homelab/traefik
1
0
Fork 0
Code Activity

Fix deny encoded characters

Browse source 
Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
This commit is contained in:
Romain 2025-12-23 16:02:04 +01:00 committed by GitHub
parent 8e6ce08f33
commit 23788e90cb
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
21 changed files with 435 additions and 303 deletions
Download patch file Download diff file Expand all files Collapse all files

47
pkg/config/static/entrypoints.go
View file

@ -65,13 +65,13 @@ func (ep *EntryPoint) SetDefaults() {
// HTTPConfig is the HTTP configuration of an entry point.
type HTTPConfig struct {
Redirections *Redirections `description:"Set of redirection" json:"redirections,omitempty" toml:"redirections,omitempty" yaml:"redirections,omitempty" export:"true"`
Middlewares []string `description:"Default middlewares for the routers linked to the entry point." json:"middlewares,omitempty" toml:"middlewares,omitempty" yaml:"middlewares,omitempty" export:"true"`
TLS *TLSConfig `description:"Default TLS configuration for the routers linked to the entry point." json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
EncodedCharacters EncodedCharacters `description:"Defines which encoded characters are allowed in the request path." json:"encodedCharacters,omitempty" toml:"encodedCharacters,omitempty" yaml:"encodedCharacters,omitempty" export:"true"`
EncodeQuerySemicolons bool `description:"Defines whether request query semicolons should be URLEncoded." json:"encodeQuerySemicolons,omitempty" toml:"encodeQuerySemicolons,omitempty" yaml:"encodeQuerySemicolons,omitempty" export:"true"`
SanitizePath *bool `description:"Defines whether to enable request path sanitization (removal of /./, /../ and multiple slash sequences)." json:"sanitizePath,omitempty" toml:"sanitizePath,omitempty" yaml:"sanitizePath,omitempty" export:"true"`
MaxHeaderBytes int `description:"Maximum size of request headers in bytes." json:"maxHeaderBytes,omitempty" toml:"maxHeaderBytes,omitempty" yaml:"maxHeaderBytes,omitempty" export:"true"`
Redirections *Redirections `description:"Set of redirection" json:"redirections,omitempty" toml:"redirections,omitempty" yaml:"redirections,omitempty" export:"true"`
Middlewares []string `description:"Default middlewares for the routers linked to the entry point." json:"middlewares,omitempty" toml:"middlewares,omitempty" yaml:"middlewares,omitempty" export:"true"`
TLS *TLSConfig `description:"Default TLS configuration for the routers linked to the entry point." json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
EncodedCharacters *EncodedCharacters `description:"Defines which encoded characters are allowed in the request path." json:"encodedCharacters,omitempty" toml:"encodedCharacters,omitempty" yaml:"encodedCharacters,omitempty" export:"true"`
EncodeQuerySemicolons bool `description:"Defines whether request query semicolons should be URLEncoded." json:"encodeQuerySemicolons,omitempty" toml:"encodeQuerySemicolons,omitempty" yaml:"encodeQuerySemicolons,omitempty" export:"true"`
SanitizePath *bool `description:"Defines whether to enable request path sanitization (removal of /./, /../ and multiple slash sequences)." json:"sanitizePath,omitempty" toml:"sanitizePath,omitempty" yaml:"sanitizePath,omitempty" export:"true"`
MaxHeaderBytes int `description:"Maximum size of request headers in bytes." json:"maxHeaderBytes,omitempty" toml:"maxHeaderBytes,omitempty" yaml:"maxHeaderBytes,omitempty" export:"true"`
}
// SetDefaults sets the default values.
@ -92,39 +92,6 @@ type EncodedCharacters struct {
AllowEncodedHash bool `description:"Defines whether requests with encoded hash characters in the path are allowed." json:"allowEncodedHash,omitempty" toml:"allowEncodedHash,omitempty" yaml:"allowEncodedHash,omitempty" export:"true"`
}
// Map returns a map of unallowed encoded characters.
func (h *EncodedCharacters) Map() map[string]struct{} {
characters := make(map[string]struct{})
if !h.AllowEncodedSlash {
characters["%2F"] = struct{}{}
characters["%2f"] = struct{}{}
}
if !h.AllowEncodedBackSlash {
characters["%5C"] = struct{}{}
characters["%5c"] = struct{}{}
}
if !h.AllowEncodedNullCharacter {
characters["%00"] = struct{}{}
}
if !h.AllowEncodedSemicolon {
characters["%3B"] = struct{}{}
characters["%3b"] = struct{}{}
}
if !h.AllowEncodedPercent {
characters["%25"] = struct{}{}
}
if !h.AllowEncodedQuestionMark {
characters["%3F"] = struct{}{}
characters["%3f"] = struct{}{}
}
if !h.AllowEncodedHash {
characters["%23"] = struct{}{}
}
return characters
}
// HTTP2Config is the HTTP2 configuration of an entry point.
type HTTP2Config struct {
MaxConcurrentStreams int32 `description:"Specifies the number of concurrent streams per connection that each client is allowed to initiate." json:"maxConcurrentStreams,omitempty" toml:"maxConcurrentStreams,omitempty" yaml:"maxConcurrentStreams,omitempty" export:"true"`

