Fix deny encoded characters

Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
2025-12-23 16:00:05 +01:00 · 2025-12-23 16:00:05 +01:00 · 90ce858347
commit 90ce858347
parent 8ebab1b243
21 changed files with 427 additions and 300 deletions
--- a/pkg/config/static/entrypoints.go
+++ b/pkg/config/static/entrypoints.go
@ -59,12 +59,12 @@ func (ep *EntryPoint) SetDefaults() {

 // HTTPConfig is the HTTP configuration of an entry point.
 type HTTPConfig struct {
-	Redirections          *Redirections     `description:"Set of redirection" json:"redirections,omitempty" toml:"redirections,omitempty" yaml:"redirections,omitempty" export:"true"`
-	Middlewares           []string          `description:"Default middlewares for the routers linked to the entry point." json:"middlewares,omitempty" toml:"middlewares,omitempty" yaml:"middlewares,omitempty" export:"true"`
-	TLS                   *TLSConfig        `description:"Default TLS configuration for the routers linked to the entry point." json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
-	EncodedCharacters     EncodedCharacters `description:"Defines which encoded characters are allowed in the request path." json:"encodedCharacters,omitempty" toml:"encodedCharacters,omitempty" yaml:"encodedCharacters,omitempty" export:"true"`
-	EncodeQuerySemicolons bool              `description:"Defines whether request query semicolons should be URLEncoded." json:"encodeQuerySemicolons,omitempty" toml:"encodeQuerySemicolons,omitempty" yaml:"encodeQuerySemicolons,omitempty" export:"true"`
-	SanitizePath          *bool             `description:"Defines whether to enable request path sanitization (removal of /./, /../ and multiple slash sequences)." json:"sanitizePath,omitempty" toml:"sanitizePath,omitempty" yaml:"sanitizePath,omitempty" export:"true"`
+	Redirections          *Redirections      `description:"Set of redirection" json:"redirections,omitempty" toml:"redirections,omitempty" yaml:"redirections,omitempty" export:"true"`
+	Middlewares           []string           `description:"Default middlewares for the routers linked to the entry point." json:"middlewares,omitempty" toml:"middlewares,omitempty" yaml:"middlewares,omitempty" export:"true"`
+	TLS                   *TLSConfig         `description:"Default TLS configuration for the routers linked to the entry point." json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
+	EncodedCharacters     *EncodedCharacters `description:"Defines which encoded characters are allowed in the request path." json:"encodedCharacters,omitempty" toml:"encodedCharacters,omitempty" yaml:"encodedCharacters,omitempty" export:"true"`
+	EncodeQuerySemicolons bool               `description:"Defines whether request query semicolons should be URLEncoded." json:"encodeQuerySemicolons,omitempty" toml:"encodeQuerySemicolons,omitempty" yaml:"encodeQuerySemicolons,omitempty" export:"true"`
+	SanitizePath          *bool              `description:"Defines whether to enable request path sanitization (removal of /./, /../ and multiple slash sequences)." json:"sanitizePath,omitempty" toml:"sanitizePath,omitempty" yaml:"sanitizePath,omitempty" export:"true"`
 }

 // SetDefaults sets the default values.
@ -84,39 +84,6 @@ type EncodedCharacters struct {
 	AllowEncodedHash          bool `description:"Defines whether requests with encoded hash characters in the path are allowed." json:"allowEncodedHash,omitempty" toml:"allowEncodedHash,omitempty" yaml:"allowEncodedHash,omitempty" export:"true"`
 }

