Sanitize request path

2025-04-17 10:02:04 +02:00 · 2025-04-17 10:02:04 +02:00 · dd5cb68cb1
commit dd5cb68cb1
parent 299a16f0a4
12 changed files with 278 additions and 17 deletions
--- a/integration/fixtures/simple_clean_path.toml
+++ b/integration/fixtures/simple_clean_path.toml
@ -0,0 +1,41 @@
+[global]
+  checkNewVersion = false
+  sendAnonymousUsage = false
+
+[entryPoints]
+  [entryPoints.web]
+    address = ":8000"
+  [entryPoints.web2]
+    address = ":8001"
+    [entryPoints.web2.http]
+      sanitizePath = false
+
+[log]
+  level = "DEBUG"
+
+[api]
+  insecure = true
+
+[providers.file]
+  filename = "{{ .SelfFilename }}"
+
+# dynamic configuration
+[http.routers]
+  [http.routers.without]
+    rule = "PathPrefix(`/without`)"
+    service = "whoami"
+
+  [http.routers.with]
+    rule = "PathPrefix(`/with`)"
+    middlewares = ["test-redirectscheme"]
+    service = "whoami"
+
+[http.middlewares]
+  [http.middlewares.test-redirectscheme.redirectScheme]
+    scheme = "https"
+    permanent = false
+
+[http.services]
+  [http.services.whoami.loadBalancer]
+    [[http.services.whoami.loadBalancer.servers]]
+      url = "{{ .Server1 }}"
--- a/integration/https_test.go
+++ b/integration/https_test.go
@ -937,11 +937,6 @@ func (s *HTTPSSuite) TestEntryPointHttpsRedirectAndPathModification() {
 			hosts: []string{"example.com", "example2.com", "foo.com", "foo2.com", "bar.com", "bar2.com"},
 			path:  "/api/",
 		},
-		{
-			desc:  "Stripped URL with double trailing slash redirect",
-			hosts: []string{"example.com", "example2.com", "foo.com", "foo2.com", "bar.com", "bar2.com"},
-			path:  "/api//",
-		},
 		{
 			desc:  "Stripped URL with path redirect",
 			hosts: []string{"example.com", "example2.com", "foo.com", "foo2.com", "bar.com", "bar2.com"},
@ -952,21 +947,11 @@ func (s *HTTPSSuite) TestEntryPointHttpsRedirectAndPathModification() {
 			hosts: []string{"example.com", "example2.com", "foo.com", "foo2.com", "bar.com", "bar2.com"},
 			path:  "/api/bacon/",
 		},
-		{
-			desc:  "Stripped URL with path and double trailing slash redirect",
-			hosts: []string{"example.com", "example2.com", "foo.com", "foo2.com", "bar.com", "bar2.com"},
-			path:  "/api/bacon//",
-		},
 		{
 			desc:  "Root Path with redirect",
 			hosts: []string{"test.com", "test2.com", "pow.com", "pow2.com"},
 			path:  "/",
 		},
-		{
-			desc:  "Root Path with double trailing slash redirect",
-			hosts: []string{"test.com", "test2.com", "pow.com", "pow2.com"},
-			path:  "//",
-		},
 		{
 			desc:  "Path modify with redirect",
 			hosts: []string{"test.com", "test2.com", "pow.com", "pow2.com"},
--- a/integration/simple_test.go
+++ b/integration/simple_test.go
@ -1385,3 +1385,88 @@ func (s *SimpleSuite) TestDenyFragment() {
 	require.NoError(s.T(), err)
 	assert.Equal(s.T(), http.StatusBadRequest, resp.StatusCode)
 }
+
+func (s *SimpleSuite) TestSanitizePath() {
+	s.createComposeProject("base")
+
+	s.composeUp()
+	defer s.composeDown()
+
+	whoami1URL := "http://" + net.JoinHostPort(s.getComposeServiceIP("whoami1"), "80")
+
+	file := s.adaptFile("fixtures/simple_clean_path.toml", struct {
+		Server1 string
+	}{whoami1URL})
+
+	s.traefikCmd(withConfigFile(file))
+
+	err := try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("PathPrefix(`/with`)"))
+	require.NoError(s.T(), err)
+
+	testCases := []struct {
+		desc     string
+		request  string
+		target   string
+		body     string
+		expected int
+	}{
+		{
+			desc:     "Explicit call to the route with a middleware",
+			request:  "GET /with HTTP/1.1\r\nHost: other.localhost\r\n\r\n",
+			target:   "127.0.0.1:8000",
+			expected: http.StatusFound,
+		},
+		{
+			desc:     "Explicit call to the route without a middleware",
+			request:  "GET /without HTTP/1.1\r\nHost: other.localhost\r\n\r\n",
+			target:   "127.0.0.1:8000",
+			expected: http.StatusOK,
+			body:     "GET /without HTTP/1.1",
+		},
+		{
+			desc:     "Implicit call to the route with a middleware",
+			request:  "GET /without/../with HTTP/1.1\r\nHost: other.localhost\r\n\r\n",
+			target:   "127.0.0.1:8000",
+			expected: http.StatusFound,
+		},
+		{
+			desc:     "Explicit call to the route with a middleware, and disable path sanitization",
+			request:  "GET /with HTTP/1.1\r\nHost: other.localhost\r\n\r\n",
+			target:   "127.0.0.1:8001",
+			expected: http.StatusFound,
+		},
+		{
+			desc:     "Explicit call to the route without a middleware, and disable path sanitization",
+			request:  "GET /without HTTP/1.1\r\nHost: other.localhost\r\n\r\n",
+			target:   "127.0.0.1:8001",
+			expected: http.StatusOK,
+			body:     "GET /without HTTP/1.1",
+		},
+		{
+			desc:    "Implicit call to the route with a middleware, and disable path sanitization",
+			request: "GET /without/../with HTTP/1.1\r\nHost: other.localhost\r\n\r\n",
+			target:  "127.0.0.1:8001",
+			// The whoami is redirecting to /with, but the path is not sanitized.
+			expected: http.StatusMovedPermanently,
+		},
+	}
+
+	for _, test := range testCases {
+		conn, err := net.Dial("tcp", test.target)
+		require.NoError(s.T(), err)
+
+		_, err = conn.Write([]byte(test.request))
+		require.NoError(s.T(), err)
+
+		resp, err := http.ReadResponse(bufio.NewReader(conn), nil)
+		require.NoError(s.T(), err)
+
+		assert.Equalf(s.T(), test.expected, resp.StatusCode, "%s failed with %d instead of %d", test.desc, resp.StatusCode, test.expected)
+
+		if test.body != "" {
+			body, err := io.ReadAll(resp.Body)
+			require.NoError(s.T(), err)
+			assert.Contains(s.T(), string(body), test.body)
+		}
+	}
+}