path: Fix merge slash for paths ending with slash and present query args #10922
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 3 commits
April 23, 2020 15:39
|
@jmarantz Can you have a look, please? |
jmarantz
approved these changes
Apr 24, 2020
| const absl::string_view path_suffix = absl::EndsWith(path, "/") ? "/" : absl::string_view(); | ||
| headers.setPath(absl::StrCat(path_prefix, | ||
| absl::StrJoin(absl::StrSplit(path, '/', absl::SkipEmpty()), "/"), | ||
| path_suffix, query)); |
There was a problem hiding this comment.
TBH this transform scares me from a security perspective, but I guess it's off by default so someone has to consciously enable it.
@htuch for visibility and @envoyproxy/senior-maintainers pass
At a glance it looks fine.
There was a problem hiding this comment.
Yeah, it seems this could be a source of potential vulnerability if enabled. @euroelessar do you think this is worth a security advisory? This is all tempered by this not being RFC mandated behavior.
mattklein123
approved these changes
Apr 24, 2020
spenceral
added a commit
to spenceral/envoy
that referenced
this pull request
Apr 27, 2020
Signed-off-by: Spencer Lewis <slewis@squareup.com> * master: fault injection: add support for setting gRPC status (envoyproxy#10841) tests: tag tests that fail on Windows with fails_on_windows (envoyproxy#10940) Fix typo on Postgres Proxy documentation. (envoyproxy#10930) fuzz: improve header/data stop/continue modeling in HCM fuzzer. (envoyproxy#10931) gzip filter: allow setting zlib compressor's chunk size (envoyproxy#10508) http: replace vector/reserve with InlinedVector in codec helper (envoyproxy#10941) stats: add utilities to create stats from a vector of tokens, mixing dynamic and symbolic elements. (envoyproxy#10735) hcm: avoid invoking 100-continue handling on decode filter. (envoyproxy#10929) prometheus stats: Correctly group lines of the same metric name. (envoyproxy#10833) status: Fix ASAN error in Status payload handling (envoyproxy#10906) path: Fix merge slash for paths ending with slash and present query args (envoyproxy#10922) compressor filter: add benchmark (envoyproxy#10464) xray: expected_span_name is not captured by the lambda with MSVC (envoyproxy#10934) ci: update before purge in cleanup (envoyproxy#10938) tracer: Improve test coverage for x-ray (envoyproxy#10890) Revert "init: order dynamic resource initialization to make RTDS always be first (envoyproxy#10362)" (envoyproxy#10919)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Commit Message: Order of path suffix and query string was wrong, so the ending slash was moved to a query. Tests did not cover this scenario so add a new one.
Additional Description: n/a
Risk Level: low (bug fix)
Testing: added unit test
Docs Changes: n/a
Release Notes: added
Fixes #10912