Print access logs for rejected requests and warn about new behavior

2025-12-16 16:20:05 +01:00 · 2025-12-16 16:20:05 +01:00 · 60b19b7b81
commit 60b19b7b81
parent e0e49533ab
10 changed files with 371 additions and 147 deletions
--- a/pkg/server/router/router.go
+++ b/pkg/server/router/router.go
@ -36,25 +36,34 @@ type serviceManager interface {

 // Manager A route/router manager.
 type Manager struct {
-	routerHandlers     map[string]http.Handler
-	serviceManager     serviceManager
-	metricsRegistry    metrics.Registry
-	middlewaresBuilder middlewareBuilder
-	chainBuilder       *middleware.ChainBuilder
-	conf               *runtime.Configuration
-	tlsManager         *tls.Manager
+	routerHandlers              map[string]http.Handler
+	serviceManager              serviceManager
+	metricsRegistry             metrics.Registry
+	middlewaresBuilder          middlewareBuilder
+	chainBuilder                *middleware.ChainBuilder
+	conf                        *runtime.Configuration
+	tlsManager                  *tls.Manager
+	deniedEncodedPathCharacters map[string]map[string]struct{}
 }

 // NewManager creates a new Manager.
-func NewManager(conf *runtime.Configuration, serviceManager serviceManager, middlewaresBuilder middlewareBuilder, chainBuilder *middleware.ChainBuilder, metricsRegistry metrics.Registry, tlsManager *tls.Manager) *Manager {
+func NewManager(conf *runtime.Configuration,
+	serviceManager serviceManager,
+	middlewaresBuilder middlewareBuilder,
+	chainBuilder *middleware.ChainBuilder,
+	metricsRegistry metrics.Registry,
+	tlsManager *tls.Manager,
+	deniedEncodedPathCharacters map[string]map[string]struct{},
+) *Manager {
 	return &Manager{
-		routerHandlers:     make(map[string]http.Handler),
-		serviceManager:     serviceManager,
-		metricsRegistry:    metricsRegistry,
-		middlewaresBuilder: middlewaresBuilder,
-		chainBuilder:       chainBuilder,
-		conf:               conf,
-		tlsManager:         tlsManager,
+		routerHandlers:              make(map[string]http.Handler),
+		serviceManager:              serviceManager,
+		metricsRegistry:             metricsRegistry,
+		middlewaresBuilder:          middlewaresBuilder,
+		chainBuilder:                chainBuilder,
+		conf:                        conf,
+		tlsManager:                  tlsManager,
+		deniedEncodedPathCharacters: deniedEncodedPathCharacters,
 	}
 }

@ -73,7 +82,7 @@ func (m *Manager) BuildHandlers(rootCtx context.Context, entryPoints []string, t
 	for entryPointName, routers := range m.getHTTPRouters(rootCtx, entryPoints, tls) {
 		ctx := log.With(rootCtx, log.Str(log.EntryPointName, entryPointName))

-		handler, err := m.buildEntryPointHandler(ctx, routers)
+		handler, err := m.buildEntryPointHandler(ctx, entryPointName, routers)
 		if err != nil {
 			log.FromContext(ctx).Error(err)
 			continue
@ -109,7 +118,7 @@ func (m *Manager) BuildHandlers(rootCtx context.Context, entryPoints []string, t
 	return entryPointHandlers
 }

-func (m *Manager) buildEntryPointHandler(ctx context.Context, configs map[string]*runtime.RouterInfo) (http.Handler, error) {
+func (m *Manager) buildEntryPointHandler(ctx context.Context, entryPointName string, configs map[string]*runtime.RouterInfo) (http.Handler, error) {
 	muxer, err := httpmuxer.NewMuxer()
 	if err != nil {
 		return nil, err
@ -126,7 +135,7 @@ func (m *Manager) buildEntryPointHandler(ctx context.Context, configs map[string
 			continue
 		}

-		handler, err := m.buildRouterHandler(ctxRouter, routerName, routerConfig)
+		handler, err := m.buildRouterHandler(ctxRouter, entryPointName, routerName, routerConfig)
 		if err != nil {
 			routerConfig.AddError(err, true)
 			logger.Error(err)
@ -151,7 +160,7 @@ func (m *Manager) buildEntryPointHandler(ctx context.Context, configs map[string
 	return chain.Then(muxer)
 }

-func (m *Manager) buildRouterHandler(ctx context.Context, routerName string, routerConfig *runtime.RouterInfo) (http.Handler, error) {
+func (m *Manager) buildRouterHandler(ctx context.Context, entryPointName, routerName string, routerConfig *runtime.RouterInfo) (http.Handler, error) {
 	if handler, ok := m.routerHandlers[routerName]; ok {
 		return handler, nil
 	}
@ -167,7 +176,7 @@ func (m *Manager) buildRouterHandler(ctx context.Context, routerName string, rou
 		}
 	}

-	handler, err := m.buildHTTPHandler(ctx, routerConfig, routerName)
+	handler, err := m.buildHTTPHandler(ctx, routerConfig, entryPointName, routerName)
 	if err != nil {
 		return nil, err
 	}
@ -185,7 +194,7 @@ func (m *Manager) buildRouterHandler(ctx context.Context, routerName string, rou
 	return m.routerHandlers[routerName], nil
 }

-func (m *Manager) buildHTTPHandler(ctx context.Context, router *runtime.RouterInfo, routerName string) (http.Handler, error) {
+func (m *Manager) buildHTTPHandler(ctx context.Context, router *runtime.RouterInfo, entryPointName, routerName string) (http.Handler, error) {
 	var qualifiedNames []string
 	for _, name := range router.Middlewares {
 		qualifiedNames = append(qualifiedNames, provider.GetQualifiedName(ctx, name))
@ -217,6 +226,15 @@ func (m *Manager) buildHTTPHandler(ctx context.Context, router *runtime.RouterIn
 		chain = chain.Append(denyrouterrecursion.WrapHandler(routerName))
 	}

+	// Here we are adding deny handlers for encoded path characters and fragment.
+	// Deny handler are only added for root routers, child routers are protected by their parent router deny handlers.
+	chain = chain.Append(func(next http.Handler) (http.Handler, error) {
+		return denyFragment(next), nil
+	})
+	chain = chain.Append(func(next http.Handler) (http.Handler, error) {
+		return denyEncodedPathCharacters(m.deniedEncodedPathCharacters[entryPointName], next), nil
+	})
+
 	return chain.Extend(*mHandler).Append(tHandler).Then(sHandler)
 }