Skip to content

Commit 067c09f

Browse files
authored
fix(agent): validate request path before forwarding to ExApp (#105)
Signed-off-by: Oleksander Piskun <oleksandr2088@icloud.com>
1 parent e0079d1 commit 067c09f

1 file changed

Lines changed: 8 additions & 0 deletions

File tree

haproxy_agent.py

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -29,6 +29,9 @@
2929
from pydantic import BaseModel, Field, ValidationError, computed_field, model_validator
3030

3131
APPID_PATTERN = re.compile(r"(?:^|/)exapps/([^/]+)")
32+
# Matches `..` path segments in any literal/encoded form: separators can be `/` or %2F,
33+
# the dots themselves can be `.` or %2E (any case combination, e.g. `..`, `%2e.`, `%2E%2e`).
34+
DOT_DOT_SEGMENT_PATTERN = re.compile(r"(?:^|/|%2[fF])(?:\.|%2[eE]){2}(?:/|%2[fF]|$)")
3235
SHARED_KEY = os.environ.get("HP_SHARED_KEY")
3336
NC_INSTANCE_URL = os.environ.get("NC_INSTANCE_URL")
3437
SPOA_ADDRESS = os.environ.get("HP_SPOA_ADDRESS", "127.0.0.1:9600")
@@ -395,6 +398,11 @@ async def exapps_msg(
395398
LOGGER.warning("IP %s is banned due to excessive failed attempts.", client_ip_str)
396399
return reply.set_txn_var("bad_request", 1)
397400

401+
if DOT_DOT_SEGMENT_PATTERN.search(path):
402+
LOGGER.warning("Rejecting path with parent-directory segment: %s (client_ip=%s)", path, client_ip_str)
403+
await record_failure_unless_trusted(client_ip_str, request_headers)
404+
return reply.set_txn_var("bad_request", 1)
405+
398406
match = APPID_PATTERN.search(path)
399407
if not match:
400408
LOGGER.error("Invalid request path, cannot find AppID: %s", path)

0 commit comments

Comments
 (0)