3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-06-02 02:42:57 +02:00
Code Issues Projects Releases Packages Wiki Activity

authorize,proxy: remove support for paths within the from parameter

Browse source
This commit is contained in:
Caleb Doxsey 2020-04-16 16:00:00 -06:00 committed by Caleb Doxsey
parent 5ad0e0ebdc
commit 85a1a6d013
5 changed files with 6 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

1
authorize/evaluator/opa/policy/authz.rego
View file

@ -74,7 +74,6 @@ allowed_route_source(input_url_obj, policy) {
object.get(policy, "source", "") != "" object.get(policy, "source", "") != ""
source_url_obj := parse_url(policy.source) source_url_obj := parse_url(policy.source)
input_url_obj.host == source_url_obj.host input_url_obj.host == source_url_obj.host
startswith(input_url_obj.path, source_url_obj.path)
} }
allowed_route_prefix(input_url_obj, policy) { allowed_route_prefix(input_url_obj, policy) {

3
authorize/evaluator/opa/policy/authz_test.rego
View file

@ -54,9 +54,6 @@ test_allowed_route_source {
allowed_route("http://example.com", {"source": "http://example.com"}) allowed_route("http://example.com", {"source": "http://example.com"})
allowed_route("http://example.com", {"source": "https://example.com"}) allowed_route("http://example.com", {"source": "https://example.com"})
not allowed_route("http://example.org", {"source": "example.com"}) not allowed_route("http://example.org", {"source": "example.com"})
allowed_route("http://example.com/some/path", {"source": "https://example.com/some/path"})
allowed_route("http://example.com/some/path", {"source": "https://example.com/some/path?qs"})
not allowed_route("http://example.com/some/other/path", {"source": "https://example.com/some/path"})
} }
test_allowed_route_prefix { test_allowed_route_prefix {

2
authorize/evaluator/opa/policy/statik.go
View file

File diff suppressed because one or more lines are too long

7
proxy/proxy.go
View file

@ -330,10 +330,13 @@ func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// //
// Routes can be filtered by the `source`, `prefix`, `path` and `regex` fields in the policy config. // Routes can be filtered by the `source`, `prefix`, `path` and `regex` fields in the policy config.
func routeMatcherFuncFromPolicy(policy config.Policy) mux.MatcherFunc { func routeMatcherFuncFromPolicy(policy config.Policy) mux.MatcherFunc {
if !(policy.Source.Path == "" || policy.Source.Path == "/") {
log.Warn().Str("source", policy.Source.String()).Msg("proxy: dropping path from %v, should be set using path key")
}
// match by source // match by source
sourceMatches := func(r *http.Request) bool { sourceMatches := func(r *http.Request) bool {
return r.Host == policy.Source.Host && return r.Host == policy.Source.Host
strings.HasPrefix(r.URL.Path, policy.Source.Path)
} }
// match by prefix // match by prefix

8
proxy/proxy_test.go
View file

@ -292,14 +292,6 @@ func TestRouteMatcherFuncFromPolicy(t *testing.T) {
"https://www.google.com", false, "https://www.google.com", false,
"should not match when host is different from source host"}, "should not match when host is different from source host"},
// path prefix in source
{"https://www.example.com/admin", "", "", "",
"https://www.example.com/admin/someaction", true,
"should match when path begins with source path"},
{"https://www.example.com/admin", "", "", "",
"https://www.example.com/notadmin", false,
"should not match when path does not begin with source path"},
// path prefix // path prefix
{"https://www.example.com", "/admin", "", "", {"https://www.example.com", "/admin", "", "",
"https://www.example.com/admin/someaction", true, "https://www.example.com/admin/someaction", true,