From f11b759ddfb1c5189257a4105f8d9737e124d26b Mon Sep 17 00:00:00 2001
From: Paul Banks
Date: Fri, 9 Oct 2020 12:25:17 +0100
Subject: [PATCH] Actually proxy the query string too

---
 agent/ui_endpoint.go | 5 +++++
 agent/ui_endpoint_test.go | 14 ++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/agent/ui_endpoint.go b/agent/ui_endpoint.go
index 0b2e820b62..07729d99b3 100644
--- a/agent/ui_endpoint.go
+++ b/agent/ui_endpoint.go
@@ -589,6 +589,9 @@ func (s *HTTPHandlers) UIMetricsProxy(resp http.ResponseWriter, req *http.Reques
 	// double slashes etc.
 	u.Path = path.Clean(u.Path)
 
+	// Pass through query params
+	u.RawQuery = req.URL.RawQuery
+
 	// Validate that the full BaseURL is still a prefix - if there was a path
 	// prefix on the BaseURL but an attacker tried to circumvent it with path
 	// traversal then the Clean above would have resolve the /../ components back
@@ -613,6 +616,8 @@ func (s *HTTPHandlers) UIMetricsProxy(resp http.ResponseWriter, req *http.Reques
 		req.Header.Set(h.Name, h.Value)
 	}
 
+	log.Debug("proxying request", "to", u.String())
+
 	proxy := httputil.ReverseProxy{
 		Director: func(r *http.Request) {
 			r.URL = u
diff --git a/agent/ui_endpoint_test.go b/agent/ui_endpoint_test.go
index 9cdbe02f8c..784b6e0db9 100644
--- a/agent/ui_endpoint_test.go
+++ b/agent/ui_endpoint_test.go
@@ -1566,6 +1566,10 @@ func TestUIEndpoint_MetricsProxy(t *testing.T) {
 			w.Write([]byte("OK"))
 			return
 		}
+		if r.URL.Path == "/some/prefix/query-echo" {
+			w.Write([]byte("RawQuery: " + r.URL.RawQuery))
+			return
+		}
 		if r.URL.Path == "/.passwd" {
 			w.Write([]byte("SECRETS!"))
 			return
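Review bot: `u.RawQuery = req.URL.RawQuery` forwards the client's query string to the backend byte-for-byte, while the BaseURL prefix validation that follows only inspects `u.Path`, so the query is now the one component of the upstream URL the handler does not constrain; if the configured BaseURL itself carries a query, the assignment also replaces it rather than merging. That is presumably intended for a metrics proxy, but the comment should record it: `// Pass through the client's query string verbatim: the prefix check below covers only the path, and any query on BaseURL is replaced here.` UIMetricsProxy starts and ends outside the hunk, so how u is derived from BaseURL cannot be confirmed from here.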
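Review bot: `log.Debug("proxying request", "to", u.String())` writes the full upstream URL, which after this commit includes the forwarded query string, into the debug log; query strings routinely carry tokens or API keys, so this can persist secrets in log output even though the configured headers set just above are kept out of the message. Log the target without the query, e.g. `log.Debug("proxying request", "to", u.Scheme+"://"+u.Host+u.Path)`, or clear `RawQuery` on a copy of u before calling String(). The `log` value is defined outside the hunk, so whether debug output is filtered in production cannot be confirmed here.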
@@ -1680,6 +1684,16 @@ func TestUIEndpoint_MetricsProxy(t *testing.T) {
 			"Authorization": "SECRET_KEY",
 		},
 	},
+	{
+		name: "passes through query params",
+		config: config.UIMetricsProxy{
+			BaseURL: backendURL,
+		},
+		// encoded=test[0]&&test[1]==!@£$%^
+		path: endpointPath + "/query-echo?foo=bar&encoded=test%5B0%5D%26%26test%5B1%5D%3D%3D%21%40%C2%A3%24%25%5E",
+		wantCode: http.StatusOK,
+		wantContains: "RawQuery: foo=bar&encoded=test%5B0%5D%26%26test%5B1%5D%3D%3D%21%40%C2%A3%24%25%5E",
+	},
 }
 
 for _, tc := range cases {