Sanitize request path

2025-04-17 10:02:04 +02:00 · 2025-04-17 10:02:04 +02:00 · dd5cb68cb1
commit dd5cb68cb1
parent 299a16f0a4
12 changed files with 278 additions and 17 deletions
--- a/pkg/server/server_entrypoint_tcp_test.go
+++ b/pkg/server/server_entrypoint_tcp_test.go
@ -8,6 +8,7 @@ import (
 	"io"
 	"net"
 	"net/http"
+	"net/http/httptest"
 	"strings"
 	"testing"
 	"time"
@ -382,3 +383,44 @@ func TestKeepAliveH2c(t *testing.T) {
 	// to change.
 	require.Contains(t, err.Error(), "use of closed network connection")
 }
+
+func TestSanitizePath(t *testing.T) {
+	tests := []struct {
+		path     string
+		expected string
+	}{
+		{path: "/b", expected: "/b"},
+		{path: "/b/", expected: "/b/"},
+		{path: "/../../b/", expected: "/b/"},
+		{path: "/../../b", expected: "/b"},
+		{path: "/a/b/..", expected: "/a"},
+		{path: "/a/b/../", expected: "/a/"},
+		{path: "/a/../../b", expected: "/b"},
+		{path: "/..///b///", expected: "/b/"},
+		{path: "/a/../b", expected: "/b"},
+		{path: "/a/./b", expected: "/a/b"},
+		{path: "/a//b", expected: "/a/b"},
+		{path: "/a/../../b", expected: "/b"},
+		{path: "/a/../c/../b", expected: "/b"},
+		{path: "/a/../../../c/../b", expected: "/b"},
+		{path: "/a/../c/../../b", expected: "/b"},
+		{path: "/a/..//c/.././b", expected: "/b"},
+	}
+
+	for _, test := range tests {
+		t.Run("Testing case: "+test.path, func(t *testing.T) {
+			t.Parallel()
+
+			var callCount int
+			clean := sanitizePath(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				callCount++
+				assert.Equal(t, test.expected, r.URL.Path)
+			}))
+
+			request := httptest.NewRequest(http.MethodGet, "http://foo"+test.path, http.NoBody)
+			clean.ServeHTTP(httptest.NewRecorder(), request)
+
+			assert.Equal(t, 1, callCount)
+		})
+	}
+}