mirror of
https://github.com/status-im/consul.git
synced 2025-01-22 11:40:06 +00:00
Merge pull request #8900 from hashicorp/metrics-proxy-query
Actually proxy the query string too
This commit is contained in:
commit
47d7df5c91
@ -589,6 +589,9 @@ func (s *HTTPHandlers) UIMetricsProxy(resp http.ResponseWriter, req *http.Reques
|
||||
// double slashes etc.
|
||||
u.Path = path.Clean(u.Path)
|
||||
|
||||
// Pass through query params
|
||||
u.RawQuery = req.URL.RawQuery
|
||||
|
||||
// Validate that the full BaseURL is still a prefix - if there was a path
|
||||
// prefix on the BaseURL but an attacker tried to circumvent it with path
|
||||
// traversal then the Clean above would have resolve the /../ components back
|
||||
@ -613,6 +616,8 @@ func (s *HTTPHandlers) UIMetricsProxy(resp http.ResponseWriter, req *http.Reques
|
||||
req.Header.Set(h.Name, h.Value)
|
||||
}
|
||||
|
||||
log.Debug("proxying request", "to", u.String())
|
||||
|
||||
proxy := httputil.ReverseProxy{
|
||||
Director: func(r *http.Request) {
|
||||
r.URL = u
|
||||
|
@ -1566,6 +1566,10 @@ func TestUIEndpoint_MetricsProxy(t *testing.T) {
|
||||
w.Write([]byte("OK"))
|
||||
return
|
||||
}
|
||||
if r.URL.Path == "/some/prefix/query-echo" {
|
||||
w.Write([]byte("RawQuery: " + r.URL.RawQuery))
|
||||
return
|
||||
}
|
||||
if r.URL.Path == "/.passwd" {
|
||||
w.Write([]byte("SECRETS!"))
|
||||
return
|
||||
@ -1680,6 +1684,16 @@ func TestUIEndpoint_MetricsProxy(t *testing.T) {
|
||||
"Authorization": "SECRET_KEY",
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "passes through query params",
|
||||
config: config.UIMetricsProxy{
|
||||
BaseURL: backendURL,
|
||||
},
|
||||
// encoded=test[0]&&test[1]==!@£$%^
|
||||
path: endpointPath + "/query-echo?foo=bar&encoded=test%5B0%5D%26%26test%5B1%5D%3D%3D%21%40%C2%A3%24%25%5E",
|
||||
wantCode: http.StatusOK,
|
||||
wantContains: "RawQuery: foo=bar&encoded=test%5B0%5D%26%26test%5B1%5D%3D%3D%21%40%C2%A3%24%25%5E",
|
||||
},
|
||||
}
|
||||
|
||||
for _, tc := range cases {
|
||||
|
Loading…
x
Reference in New Issue
Block a user