-// Map returns a map of unallowed encoded characters.
-func (h *EncodedCharacters) Map() map[string]struct{} {
-	characters := make(map[string]struct{})
-
-	if !h.AllowEncodedSlash {
-		characters["%2F"] = struct{}{}
-		characters["%2f"] = struct{}{}
-	}
-	if !h.AllowEncodedBackSlash {
-		characters["%5C"] = struct{}{}
-		characters["%5c"] = struct{}{}
-	}
-	if !h.AllowEncodedNullCharacter {
-		characters["%00"] = struct{}{}
-	}
-	if !h.AllowEncodedSemicolon {
-		characters["%3B"] = struct{}{}
-		characters["%3b"] = struct{}{}
-	}
-	if !h.AllowEncodedPercent {
-		characters["%25"] = struct{}{}
-	}
-	if !h.AllowEncodedQuestionMark {
-		characters["%3F"] = struct{}{}
-		characters["%3f"] = struct{}{}
-	}
-	if !h.AllowEncodedHash {
-		characters["%23"] = struct{}{}
-	}
-
-	return characters
-}
-
 // HTTP2Config is the HTTP2 configuration of an entry point.
 type HTTP2Config struct {
 	MaxConcurrentStreams int32 `description:"Specifies the number of concurrent streams per connection that each client is allowed to initiate." json:"maxConcurrentStreams,omitempty" toml:"maxConcurrentStreams,omitempty" yaml:"maxConcurrentStreams,omitempty" export:"true"`
--- a/pkg/config/static/entrypoints_test.go
+++ b/pkg/config/static/entrypoints_test.go
@ -65,161 +65,3 @@ func TestEntryPointProtocol(t *testing.T) {
 		})
 	}
 }
-
-func TestEncodedCharactersMap(t *testing.T) {
-	tests := []struct {
-		name     string
-		config   EncodedCharacters
-		expected map[string]struct{}
-	}{
-		{
-			name: "Handles empty configuration",
-			expected: map[string]struct{}{
-				"%2F": {},
-				"%2f": {},
-				"%5C": {},
-				"%5c": {},
-				"%00": {},
-				"%3B": {},
-				"%3b": {},
-				"%25": {},
-				"%3F": {},
-				"%3f": {},
-				"%23": {},
-			},
-		},
-		{
-			name: "Exclude encoded slash when allowed",
-			config: EncodedCharacters{
-				AllowEncodedSlash: true,
-			},
-			expected: map[string]struct{}{
-				"%5C": {},
-				"%5c": {},
-				"%00": {},
-				"%3B": {},
-				"%3b": {},
-				"%25": {},
-				"%3F": {},
-				"%3f": {},
-				"%23": {},
-			},
-		},
-
-		{
-			name: "Exclude encoded backslash when allowed",
-			config: EncodedCharacters{
-				AllowEncodedBackSlash: true,
-			},
-			expected: map[string]struct{}{
-				"%2F": {},
-				"%2f": {},
-				"%00": {},
-				"%3B": {},
-				"%3b": {},
-				"%25": {},
-				"%3F": {},
-				"%3f": {},
-				"%23": {},
-			},
-		},
-
-		{
-			name: "Exclude encoded null character when allowed",
-			config: EncodedCharacters{
-				AllowEncodedNullCharacter: true,
-			},
-			expected: map[string]struct{}{
-				"%2F": {},
-				"%2f": {},
-				"%5C": {},
-				"%5c": {},
-				"%3B": {},
-				"%3b": {},
-				"%25": {},
-				"%3F": {},
-				"%3f": {},
-				"%23": {},
-			},
-		},
-		{
-			name: "Exclude encoded semicolon when allowed",
-			config: EncodedCharacters{
-				AllowEncodedSemicolon: true,
-			},
-			expected: map[string]struct{}{
-				"%2F": {},
-				"%2f": {},
-				"%5C": {},
-				"%5c": {},
-				"%00": {},
-				"%25": {},
-				"%3F": {},
-				"%3f": {},
-				"%23": {},
-			},
-		},
-		{
-			name: "Exclude encoded percent when allowed",
-			config: EncodedCharacters{
-				AllowEncodedPercent: true,
-			},
-			expected: map[string]struct{}{
-				"%2F": {},
-				"%2f": {},
-				"%5C": {},
-				"%5c": {},
-				"%00": {},
-				"%3B": {},
-				"%3b": {},
-				"%3F": {},
-				"%3f": {},
-				"%23": {},
-			},
-		},
-		{
-			name: "Exclude encoded question mark when allowed",
-			config: EncodedCharacters{
-				AllowEncodedQuestionMark: true,
-			},
-			expected: map[string]struct{}{
-				"%2F": {},
-				"%2f": {},
-				"%5C": {},
-				"%5c": {},
-				"%00": {},
-				"%3B": {},
-				"%3b": {},
-				"%25": {},
-				"%23": {},
-			},
-		},
-		{
-			name: "Exclude encoded hash when allowed",
-			config: EncodedCharacters{
-				AllowEncodedHash: true,
-			},
-			expected: map[string]struct{}{
-				"%2F": {},
-				"%2f": {},
-				"%5C": {},
-				"%5c": {},
-				"%00": {},
-				"%3B": {},
-				"%3b": {},
-				"%25": {},
-				"%3F": {},
-				"%3f": {},
-			},
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			t.Parallel()
-
-			result := test.config.Map()
-			require.Equal(t, test.expected, result)
-		})
-	}
-}