caddy-frontend: Validate backend url stricter

c6fbeaeb · Łukasz Nowak · b81ed2ea · c6fbeaeb · c6fbeaeb · c6fbeaeb
Commit c6fbeaeb authored Jul 14, 2020 by Łukasz Nowak
3 changed files
--- a/software/caddy-frontend/buildout.hash.cfg
+++ b/software/caddy-frontend/buildout.hash.cfg
@@ -26,7 +26,7 @@ md5sum = 23237969bbd9e974ac674b2052e8d67c

 [template-caddy-replicate]
 filename = instance-apache-replicate.cfg.in
-md5sum = 5dabdbf51d20bf9e9e277e5b84d58b7e
+md5sum = dac4ed5b4c95b6905f48bab8769ca236

 [template-slave-list]
 _update_hash_filename_ = templates/apache-custom-slave-list.cfg.in

--- a/software/caddy-frontend/instance-apache-replicate.cfg.in
+++ b/software/caddy-frontend/instance-apache-replicate.cfg.in
@@ -138,12 +138,12 @@ context =
 {%     do slave.__setitem__('server-alias', ' '.join(slave_server_alias_unclashed)) %}
 {%   endif %}
 {%   if slave.get('url') %}
-{%     if subprocess_module.call([caddy_backend_url_validator, '' ~ slave['url']]) == 1 %}
+{%     if subprocess_module.call([caddy_backend_url_validator, '' ~ slave['url']]) == 1 or not validators.url('' ~ slave['url']) %}
 {%       do slave_error_list.append('slave url %r invalid' % (slave['url'],)) %}
 {%     endif %}
 {%   endif %}
 {%   if slave.get('https-url') %}
-{%     if subprocess_module.call([caddy_backend_url_validator, '' ~ slave['https-url']]) == 1 %}
+{%     if subprocess_module.call([caddy_backend_url_validator, '' ~ slave['https-url']]) == 1 or not validators.url('' ~ slave['https-url']) %}
 {%       do slave_error_list.append('slave https-url %r invalid' % (slave['https-url'],)) %}
 {%     endif %}
 {%   endif %}

--- a/software/caddy-frontend/test/test.py
+++ b/software/caddy-frontend/test/test.py
@@ -6065,6 +6065,10 @@ class TestSlaveRejectReportUnsafeDamaged(SlaveHttpFrontendTestCase):
        'ssl-proxy-verify': True,
        'ssl_proxy_ca_crt': 'damaged',
      },
+      'bad-backend': {
+        'url': 'http://1:2:3:4',
+        'https-url': 'http://host.domain:badport',
+      },
      'custom_domain-unsafe': {
        'custom_domain': '${section:option} afterspace\nafternewline',
      },
@@ -6133,8 +6137,8 @@ class TestSlaveRejectReportUnsafeDamaged(SlaveHttpFrontendTestCase):
      'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
      'domain': 'example.com',
      'accepted-slave-amount': '7',
-      'rejected-slave-amount': '11',
-      'slave-amount': '18',
+      'rejected-slave-amount': '12',
+      'slave-amount': '19',
      'rejected-slave-dict': {
        '_https-url': ['slave https-url "https://[fd46::c2ae]:!py!u\'123123\'"'
                       ' invalid'],
@@ -6160,6 +6164,9 @@ class TestSlaveRejectReportUnsafeDamaged(SlaveHttpFrontendTestCase):
          "ssl_ca_crt is present, so ssl_crt and ssl_key are required"],
        '_ssl_key-ssl_crt-unsafe': [
          "slave ssl_key and ssl_crt does not match"],
+        '_bad-backend': [
+          "slave url 'http://1:2:3:4' invalid",
+          "slave https-url 'http://host.domain:badport' invalid"],
      },
      'warning-slave-dict': {
        '_ssl_ca_crt_only': [
@@ -6511,3 +6518,14 @@ class TestSlaveRejectReportUnsafeDamaged(SlaveHttpFrontendTestCase):
      },
      parameter_dict
    )
+
+  def test_bad_backend(self):
+    parameter_dict = self.parseSlaveParameterDict('bad-backend')
+    self.assertEqual(
+      {
+        'request-error-list': [
+          "slave url 'http://1:2:3:4' invalid",
+          "slave https-url 'http://host.domain:badport' invalid"],
+      },
+      parameter_dict
+    )