From 19c2ea23af698cf112357d240b15fe4d1d2c5d33 Mon Sep 17 00:00:00 2001
From: Taufan Adhitya
Date: Wed, 11 Sep 2024 18:49:51 +0700
Subject: [PATCH 01/13] feat: disabled filter logic

---
 controller.go | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/controller.go b/controller.go
index 8b78cdaf..77adb228 100644
--- a/controller.go
+++ b/controller.go
@@ -755,13 +755,13 @@ func AuthProxy(
 // validate sub path
 forwardedPath := paths[1]
- subPath := strings.Split(forwardedPath, "/")
- if _, exist := allowedAuthPathMap[subPath[1]]; !exist {
- ctx.Response.SetStatusCode(fasthttp.StatusNotFound)
- errResponse := "{ \"messages\": \"resource not found\"}"
- ctx.Response.SetBodyString(errResponse)
- return
- }
+ // subPath := strings.Split(forwardedPath, "/")
+ // if _, exist := allowedAuthPathMap[subPath[1]]; !exist {
+ // ctx.Response.SetStatusCode(fasthttp.StatusNotFound)
+ // errResponse := "{ \"messages\": \"resource not found\"}"
+ // ctx.Response.SetBodyString(errResponse)
+ // return
+ // }
 proxyUrl := fmt.Sprintf("%s/auth/v1%s", config.SupabasePublicUrl, forwardedPath)
 req.SetRequestURI(proxyUrl)

From 8ce08d46360e091f2d38d924bad9d3ae12ff72fe Mon Sep 17 00:00:00 2001
From: Taufan Adhitya
Date: Wed, 11 Sep 2024 18:56:50 +0700
Subject: [PATCH 02/13] fix: check both subpaths

---
 controller.go | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/controller.go b/controller.go
index 77adb228..5ed7f116 100644
--- a/controller.go
+++ b/controller.go
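Review bot: With the seven lines of the sub-path allowlist commented out, every request that reaches this point is forwarded to `config.SupabasePublicUrl` under `/auth/v1` with no check on `forwardedPath`, so this intermediate state of the series removes the only path filter visible in AuthProxy. If the filter is meant to be off temporarily, a one-line comment above the block stating why and what restores it would help; otherwise delete the dead code instead of commenting it out, since version control keeps the history. AuthProxy's body starts and ends outside the hunk.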
@@ -755,13 +755,15 @@ func AuthProxy(
 // validate sub path
 forwardedPath := paths[1]
- // subPath := strings.Split(forwardedPath, "/")
- // if _, exist := allowedAuthPathMap[subPath[1]]; !exist {
- // ctx.Response.SetStatusCode(fasthttp.StatusNotFound)
- // errResponse := "{ \"messages\": \"resource not found\"}"
- // ctx.Response.SetBodyString(errResponse)
- // return
- // }
+ subPath := strings.Split(forwardedPath, "/")
+ if _, exist0 := allowedAuthPathMap[subPath[0]]; !exist0 {
+ if _, exist1 := allowedAuthPathMap[subPath[1]]; !exist1 {
+ ctx.Response.SetStatusCode(fasthttp.StatusNotFound)
+ errResponse := "{ \"messages\": \"resource not found\"}"
+ ctx.Response.SetBodyString(errResponse)
+ return
+ }
+ }
 proxyUrl := fmt.Sprintf("%s/auth/v1%s", config.SupabasePublicUrl, forwardedPath)
 req.SetRequestURI(proxyUrl)

From e19474386e2245a5ba762e0a794dd5272675e0d3 Mon Sep 17 00:00:00 2001
From: Taufan Adhitya
Date: Wed, 11 Sep 2024 19:14:29 +0700
Subject: [PATCH 03/13] fix: remove potential queries or other excess

---
 controller.go | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/controller.go b/controller.go
index 5ed7f116..c3e23805 100644
--- a/controller.go
+++ b/controller.go
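Review bot: `subPath[1]` on the third added line panics with an index-out-of-range whenever `forwardedPath` contains no `/` (for the empty string `strings.Split` returns a one-element slice), and the same indexing survives as `segments[1]` in [PATCH 03/13]. Guard the length before indexing, e.g. `if len(subPath) < 2 { subPath = append(subPath, "") }`, or only consult the element that actually carries the resource name. Splitting the raw `forwardedPath` also leaves any query string inside the last element, so the lookup compares against more than the path. Whether the surrounding server recovers from panics in handlers is not visible here; AuthProxy's body starts and ends outside the hunk.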
@@ -755,9 +755,17 @@ func AuthProxy(
 // validate sub path
 forwardedPath := paths[1]
- subPath := strings.Split(forwardedPath, "/")
- if _, exist0 := allowedAuthPathMap[subPath[0]]; !exist0 {
- if _, exist1 := allowedAuthPathMap[subPath[1]]; !exist1 {
+ parsedURL, err := url.Parse(forwardedPath)
+ if err != nil {
+ ctx.Response.SetStatusCode(fasthttp.StatusBadRequest)
+ errResponse := "{ \"messages\": \"invalid request\"}"
+ ctx.Response.SetBodyString(errResponse)
+ return
+ }
+
+ segments := strings.Split(strings.Trim(parsedURL.Path, "/"), "/")
+ if _, exist0 := allowedAuthPathMap[segments[0]]; !exist0 {
+ if _, exist1 := allowedAuthPathMap[segments[1]]; !exist1 {
 ctx.Response.SetStatusCode(fasthttp.StatusNotFound)
 errResponse := "{ \"messages\": \"resource not found\"}"
 ctx.Response.SetBodyString(errResponse)

From ce55e6732525c4d1d0748506f12bc34fc0906028 Mon Sep 17 00:00:00 2001
From: Taufan Adhitya
Date: Wed, 11 Sep 2024 19:17:52 +0700
Subject: [PATCH 04/13] fix: check only first segment

---
 controller.go | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/controller.go b/controller.go
index c3e23805..94b845c1 100644
--- a/controller.go
+++ b/controller.go
@@ -764,13 +764,11 @@ func AuthProxy(
 }
 segments := strings.Split(strings.Trim(parsedURL.Path, "/"), "/")
- if _, exist0 := allowedAuthPathMap[segments[0]]; !exist0 {
- if _, exist1 := allowedAuthPathMap[segments[1]]; !exist1 {
- ctx.Response.SetStatusCode(fasthttp.StatusNotFound)
- errResponse := "{ \"messages\": \"resource not found\"}"
- ctx.Response.SetBodyString(errResponse)
- return
- }
+ if _, exist := allowedAuthPathMap[segments[0]]; !exist {
+ ctx.Response.SetStatusCode(fasthttp.StatusNotFound)
+ errResponse := "{ \"messages\": \"resource not found\"}"
+ ctx.Response.SetBodyString(errResponse)
+ return
 }
 proxyUrl := fmt.Sprintf("%s/auth/v1%s", config.SupabasePublicUrl, forwardedPath)

From 1f9c59bd7a4e556b842b15ad599542cb66ba1e5a Mon Sep 17 00:00:00 2001
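Review bot: In [PATCH 04/13] the allowlist decision is taken on `segments[0]`, derived from `parsedURL.Path`, while the upstream URL two lines later is still built from the raw `forwardedPath`; `url.Parse` does not normalize dot segments or collapse repeated slashes, so unless `paths[1]` is already normalized before it reaches AuthProxy (not visible here), the first segment checked is not necessarily the one the upstream routes on. Normalize once and use the result for both decisions, e.g. `cleanPath := path.Clean("/" + parsedURL.Path)` followed by `segments := strings.Split(strings.Trim(cleanPath, "/"), "/")`, and build `proxyUrl` from `cleanPath` (re-appending `parsedURL.RawQuery` when non-empty) rather than from `forwardedPath`. Checking only the first segment is a fair simplification if every allowed first segment maps to one upstream resource family; a comment naming that assumption above the lookup would help the next reader. AuthProxy's body starts and ends outside the hunk.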
From: Taufan Adhitya
Date: Wed, 11 Sep 2024 19:24:37 +0700
Subject: [PATCH 05/13] test: bad request on non-segmented path

---
 controller_test.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/controller_test.go b/controller_test.go
index 9704033a..39c45c2a 100644
--- a/controller_test.go
+++ b/controller_test.go
@@ -355,11 +355,17 @@ func TestAuthProxy_NotAllowedPath(t *testing.T) {
 func(resp *fasthttp.Response) error { return nil },
 )
+ ctx.Request.SetRequestURI("/auth/v1/")
+ handler(ctx.RequestCtx)
+ assert.Equal(t, fasthttp.StatusBadRequest, ctx.Response.StatusCode())
+
 ctx.Request.SetRequestURI("/auth/v1/anymore")
 handler(ctx.RequestCtx)
 assert.Equal(t, fasthttp.StatusNotFound, ctx.Response.StatusCode())
 }
+
+
 func TestAuthProxy_AllowedWithSpecificPath(t *testing.T) {
 ctx := &mock.MockContext{
 RequestCtx: &fasthttp.RequestCtx{},

From 5d03ef3989992aa42188ed5f5ab79b4e3bf87f80 Mon Sep 17 00:00:00 2001
From: Taufan Adhitya
Date: Wed, 11 Sep 2024 19:25:56 +0700
Subject: [PATCH 06/13] linter

---
 controller_test.go | 2 --
 1 file changed, 2 deletions(-)

diff --git a/controller_test.go b/controller_test.go
index 39c45c2a..8a16ceb3 100644
--- a/controller_test.go
+++ b/controller_test.go
@@ -364,8 +364,6 @@ func TestAuthProxy_NotAllowedPath(t *testing.T) {
 assert.Equal(t, fasthttp.StatusNotFound, ctx.Response.StatusCode())
 }
-
-
 func TestAuthProxy_AllowedWithSpecificPath(t *testing.T) {
 ctx := &mock.MockContext{
 RequestCtx: &fasthttp.RequestCtx{},

From 2b92307c938a46970bfba9431d71a0729f620c9c Mon Sep 17 00:00:00 2001
From: Taufan Adhitya
Date: Wed, 11 Sep 2024 19:27:37 +0700
Subject: [PATCH 07/13] test: bad request on non-segmented path

---
 controller_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/controller_test.go b/controller_test.go
index 8a16ceb3..b1e8872e 100644
--- a/controller_test.go
+++ b/controller_test.go
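Review bot: The new assertion in [PATCH 05/13] expects `fasthttp.StatusBadRequest` for `/auth/v1/`, but nothing in the handler as it stands after [PATCH 04/13] yields that status for this input: `url.Parse` accepts a bare `/`, `strings.Trim` reduces it to the empty string, and the lookup of `""` in `allowedAuthPathMap` falls into the `StatusNotFound` branch (assuming `paths[1]` is the remainder after the `/auth/v1` prefix, which is outside the hunk). A test named for the bad-request case should use an input that actually fails `url.Parse`, or assert `StatusNotFound` and be renamed to say so. The two blank lines added after the closing brace of TestAuthProxy_NotAllowedPath are formatting noise that the next patch removes. TestAuthProxy_NotAllowedPath starts outside the hunk.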
@@ -355,7 +355,7 @@ func TestAuthProxy_NotAllowedPath(t *testing.T) {
 func(resp *fasthttp.Response) error { return nil },
 )
- ctx.Request.SetRequestURI("/auth/v1/")
+ ctx.Request.SetRequestURI("/auth/v1/-")
 handler(ctx.RequestCtx)
 assert.Equal(t, fasthttp.StatusBadRequest, ctx.Response.StatusCode())

From 030f10b122687ff7d81c499f01d3483fb70cfeef Mon Sep 17 00:00:00 2001
From: Taufan Adhitya
Date: Wed, 11 Sep 2024 19:31:20 +0700
Subject: [PATCH 08/13] test: bad request on non-segmented path

---
 controller_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/controller_test.go b/controller_test.go
index b1e8872e..55e0ea54 100644
--- a/controller_test.go
+++ b/controller_test.go
@@ -355,7 +355,7 @@ func TestAuthProxy_NotAllowedPath(t *testing.T) {
 func(resp *fasthttp.Response) error { return nil },
 )
- ctx.Request.SetRequestURI("/auth/v1/-")
+ ctx.Request.SetRequestURI("/auth/v1/://-invalid-ones")
 handler(ctx.RequestCtx)
 assert.Equal(t, fasthttp.StatusBadRequest, ctx.Response.StatusCode())

From 6bddc2f2158742a11ea7c94b6b9ad5631dccd9f9 Mon Sep 17 00:00:00 2001
From: Taufan Adhitya
Date: Wed, 11 Sep 2024 19:36:26 +0700
Subject: [PATCH 09/13] test: bad request on non-segmented path

---
 controller_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/controller_test.go b/controller_test.go
index 55e0ea54..6de12b6d 100644
--- a/controller_test.go
+++ b/controller_test.go
@@ -355,7 +355,7 @@ func TestAuthProxy_NotAllowedPath(t *testing.T) {
 func(resp *fasthttp.Response) error { return nil },
 )
- ctx.Request.SetRequestURI("/auth/v1/://-invalid-ones")
+ ctx.Request.SetRequestURI("/auth/v1/://invalid-url")
 handler(ctx.RequestCtx)
 assert.Equal(t, fasthttp.StatusBadRequest, ctx.Response.StatusCode())

From f153091a9f80a20dcd90e0e7d0faa880babd2ee6 Mon Sep 17 00:00:00 2001
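Review bot: The replacement inputs in [PATCH 07/13], [PATCH 08/13] and [PATCH 09/13] (`/-`, `/://-invalid-ones` and `/://invalid-url` under `/auth/v1`) are all accepted by `url.Parse` as relative references, because a string whose first byte is `/` is never scanned for a scheme, so none of them can reach the `StatusBadRequest` branch the unchanged assertion expects. Rather than iterating on request strings inside the proxy test, pin the parsing step on its own: a small table test over the sub-path extraction (plain path, path with query, path with an invalid percent-escape) would show directly which inputs fail `url.Parse` and keep the status-code assertion honest. TestAuthProxy_NotAllowedPath starts outside the hunk.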
From: Taufan Adhitya
Date: Wed, 11 Sep 2024 19:38:46 +0700
Subject: [PATCH 10/13] test: bad request on non-segmented path

---
 controller_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/controller_test.go b/controller_test.go
index 6de12b6d..1d8b4525 100644
--- a/controller_test.go
+++ b/controller_test.go
@@ -355,7 +355,7 @@ func TestAuthProxy_NotAllowedPath(t *testing.T) {
 func(resp *fasthttp.Response) error { return nil },
 )
- ctx.Request.SetRequestURI("/auth/v1/://invalid-url")
+ ctx.Request.SetRequestURI("/auth/v1/ %gh&%ij")
 handler(ctx.RequestCtx)
 assert.Equal(t, fasthttp.StatusBadRequest, ctx.Response.StatusCode())

From 7af753481e3fa90e53e9e85116c394812d2817d9 Mon Sep 17 00:00:00 2001
From: Taufan Adhitya
Date: Wed, 11 Sep 2024 19:41:08 +0700
Subject: [PATCH 11/13] test: bad request on non-segmented path

---
 controller_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/controller_test.go b/controller_test.go
index 1d8b4525..cba5d5e5 100644
--- a/controller_test.go
+++ b/controller_test.go
@@ -355,7 +355,7 @@ func TestAuthProxy_NotAllowedPath(t *testing.T) {
 func(resp *fasthttp.Response) error { return nil },
 )
- ctx.Request.SetRequestURI("/auth/v1/ %gh&%ij")
+ ctx.Request.SetRequestURI("/auth/v1/%zz_invalid_escape_sequence")
 handler(ctx.RequestCtx)
 assert.Equal(t, fasthttp.StatusBadRequest, ctx.Response.StatusCode())

From da24b82e07e1e6e1476998db4e66187a98cc95ee Mon Sep 17 00:00:00 2001
From: Taufan Adhitya
Date: Wed, 11 Sep 2024 19:43:42 +0700
Subject: [PATCH 12/13] test: bad request on non-segmented path

---
 controller_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/controller_test.go b/controller_test.go
index cba5d5e5..6bd91545 100644
--- a/controller_test.go
+++ b/controller_test.go
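Review bot: `/auth/v1/ %gh&%ij` in [PATCH 10/13] and `/auth/v1/%zz_invalid_escape_sequence` in [PATCH 11/13] carry percent-escapes that `url.Parse` itself rejects, so if the assertion still does not hold, the handler is presumably not receiving these bytes verbatim — most likely `paths[1]` is derived from a path the framework has already decoded or normalized, which is outside the hunk. Confirm what `paths[1]` holds under `mock.MockContext` before choosing further inputs; if AuthProxy is always handed a decoded path, the `url.Parse` error branch is effectively unreachable in production as well, and the test should target the behavior that is reachable (query stripping, not-found on an unknown first segment) instead. TestAuthProxy_NotAllowedPath starts outside the hunk.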
@@ -355,7 +355,7 @@ func TestAuthProxy_NotAllowedPath(t *testing.T) {
 func(resp *fasthttp.Response) error { return nil },
 )
- ctx.Request.SetRequestURI("/auth/v1/%zz_invalid_escape_sequence")
+ ctx.Request.SetRequestURI("/auth/v1/invalid\x00url")
 handler(ctx.RequestCtx)
 assert.Equal(t, fasthttp.StatusBadRequest, ctx.Response.StatusCode())

From d5d51577593e613e3866b6eec58036e4ac4b14ab Mon Sep 17 00:00:00 2001
From: Taufan Adhitya
Date: Wed, 11 Sep 2024 20:17:19 +0700
Subject: [PATCH 13/13] test: fix test

---
 controller.go | 9 +--------
 controller_test.go | 4 ----
 2 files changed, 1 insertion(+), 12 deletions(-)

diff --git a/controller.go b/controller.go
index 94b845c1..8dabedd9 100644
--- a/controller.go
+++ b/controller.go
@@ -755,14 +755,7 @@ func AuthProxy(
 // validate sub path
 forwardedPath := paths[1]
- parsedURL, err := url.Parse(forwardedPath)
- if err != nil {
- ctx.Response.SetStatusCode(fasthttp.StatusBadRequest)
- errResponse := "{ \"messages\": \"invalid request\"}"
- ctx.Response.SetBodyString(errResponse)
- return
- }
-
+ parsedURL, _ := url.Parse(forwardedPath)
 segments := strings.Split(strings.Trim(parsedURL.Path, "/"), "/")
 if _, exist := allowedAuthPathMap[segments[0]]; !exist {
 ctx.Response.SetStatusCode(fasthttp.StatusNotFound)
diff --git a/controller_test.go b/controller_test.go
index 6bd91545..9704033a 100644
--- a/controller_test.go
+++ b/controller_test.go
@@ -355,10 +355,6 @@ func TestAuthProxy_NotAllowedPath(t *testing.T) {
 func(resp *fasthttp.Response) error { return nil },
 )
- ctx.Request.SetRequestURI("/auth/v1/invalid\x00url")
- handler(ctx.RequestCtx)
- assert.Equal(t, fasthttp.StatusBadRequest, ctx.Response.StatusCode())
-
 ctx.Request.SetRequestURI("/auth/v1/anymore")
 handler(ctx.RequestCtx)
 assert.Equal(t, fasthttp.StatusNotFound, ctx.Response.StatusCode())
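Review bot: `parsedURL, _ := url.Parse(forwardedPath)` in the controller.go hunk of [PATCH 13/13] discards the error, and on error `url.Parse` returns a nil `*url.URL`, so the very next line `parsedURL.Path` dereferences nil and the handler panics instead of answering the request. That the test could not trigger this branch (the reason the bad-request assertion is removed in the controller_test.go hunk) is not a reason to drop the guard. Either keep the `if err != nil` branch, or stop using `url.Parse` here since it only serves to strip the query: `rawPath, _, _ := strings.Cut(forwardedPath, "?")` followed by `segments := strings.Split(strings.Trim(rawPath, "/"), "/")` leaves no error to discard; whether a fragment can still be present in `forwardedPath` is not visible here. AuthProxy's body starts and ends outside the hunk.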