158
pkg/config/static/entrypoints_test.go
View file

@ -65,161 +65,3 @@ func TestEntryPointProtocol(t *testing.T) {
})
}
}
func TestEncodedCharactersMap(t *testing.T) {
tests := []struct {
name string
config EncodedCharacters
expected map[string]struct{}
}{
{
name: "Handles empty configuration",
expected: map[string]struct{}{
"%2F": {},
"%2f": {},
"%5C": {},
"%5c": {},
"%00": {},
"%3B": {},
"%3b": {},
"%25": {},
"%3F": {},
"%3f": {},
"%23": {},
},
},
{
name: "Exclude encoded slash when allowed",
config: EncodedCharacters{
AllowEncodedSlash: true,
},
expected: map[string]struct{}{
"%5C": {},
"%5c": {},
"%00": {},
"%3B": {},
"%3b": {},
"%25": {},
"%3F": {},
"%3f": {},
"%23": {},
},
},
{
name: "Exclude encoded backslash when allowed",
config: EncodedCharacters{
AllowEncodedBackSlash: true,
},
expected: map[string]struct{}{
"%2F": {},
"%2f": {},
"%00": {},
"%3B": {},
"%3b": {},
"%25": {},
"%3F": {},
"%3f": {},
"%23": {},
},
},
{
name: "Exclude encoded null character when allowed",
config: EncodedCharacters{
AllowEncodedNullCharacter: true,
},
expected: map[string]struct{}{
"%2F": {},
"%2f": {},
"%5C": {},
"%5c": {},
"%3B": {},
"%3b": {},
"%25": {},
"%3F": {},
"%3f": {},
"%23": {},
},
},
{
name: "Exclude encoded semicolon when allowed",
config: EncodedCharacters{
AllowEncodedSemicolon: true,
},
expected: map[string]struct{}{
"%2F": {},
"%2f": {},
"%5C": {},
"%5c": {},
"%00": {},
"%25": {},
"%3F": {},
"%3f": {},
"%23": {},
},
},
{
name: "Exclude encoded percent when allowed",
config: EncodedCharacters{
AllowEncodedPercent: true,
},
expected: map[string]struct{}{
"%2F": {},
"%2f": {},
"%5C": {},
"%5c": {},
"%00": {},
"%3B": {},
"%3b": {},
"%3F": {},
"%3f": {},
"%23": {},
},
},
{
name: "Exclude encoded question mark when allowed",
config: EncodedCharacters{
AllowEncodedQuestionMark: true,
},
expected: map[string]struct{}{
"%2F": {},
"%2f": {},
"%5C": {},
"%5c": {},
"%00": {},
"%3B": {},
"%3b": {},
"%25": {},
"%23": {},
},
},
{
name: "Exclude encoded hash when allowed",
config: EncodedCharacters{
AllowEncodedHash: true,
},
expected: map[string]struct{}{
"%2F": {},
"%2f": {},
"%5C": {},
"%5c": {},
"%00": {},
"%3B": {},
"%3b": {},
"%25": {},
"%3F": {},
"%3f": {},
},
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
t.Parallel()
result := test.config.Map()
require.Equal(t, test.expected, result)
})
}
}