Commit 7b5b1967 authored by Łukasz Nowak's avatar Łukasz Nowak

software/rapid-cdn: Protect against rouge websocket-path-list

parent f38eda19
Pipeline #28276 failed with stage
in 0 seconds
...@@ -30,7 +30,7 @@ md5sum = 3006197ddce87bd92866b76b5ce8ce08 ...@@ -30,7 +30,7 @@ md5sum = 3006197ddce87bd92866b76b5ce8ce08
[profile-slave-list] [profile-slave-list]
filename = instance-slave-list.cfg.in filename = instance-slave-list.cfg.in
md5sum = f6b3d4c6502cc0fa3a5021e436b4771b md5sum = 8289620cb32dbdfcca6ba112c7ec7b2b
[profile-master-publish-slave-information] [profile-master-publish-slave-information]
filename = instance-master-publish-slave-information.cfg.in filename = instance-master-publish-slave-information.cfg.in
......
...@@ -247,7 +247,7 @@ context = ...@@ -247,7 +247,7 @@ context =
{%- endif %} {%- endif %}
{%- endif %} {%- endif %}
{%- set websocket_path_list = [] %} {%- set websocket_path_list = [] %}
{%- for websocket_path in slave_instance.get('websocket-path-list', '').split() %} {%- for websocket_path in ('' ~ (slave_instance.get('websocket-path-list', '')) or '').split() %}
{%- set websocket_path = websocket_path.strip('/') %} {%- set websocket_path = websocket_path.strip('/') %}
{#- Unquote the path, so %20 and similar can be represented correctly #} {#- Unquote the path, so %20 and similar can be represented correctly #}
{%- set websocket_path = urllib_module.parse.unquote(websocket_path.strip()) %} {%- set websocket_path = urllib_module.parse.unquote(websocket_path.strip()) %}
......
...@@ -1799,6 +1799,23 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin, AtsMixin): ...@@ -1799,6 +1799,23 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin, AtsMixin):
'type': 'websocket', 'type': 'websocket',
'websocket-path-list': '////ws//// /with%20space/', 'websocket-path-list': '////ws//// /with%20space/',
}, },
'type-websocket-websocket-path-list-none': {
'url': cls.backend_url,
'type': 'websocket',
# Note: With reference SlapOS Master requesting
# 'websocket-path-list': '' leads to a problem, as the value for
# the partition is None (type: None), but with slapproxy it is
# required to use None (type: None) in the **request** to lead
# to the same problem. See also
# type-websocket-websocket-path-list-empty
'websocket-path-list': None,
},
'type-websocket-websocket-path-list-empty': {
'url': cls.backend_url,
'type': 'websocket',
# Note: See also type-websocket-websocket-path-list-none
'websocket-path-list': '',
},
'type-websocket-websocket-transparent-false': { 'type-websocket-websocket-transparent-false': {
'url': cls.backend_url, 'url': cls.backend_url,
'type': 'websocket', 'type': 'websocket',
...@@ -2084,9 +2101,9 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin, AtsMixin): ...@@ -2084,9 +2101,9 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin, AtsMixin):
'monitor-base-url': 'https://[%s]:8401' % self._ipv6_address, 'monitor-base-url': 'https://[%s]:8401' % self._ipv6_address,
'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address, 'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
'domain': 'example.com', 'domain': 'example.com',
'accepted-slave-amount': '60', 'accepted-slave-amount': '62',
'rejected-slave-amount': '0', 'rejected-slave-amount': '0',
'slave-amount': '60', 'slave-amount': '62',
'rejected-slave-dict': { 'rejected-slave-dict': {
}, },
'warning-slave-dict': { 'warning-slave-dict': {
...@@ -3293,12 +3310,9 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin, AtsMixin): ...@@ -3293,12 +3310,9 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin, AtsMixin):
self.assertTrue('x-real-ip' in j['Incoming Headers']) self.assertTrue('x-real-ip' in j['Incoming Headers'])
self.assertHttp1(parameter_dict['domain']) self.assertHttp1(parameter_dict['domain'])
def test_type_websocket(self): def _test_type_websocket(self, parameter_dict, path='test-path'):
parameter_dict = self.assertSlaveBase(
'type-websocket')
result = fakeHTTPSResult( result = fakeHTTPSResult(
parameter_dict['domain'], 'test-path', parameter_dict['domain'], path,
headers={'Connection': 'Upgrade'}) headers={'Connection': 'Upgrade'})
self.assertEqual( self.assertEqual(
...@@ -3308,7 +3322,7 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin, AtsMixin): ...@@ -3308,7 +3322,7 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin, AtsMixin):
self.assertEqualResultJson( self.assertEqualResultJson(
result, result,
'Path', 'Path',
'/test-path' '/' + path
) )
try: try:
j = result.json() j = result.json()
...@@ -3323,6 +3337,17 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin, AtsMixin): ...@@ -3323,6 +3337,17 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin, AtsMixin):
