mirror of
https://github.com/status-im/consul.git
synced 2025-01-22 11:40:06 +00:00
Merge pull request #8900 from hashicorp/metrics-proxy-query
Actually proxy the query string too
commit
47d7df5c91
@ -589,6 +589,9 @@ func (s *HTTPHandlers) UIMetricsProxy(resp http.ResponseWriter, req *http.Reques
|
|||||||
// double slashes etc.
|
// double slashes etc.
|
||||||
u.Path = path.Clean(u.Path)
|
u.Path = path.Clean(u.Path)
|
||||||
|
|
||||||
|
// Pass through query params
|
||||||
|
u.RawQuery = req.URL.RawQuery
|
||||||
|
|
||||||
// Validate that the full BaseURL is still a prefix - if there was a path
|
// Validate that the full BaseURL is still a prefix - if there was a path
|
||||||
// prefix on the BaseURL but an attacker tried to circumvent it with path
|
// prefix on the BaseURL but an attacker tried to circumvent it with path
|
||||||
// traversal then the Clean above would have resolve the /../ components back
|
// traversal then the Clean above would have resolve the /../ components back
|
||||||
@ -613,6 +616,8 @@ func (s *HTTPHandlers) UIMetricsProxy(resp http.ResponseWriter, req *http.Reques
|
|||||||
req.Header.Set(h.Name, h.Value)
|
req.Header.Set(h.Name, h.Value)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
log.Debug("proxying request", "to", u.String())
|
||||||
|
|
||||||
proxy := httputil.ReverseProxy{
|
proxy := httputil.ReverseProxy{
|
||||||
Director: func(r *http.Request) {
|
Director: func(r *http.Request) {
|
||||||
r.URL = u
|
r.URL = u
|
||||||
|
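Review bot: The new `u.RawQuery = req.URL.RawQuery` in the first UIMetricsProxy hunk copies the caller's query string unconditionally, so any query component already on `u` (for example one carried in the configured BaseURL, if `u` is derived from it) is overwritten, and every parameter the client sends reaches the metrics backend unfiltered. The assignment sits before the BaseURL prefix validation, whose body lies outside the hunk, so it is worth confirming that the check cannot be influenced by caller-controlled query text. The added `log.Debug("proxying request", "to", u.String())` in the second hunk now writes that client-supplied query, and any userinfo in the URL, to the debug log. `u.Redacted()` would mask a userinfo password, and logging only `u.Host` and `u.Path` would also keep query-borne tokens out of the log. A comment above the assignment such as `// Query is forwarded verbatim; the backend must treat it as untrusted input.` would record the trust decision.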
@ -1566,6 +1566,10 @@ func TestUIEndpoint_MetricsProxy(t *testing.T) {
|
|||||||
w.Write([]byte("OK"))
|
w.Write([]byte("OK"))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
if r.URL.Path == "/some/prefix/query-echo" {
|
||||||
|
w.Write([]byte("RawQuery: " + r.URL.RawQuery))
|
||||||
|
return
|
||||||
|
}
|
||||||
if r.URL.Path == "/.passwd" {
|
if r.URL.Path == "/.passwd" {
|
||||||
w.Write([]byte("SECRETS!"))
|
w.Write([]byte("SECRETS!"))
|
||||||
return
|
return
|
||||||
@ -1680,6 +1684,16 @@ func TestUIEndpoint_MetricsProxy(t *testing.T) {
|
|||||||
"Authorization": "SECRET_KEY",
|
"Authorization": "SECRET_KEY",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
name: "passes through query params",
|
||||||
|
config: config.UIMetricsProxy{
|
||||||
|
BaseURL: backendURL,
|
||||||
|
},
|
||||||
|
// encoded=test[0]&&test[1]==!@£$%^
|
||||||
|
path: endpointPath + "/query-echo?foo=bar&encoded=test%5B0%5D%26%26test%5B1%5D%3D%3D%21%40%C2%A3%24%25%5E",
|
||||||
|
wantCode: http.StatusOK,
|
||||||
|
wantContains: "RawQuery: foo=bar&encoded=test%5B0%5D%26%26test%5B1%5D%3D%3D%21%40%C2%A3%24%25%5E",
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, tc := range cases {
|
for _, tc := range cases {
|
||||||
|
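Review bot: The added "passes through query params" case covers only a well-formed path against a BaseURL with no query of its own, so nothing in the table pins how the forwarded query interacts with the prefix validation in UIMetricsProxy. A case that appends a query string to a traversal-style path and still expects rejection would catch a regression if the assignment and the validation are reordered later. The `/.passwd` handler suggests such traversal cases already exist outside these hunks. A second case where BaseURL itself carries a query would document whether the caller's query is meant to replace it. The comment `// encoded=test[0]&&test[1]==!@£$%^` could also state that the encoded value is expected back byte-for-byte, i.e. that the proxy must not decode and re-encode it.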