This is an automated email from the ASF dual-hosted git repository.
wenming pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 9fc3833 fix: prevent being hacked by untrusted request_uri (#5458)
9fc3833 is described below
commit 9fc38330e82ce46e2aaabceef7d61708c91782db
Author: 罗泽轩 <[email protected]>
AuthorDate: Tue Nov 9 16:21:27 2021 +0800
fix: prevent being hacked by untrusted request_uri (#5458)
Thanks to Marcin Niemiec for the report.
Signed-off-by: spacewander <[email protected]>
---
apisix/core/ctx.lua | 8 +++++++-
apisix/init.lua | 6 ++++++
t/plugin/uri-blocker.t | 36 ++++++++++++++++++++++++++++++++++++
3 files changed, 49 insertions(+), 1 deletion(-)
diff --git a/apisix/core/ctx.lua b/apisix/core/ctx.lua
index fb77a37..30c7644 100644
--- a/apisix/core/ctx.lua
+++ b/apisix/core/ctx.lua
@@ -119,6 +119,12 @@ do
end
}
+ local no_cacheable_var_names = {
+ -- var.args should not be cached as it can be changed via set_uri_args
+ args = true,
+ is_args = true,
+ }
+
local ngx_var_names = {
upstream_scheme = true,
upstream_host = true,
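Review bot: The comment above `args = true` explains why `args` must not be cached, but `is_args` directly under it gets no explanation, and a reader has to already know that `is_args` ("?" or "") is derived from the current args to see why it belongs in the same list; suggest `-- is_args is derived from args ("?" or "") and changes with it`. It would also help to state the table's contract, since the second hunk in this file makes every name listed here bypass `t._cache` on every read: `-- vars listed here are re-read from ngx.var on every access; add any var that can change after the first read`. Any variable that can change out of band but is not listed here will keep serving its first cached value, which is the property this table exists to guard.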
@@ -224,7 +230,7 @@ do
val = get_var(key, t._request)
end
- if val ~= nil then
+ if val ~= nil and not no_cacheable_var_names[key] then
t._cache[key] = val
end
diff --git a/apisix/init.lua b/apisix/init.lua
index e875bb5..5ef855a 100644
--- a/apisix/init.lua
+++ b/apisix/init.lua
@@ -367,6 +367,12 @@ function _M.http_access_phase()
end
end
+ -- To prevent being hacked by untrusted request_uri, here we
+ -- record the normalized but not rewritten uri as request_uri,
+ -- the original request_uri can be accessed via var.real_request_uri
+ api_ctx.var.real_request_uri = api_ctx.var.request_uri
+ api_ctx.var.request_uri = api_ctx.var.uri .. api_ctx.var.is_args ..
(api_ctx.var.args or "")
+
if router.api.has_route_not_under_apisix() or
core.string.has_prefix(uri, "/apisix/")
then
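Review bot: The new `request_uri` is written through `api_ctx.var`, and from the caching logic in ctx.lua it looks as if a name that is not in `ngx_var_names` only lands in the ctx cache rather than in `ngx.var` itself; if that is right, only code reading `api_ctx.var.request_uri` sees the normalized value while anything reading `ngx.var.request_uri` directly still gets the raw one, which the comment should say and which is worth a grep over the plugins. The comment should also note the encoding change: `var.uri` is nginx's normalized and percent-decoded form, so the rebuilt `request_uri` no longer carries the raw encoding, e.g. `-- note: var.uri is already percent-decoded; consumers must not decode request_uri again, real_request_uri keeps the raw form`. Rebuilding from `var.args` also relies on the first ctx.lua hunk keeping `args`/`is_args` uncached, otherwise a later `set_uri_args` would not be reflected here. The enclosing `_M.http_access_phase` starts before and continues past this hunk.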
diff --git a/t/plugin/uri-blocker.t b/t/plugin/uri-blocker.t
index 0d0bce8..2aee13e 100644
--- a/t/plugin/uri-blocker.t
+++ b/t/plugin/uri-blocker.t
@@ -485,3 +485,39 @@ GET /hello?aa=1
{"error_msg":"access is not allowed"}
--- no_error_log
[error]
+
+
+
+=== TEST 21: add block rule with anchor
+--- config
+location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "plugins": {
+ "uri-blocker": {
+ "block_rules": ["^/internal/"]
+ }
+ },
+ "uri": "/internal/*"
+ }]])
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.print(body)
+ }
+}
+--- request
+GET /t
+
+
+
+=== TEST 22: can't bypass with url without normalization
+--- request
+GET /./internal/x?aa=1
+--- error_code: 403
+--- no_error_log
+[error]
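Review bot: TEST 22 covers only the `/./` form, but the fix relies on nginx's full URI normalization, so a second case with a dot-segment such as `GET /a/../internal/x?aa=1` and one with a merged slash would pin the other normalizations the blocker now inherits rather than leaving them implied. TEST 21 has no `--- response_body` section, so a rule stored differently from what is intended would only surface indirectly through TEST 22; if the neighbouring admin-setup tests in this file assert `passed`, adding `--- response_body` with `passed` keeps this one consistent with them. A companion positive case showing that an allowed path under the same route still returns 200 would also guard against the blocker rejecting everything.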