Reject suspicious encoded characters

Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
2025-12-04 15:10:05 +01:00 · 2025-12-04 15:10:05 +01:00 · 4d7d627319
commit 4d7d627319
parent 0b6438b7c0
20 changed files with 804 additions and 22 deletions
--- a/docs/content/reference/static-configuration/cli-ref.md
+++ b/docs/content/reference/static-configuration/cli-ref.md
@ -123,6 +123,30 @@ Trust only forwarded headers from selected IPs.
 `--entrypoints.<name>.http`:  
 HTTP configuration.

+`--entrypoints.<name>.http.encodedcharacters`:  
+Defines which encoded characters are allowed in the request path.
+
+`--entrypoints.<name>.http.encodedcharacters.allowencodedbackslash`:  
+Defines whether requests with encoded back slash characters in the path are allowed. (Default: ```false```)
+
+`--entrypoints.<name>.http.encodedcharacters.allowencodedhash`:  
+Defines whether requests with encoded hash characters in the path are allowed. (Default: ```false```)
+
+`--entrypoints.<name>.http.encodedcharacters.allowencodednullcharacter`:  
+Defines whether requests with encoded null characters in the path are allowed. (Default: ```false```)
+
+`--entrypoints.<name>.http.encodedcharacters.allowencodedpercent`:  
+Defines whether requests with encoded percent characters in the path are allowed. (Default: ```false```)
+
+`--entrypoints.<name>.http.encodedcharacters.allowencodedquestionmark`:  
+Defines whether requests with encoded question mark characters in the path are allowed. (Default: ```false```)
+
+`--entrypoints.<name>.http.encodedcharacters.allowencodedsemicolon`:  
+Defines whether requests with encoded semicolon characters in the path are allowed. (Default: ```false```)
+
+`--entrypoints.<name>.http.encodedcharacters.allowencodedslash`:  
+Defines whether requests with encoded slash characters in the path are allowed. (Default: ```false```)
+
 `--entrypoints.<name>.http.encodequerysemicolons`:  
 Defines whether request query semicolons should be URLEncoded. (Default: ```false```)

--- a/docs/content/reference/static-configuration/env-ref.md
+++ b/docs/content/reference/static-configuration/env-ref.md
@ -132,6 +132,30 @@ HTTP/3 configuration. (Default: ```false```)
 `TRAEFIK_ENTRYPOINTS_<NAME>_HTTP3_ADVERTISEDPORT`:  
 UDP port to advertise, on which HTTP/3 is available. (Default: ```0```)

+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS`:  
+Defines which encoded characters are allowed in the request path.
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDBACKSLASH`:  
+Defines whether requests with encoded back slash characters in the path are allowed. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDHASH`:  
+Defines whether requests with encoded hash characters in the path are allowed. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDNULLCHARACTER`:  
+Defines whether requests with encoded null characters in the path are allowed. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDPERCENT`:  
+Defines whether requests with encoded percent characters in the path are allowed. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDQUESTIONMARK`:  
+Defines whether requests with encoded question mark characters in the path are allowed. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDSEMICOLON`:  
+Defines whether requests with encoded semicolon characters in the path are allowed. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDSLASH`:  
+Defines whether requests with encoded slash characters in the path are allowed. (Default: ```false```)
+
 `TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEQUERYSEMICOLONS`:  
 Defines whether request query semicolons should be URLEncoded. (Default: ```false```)

--- a/docs/content/reference/static-configuration/file.toml
+++ b/docs/content/reference/static-configuration/file.toml
@ -55,6 +55,14 @@
        [[entryPoints.EntryPoint0.http.tls.domains]]
          main = "foobar"
          sans = ["foobar", "foobar"]
+      [entryPoints.EntryPoint0.http.encodedCharacters]
+        allowEncodedSlash = true
+        allowEncodedBackSlash = true
+        allowEncodedNullCharacter = true
+        allowEncodedSemicolon = true
+        allowEncodedPercent = true
+        allowEncodedQuestionMark = true
+        allowEncodedHash = true
    [entryPoints.EntryPoint0.http2]
      maxConcurrentStreams = 42
    [entryPoints.EntryPoint0.http3]
--- a/docs/content/reference/static-configuration/file.yaml
+++ b/docs/content/reference/static-configuration/file.yaml
@ -62,6 +62,14 @@ entryPoints:
            sans:
              - foobar
              - foobar
+      encodedCharacters:
+        allowEncodedSlash: true
+        allowEncodedBackSlash: true
+        allowEncodedNullCharacter: true
+        allowEncodedSemicolon: true
+        allowEncodedPercent: true
+        allowEncodedQuestionMark: true
+        allowEncodedHash: true
      encodeQuerySemicolons: true
      sanitizePath: true
    http2: