Merge branch 'sh-avoid-trailing-slash-in-proxy' into 'master'

Omit trailing slash when proxying pre-authorized routes with no suffix See merge request gitlab-org/gitlab!61638

Merge branch 'sh-avoid-trailing-slash-in-proxy' into 'master'
Omit trailing slash when proxying pre-authorized routes with no suffix See merge request gitlab-org/gitlab!61638
fe7e3723 · Nick Thomas · b10f0478 · 79fc9f2b · fe7e3723 · fe7e3723
Commit fe7e3723 authored May 13, 2021 by Nick Thomas
3 changed files
--- a/changelogs/unreleased/sh-avoid-trailing-slash-in-proxy.yml
+++ b/changelogs/unreleased/sh-avoid-trailing-slash-in-proxy.yml
+---
+title: Omit trailing slash when proxying pre-authorized routes with no suffix
+merge_request: 61638
+author:
+type: fixed
--- a/workhorse/internal/api/api.go
+++ b/workhorse/internal/api/api.go
@@ -168,7 +168,10 @@ func singleJoiningSlash(a, b string) string {

 // joinURLPath is taken from reverseproxy.go:joinURLPath
 func joinURLPath(a *url.URL, b string) (path string, rawpath string) {
-	if a.RawPath == "" && b == "" {
+	// Avoid adding a trailing slash if the suffix is empty
+	if b == "" {
+		return a.Path, a.RawPath
+	} else if a.RawPath == "" {
 		return singleJoiningSlash(a.Path, b), ""
 	}


--- a/workhorse/main_test.go
+++ b/workhorse/main_test.go
@@ -536,7 +536,11 @@ func TestApiContentTypeBlock(t *testing.T) {
 func TestAPIFalsePositivesAreProxied(t *testing.T) {
 	goodResponse := []byte(`<html></html>`)
 	ts := testhelper.TestServerWithHandler(regexp.MustCompile(`.`), func(w http.ResponseWriter, r *http.Request) {
-		if r.Header.Get(secret.RequestHeader) != "" && r.Method != "GET" {
+		url := r.URL.String()
+		if url[len(url)-1] == '/' {
+			w.WriteHeader(500)
+			w.Write([]byte("PreAuthorize request included a trailing slash"))
+		} else if r.Header.Get(secret.RequestHeader) != "" && r.Method != "GET" {
 			w.WriteHeader(500)
 			w.Write([]byte("non-GET request went through PreAuthorize handler"))
 		} else {