software/rapid-cdn: Protect against rouge websocket-path-list

software/rapid-cdn/buildout.hash.cfg

@@ -30,7 +30,7 @@ md5sum = 3006197ddce87bd92866b76b5ce8ce08
 
 [profile-slave-list]
 filename = instance-slave-list.cfg.in
-md5sum = f6b3d4c6502cc0fa3a5021e436b4771b
+md5sum = 8289620cb32dbdfcca6ba112c7ec7b2b
 
 [profile-master-publish-slave-information]
 filename = instance-master-publish-slave-information.cfg.in

software/rapid-cdn/instance-slave-list.cfg.in

@@ -247,7 +247,7 @@ context =
 {%-     endif %}
 {%-   endif %}
 {%-   set websocket_path_list = [] %}
-{%-   for websocket_path in slave_instance.get('websocket-path-list', '').split() %}
+{%-   for websocket_path in ('' ~ (slave_instance.get('websocket-path-list', '')) or '').split() %}
 {%-     set websocket_path = websocket_path.strip('/') %}
 {#-   Unquote the path, so %20 and similar can be represented correctly #}
 {%-     set websocket_path = urllib_module.parse.unquote(websocket_path.strip()) %}

software/rapid-cdn/test/test.py

@@ -1799,6 +1799,23 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin, AtsMixin):
         'type': 'websocket',
         'websocket-path-list': '////ws//// /with%20space/',
       },
+      'type-websocket-websocket-path-list-none': {
+        'url': cls.backend_url,
+        'type': 'websocket',
+        # Note: With reference SlapOS Master requesting
+        #       'websocket-path-list': '' leads to a problem, as the value for
+        #       the partition is None (type: None), but with slapproxy it is
+        #       required to use None (type: None) in the **request** to lead
+        #       to the same problem. See also
+        #       type-websocket-websocket-path-list-empty
+        'websocket-path-list': None,
+      },
+      'type-websocket-websocket-path-list-empty': {
+        'url': cls.backend_url,
+        'type': 'websocket',
+        # Note: See also type-websocket-websocket-path-list-none
+        'websocket-path-list': '',
+      },
       'type-websocket-websocket-transparent-false': {
         'url': cls.backend_url,
         'type': 'websocket',
@@ -2084,9 +2101,9 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin, AtsMixin):
       'monitor-base-url': 'https://[%s]:8401' % self._ipv6_address,
       'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       'domain': 'example.com',
-      'accepted-slave-amount': '60',
+      'accepted-slave-amount': '62',
       'rejected-slave-amount': '0',
-      'slave-amount': '60',
+      'slave-amount': '62',
       'rejected-slave-dict': {
       },
       'warning-slave-dict': {
@@ -3293,12 +3310,9 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin, AtsMixin):
     self.assertTrue('x-real-ip' in j['Incoming Headers'])
     self.assertHttp1(parameter_dict['domain'])
 
-  def test_type_websocket(self):
-    parameter_dict = self.assertSlaveBase(
-      'type-websocket')
-
+  def _test_type_websocket(self, parameter_dict, path='test-path'):
     result = fakeHTTPSResult(
-      parameter_dict['domain'], 'test-path',
+      parameter_dict['domain'], path,
       headers={'Connection': 'Upgrade'})
 
     self.assertEqual(
@@ -3308,7 +3322,7 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin, AtsMixin):
     self.assertEqualResultJson(
       result,
       'Path',
-      '/test-path'
+      '/' + path
     )
     try:
       j = result.json()
@@ -3323,6 +3337,17 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin, AtsMixin):
     self.assertTrue('x-real-ip' in j['Incoming Headers'])
     self.assertHttp1(parameter_dict['domain'])
 
+  def test_type_websocket(self):
+    self._test_type_websocket(self.assertSlaveBase('type-websocket'))
+
+  def test_type_websocket_websocket_path_list_none(self):
+    self._test_type_websocket(self.assertSlaveBase(
+      'type-websocket-websocket-path-list-none'), 'None')
+
+  def test_type_websocket_websocket_path_list_empty(self):
+    self._test_type_websocket(self.assertSlaveBase(
+      'type-websocket-websocket-path-list-empty'))
+
   def test_type_websocket_websocket_transparent_false(self):
     parameter_dict = self.assertSlaveBase(
       'type-websocket-websocket-transparent-false')

software/rapid-cdn/test/test_data/test.TestEnableHttp2ByDefaultFalseSlave.test00file_list_log.txt

@@ -141,6 +141,12 @@ T-2/var/log/httpd/_type-redirect-custom_domain_access_log
 T-2/var/log/httpd/_type-redirect-custom_domain_frontend_log
 T-2/var/log/httpd/_type-redirect_access_log
 T-2/var/log/httpd/_type-redirect_frontend_log
+T-2/var/log/httpd/_type-websocket-websocket-path-list-empty_access_log
+T-2/var/log/httpd/_type-websocket-websocket-path-list-empty_backend_log
+T-2/var/log/httpd/_type-websocket-websocket-path-list-empty_frontend_log
+T-2/var/log/httpd/_type-websocket-websocket-path-list-none_access_log
+T-2/var/log/httpd/_type-websocket-websocket-path-list-none_backend_log
+T-2/var/log/httpd/_type-websocket-websocket-path-list-none_frontend_log
 T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_access_log
 T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_backend_log
 T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_frontend_log

software/rapid-cdn/test/test_data/test.TestSlave.test00file_list_log.txt

@@ -141,6 +141,12 @@ T-2/var/log/httpd/_type-redirect-custom_domain_access_log
 T-2/var/log/httpd/_type-redirect-custom_domain_frontend_log
 T-2/var/log/httpd/_type-redirect_access_log
 T-2/var/log/httpd/_type-redirect_frontend_log
+T-2/var/log/httpd/_type-websocket-websocket-path-list-empty_access_log
+T-2/var/log/httpd/_type-websocket-websocket-path-list-empty_backend_log
+T-2/var/log/httpd/_type-websocket-websocket-path-list-empty_frontend_log
+T-2/var/log/httpd/_type-websocket-websocket-path-list-none_access_log
+T-2/var/log/httpd/_type-websocket-websocket-path-list-none_backend_log
+T-2/var/log/httpd/_type-websocket-websocket-path-list-none_frontend_log
 T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_access_log
 T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_backend_log
 T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_frontend_log

software/rapid-cdn/test/test_data/test.TestSlaveHttp3.test00file_list_log.txt

@@ -141,6 +141,12 @@ T-2/var/log/httpd/_type-redirect-custom_domain_access_log
 T-2/var/log/httpd/_type-redirect-custom_domain_frontend_log
 T-2/var/log/httpd/_type-redirect_access_log
 T-2/var/log/httpd/_type-redirect_frontend_log
+T-2/var/log/httpd/_type-websocket-websocket-path-list-empty_access_log
+T-2/var/log/httpd/_type-websocket-websocket-path-list-empty_backend_log
+T-2/var/log/httpd/_type-websocket-websocket-path-list-empty_frontend_log
+T-2/var/log/httpd/_type-websocket-websocket-path-list-none_access_log
+T-2/var/log/httpd/_type-websocket-websocket-path-list-none_backend_log
+T-2/var/log/httpd/_type-websocket-websocket-path-list-none_frontend_log
 T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_access_log
 T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_backend_log
 T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_frontend_log