self.assertTrue('x-real-ip' in j['Incoming Headers']) self.assertTrue('x-real-ip' in j['Incoming Headers'])
self.assertHttp1(parameter_dict['domain']) self.assertHttp1(parameter_dict['domain'])
def test_type_websocket(self):
self._test_type_websocket(self.assertSlaveBase('type-websocket'))
def test_type_websocket_websocket_path_list_none(self):
self._test_type_websocket(self.assertSlaveBase(
'type-websocket-websocket-path-list-none'), 'None')
def test_type_websocket_websocket_path_list_empty(self):
self._test_type_websocket(self.assertSlaveBase(
'type-websocket-websocket-path-list-empty'))
def test_type_websocket_websocket_transparent_false(self): def test_type_websocket_websocket_transparent_false(self):
parameter_dict = self.assertSlaveBase( parameter_dict = self.assertSlaveBase(
'type-websocket-websocket-transparent-false') 'type-websocket-websocket-transparent-false')
......
...@@ -141,6 +141,12 @@ T-2/var/log/httpd/_type-redirect-custom_domain_access_log ...@@ -141,6 +141,12 @@ T-2/var/log/httpd/_type-redirect-custom_domain_access_log
T-2/var/log/httpd/_type-redirect-custom_domain_frontend_log T-2/var/log/httpd/_type-redirect-custom_domain_frontend_log
T-2/var/log/httpd/_type-redirect_access_log T-2/var/log/httpd/_type-redirect_access_log
T-2/var/log/httpd/_type-redirect_frontend_log T-2/var/log/httpd/_type-redirect_frontend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-empty_access_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-empty_backend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-empty_frontend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-none_access_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-none_backend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-none_frontend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_access_log T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_access_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_backend_log T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_backend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_frontend_log T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_frontend_log
......
...@@ -141,6 +141,12 @@ T-2/var/log/httpd/_type-redirect-custom_domain_access_log ...@@ -141,6 +141,12 @@ T-2/var/log/httpd/_type-redirect-custom_domain_access_log
T-2/var/log/httpd/_type-redirect-custom_domain_frontend_log T-2/var/log/httpd/_type-redirect-custom_domain_frontend_log
T-2/var/log/httpd/_type-redirect_access_log T-2/var/log/httpd/_type-redirect_access_log
T-2/var/log/httpd/_type-redirect_frontend_log T-2/var/log/httpd/_type-redirect_frontend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-empty_access_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-empty_backend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-empty_frontend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-none_access_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-none_backend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-none_frontend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_access_log T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_access_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_backend_log T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_backend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_frontend_log T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_frontend_log
......
...@@ -141,6 +141,12 @@ T-2/var/log/httpd/_type-redirect-custom_domain_access_log ...@@ -141,6 +141,12 @@ T-2/var/log/httpd/_type-redirect-custom_domain_access_log
T-2/var/log/httpd/_type-redirect-custom_domain_frontend_log T-2/var/log/httpd/_type-redirect-custom_domain_frontend_log
T-2/var/log/httpd/_type-redirect_access_log T-2/var/log/httpd/_type-redirect_access_log
T-2/var/log/httpd/_type-redirect_frontend_log T-2/var/log/httpd/_type-redirect_frontend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-empty_access_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-empty_backend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-empty_frontend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-none_access_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-none_backend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-none_frontend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_access_log T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_access_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_backend_log T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_backend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_frontend_log T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_frontend_log
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment