/dashboard/", http.StatusFound)
 		})

 	router.Methods(http.MethodGet).
@ -48,21 +49,3 @@ func (g Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Security-Policy", "frame-src 'self' https://traefik.io https://*.traefik.io;")
 	http.FileServerFS(assets).ServeHTTP(w, r)
 }
-
-func safePrefix(req *http.Request) string {
-	prefix := req.Header.Get("X-Forwarded-Prefix")
-	if prefix == "" {
-		return ""
-	}
-
-	parse, err := url.Parse(prefix)
-	if err != nil {
-		return ""
-	}
-
-	if parse.Host != "" {
-		return ""
-	}
-
-	return parse.Path
-}