Provide the HTTP path normalization per RFC 3986 (sans case normalization). This addresses CVE-2019-9901. The config HttpConnectionManager.normalize_path needs to be set for each HCM configuration to enable it (default is off). There is also a runtime option http_connection_manager.normalize_path to change this default when not set in HCM. Risk level: Low Testing: New unit and integration tests added. Signed-off-by: Yuchen Dai <silentdai@gmail.com> Signed-off-by: Harvey Tuch <htuch@google.com>
Showing
23 changed files
with
617 additions
and
6 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
#include "common/http/path_utility.h" | ||
|
||
#include "common/chromium_url/url_canon.h" | ||
#include "common/chromium_url/url_canon_stdstring.h" | ||
#include "common/common/logger.h" | ||
|
||
#include "absl/strings/string_view.h" | ||
#include "absl/types/optional.h" | ||
|
||
namespace Envoy { | ||
namespace Http { | ||
|
||
namespace { | ||
absl::optional<std::string> canonicalizePath(absl::string_view original_path) { | ||
std::string canonical_path; | ||
url::Component in_component(0, original_path.size()); | ||
url::Component out_component; | ||
url::StdStringCanonOutput output(&canonical_path); | ||
if (!url::CanonicalizePath(original_path.data(), in_component, &output, &out_component)) { | ||
return absl::nullopt; | ||
} else { | ||
output.Complete(); | ||
return absl::make_optional(std::move(canonical_path)); | ||
} | ||
} | ||
} // namespace | ||
|
||
/* static */ | ||
bool PathUtil::canonicalPath(HeaderEntry& path_header) { | ||
const auto original_path = path_header.value().getStringView(); | ||
// canonicalPath is supposed to apply on path component in URL instead of :path header | ||
const auto query_pos = original_path.find('?'); | ||
auto normalized_path_opt = canonicalizePath( | ||
query_pos == original_path.npos | ||
? original_path | ||
: absl::string_view(original_path.data(), query_pos) // '?' is not included | ||
); | ||
|
||
if (!normalized_path_opt.has_value()) { | ||
return false; | ||
} | ||
auto& normalized_path = normalized_path_opt.value(); | ||
const absl::string_view query_suffix = | ||
query_pos == original_path.npos | ||
? absl::string_view{} | ||
: absl::string_view{original_path.data() + query_pos, original_path.size() - query_pos}; | ||
if (query_suffix.size() > 0) { | ||
normalized_path.insert(normalized_path.end(), query_suffix.begin(), query_suffix.end()); | ||
} | ||
path_header.value(std::move(normalized_path)); | ||
return true; | ||
} | ||
|
||
} // namespace Http | ||
} // namespace Envoy |
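Review bot: `PathUtil::canonicalPath` splits the header value only at the first `?`, so a `#` that reaches `:path` is handed to `canonicalizePath` as ordinary path text and survives into the rewritten header. Whether `url::CanonicalizePath` escapes or keeps it is not visible in this file, but either way a matcher that runs on the normalized path can disagree with a backend that drops the fragment. I would either reject or strip the fragment before the split, or at least state the precondition next to the existing comment: `// Precondition: :path carries no '#fragment'; only the query after '?' is split off and preserved verbatim.` As a smaller point, `original_path.substr(0, query_pos)` would replace the first ternary, since `substr` clamps an `npos` length to the end of the view.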
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
#pragma once | ||
|
||
#include "envoy/http/header_map.h" | ||
|
||
namespace Envoy { | ||
namespace Http { | ||
|
||
/** | ||
* Path helper extracted from chromium project. | ||
*/ | ||
class PathUtil { | ||
public: | ||
// Returns if the normalization succeeds. | ||
// If it is successful, the param will be updated with the normalized path. | ||
static bool canonicalPath(HeaderEntry& path_header); | ||
}; | ||
|
||
} // namespace Http | ||
} // namespace Envoy |
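Review bot: The comment on `canonicalPath` does not say what a `false` return leaves behind or what the caller is expected to do with it. From the implementation in this commit the header is left untouched on failure, so a caller that ignores the result would carry on routing and authorizing on the un-normalized path, which is the situation the normalization is meant to close. I would spell that out, e.g. `// Returns false and leaves path_header unchanged if normalization fails; the caller must not forward the request in that case.`, and add that only the part before the first `?` is normalized while the query is kept verbatim. Marking the declaration `ABSL_MUST_USE_RESULT` would also let the compiler flag an ignored result.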