Commit 7b5b1967 authored by Łukasz Nowak's avatar Łukasz Nowak

software/rapid-cdn: Protect against rouge websocket-path-list

parent f38eda19
......@@ -30,7 +30,7 @@ md5sum = 3006197ddce87bd92866b76b5ce8ce08
[profile-slave-list]
filename = instance-slave-list.cfg.in
md5sum = f6b3d4c6502cc0fa3a5021e436b4771b
md5sum = 8289620cb32dbdfcca6ba112c7ec7b2b
[profile-master-publish-slave-information]
filename = instance-master-publish-slave-information.cfg.in
......
......@@ -247,7 +247,7 @@ context =
{%- endif %}
{%- endif %}
{%- set websocket_path_list = [] %}
{%- for websocket_path in slave_instance.get('websocket-path-list', '').split() %}
{%- for websocket_path in ('' ~ (slave_instance.get('websocket-path-list', '')) or '').split() %}
{%- set websocket_path = websocket_path.strip('/') %}
{#- Unquote the path, so %20 and similar can be represented correctly #}
{%- set websocket_path = urllib_module.parse.unquote(websocket_path.strip()) %}
......
......@@ -1799,6 +1799,23 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin, AtsMixin):
'type': 'websocket',
'websocket-path-list': '////ws//// /with%20space/',
},
'type-websocket-websocket-path-list-none': {
'url': cls.backend_url,
'type': 'websocket',
# Note: With reference SlapOS Master requesting
# 'websocket-path-list': '' leads to a problem, as the value for
# the partition is None (type: None), but with slapproxy it is
# required to use None (type: None) in the **request** to lead
# to the same problem. See also
# type-websocket-websocket-path-list-empty
'websocket-path-list': None,
},
'type-websocket-websocket-path-list-empty': {
'url': cls.backend_url,
'type': 'websocket',
# Note: See also type-websocket-websocket-path-list-none
'websocket-path-list': '',
},
'type-websocket-websocket-transparent-false': {
'url': cls.backend_url,
'type': 'websocket',
......@@ -2084,9 +2101,9 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin, AtsMixin):
'monitor-base-url': 'https://[%s]:8401' % self._ipv6_address,
'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
'domain': 'example.com',
'accepted-slave-amount': '60',
'accepted-slave-amount': '62',
'rejected-slave-amount': '0',
'slave-amount': '60',
'slave-amount': '62',
'rejected-slave-dict': {
},
'warning-slave-dict': {
......@@ -3293,12 +3310,9 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin, AtsMixin):
self.assertTrue('x-real-ip' in j['Incoming Headers'])
self.assertHttp1(parameter_dict['domain'])
def test_type_websocket(self):
parameter_dict = self.assertSlaveBase(
'type-websocket')
def _test_type_websocket(self, parameter_dict, path='test-path'):
result = fakeHTTPSResult(
parameter_dict['domain'], 'test-path',
parameter_dict['domain'], path,
headers={'Connection': 'Upgrade'})
self.assertEqual(
......@@ -3308,7 +3322,7 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin, AtsMixin):
self.assertEqualResultJson(
result,
'Path',
'/test-path'
'/' + path
)
try:
j = result.json()
......@@ -3323,6 +3337,17 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin, AtsMixin):
self.assertTrue('x-real-ip' in j['Incoming Headers'])
self.assertHttp1(parameter_dict['domain'])
def test_type_websocket(self):
self._test_type_websocket(self.assertSlaveBase('type-websocket'))
def test_type_websocket_websocket_path_list_none(self):
self._test_type_websocket(self.assertSlaveBase(
'type-websocket-websocket-path-list-none'), 'None')
def test_type_websocket_websocket_path_list_empty(self):
self._test_type_websocket(self.assertSlaveBase(
'type-websocket-websocket-path-list-empty'))
def test_type_websocket_websocket_transparent_false(self):
parameter_dict = self.assertSlaveBase(
'type-websocket-websocket-transparent-false')
......
......@@ -141,6 +141,12 @@ T-2/var/log/httpd/_type-redirect-custom_domain_access_log
T-2/var/log/httpd/_type-redirect-custom_domain_frontend_log
T-2/var/log/httpd/_type-redirect_access_log
T-2/var/log/httpd/_type-redirect_frontend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-empty_access_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-empty_backend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-empty_frontend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-none_access_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-none_backend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-none_frontend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_access_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_backend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_frontend_log
......
......@@ -141,6 +141,12 @@ T-2/var/log/httpd/_type-redirect-custom_domain_access_log
T-2/var/log/httpd/_type-redirect-custom_domain_frontend_log
T-2/var/log/httpd/_type-redirect_access_log
T-2/var/log/httpd/_type-redirect_frontend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-empty_access_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-empty_backend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-empty_frontend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-none_access_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-none_backend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-none_frontend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_access_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_backend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_frontend_log
......
......@@ -141,6 +141,12 @@ T-2/var/log/httpd/_type-redirect-custom_domain_access_log
T-2/var/log/httpd/_type-redirect-custom_domain_frontend_log
T-2/var/log/httpd/_type-redirect_access_log
T-2/var/log/httpd/_type-redirect_frontend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-empty_access_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-empty_backend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-empty_frontend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-none_access_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-none_backend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-none_frontend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_access_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_backend_log
T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_frontend_log
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment