From f844160fb773316022fd08bbf7706fa719018b95 Mon Sep 17 00:00:00 2001 From: Bogdan U Date: Sat, 16 Apr 2022 10:34:09 +0300 Subject: [PATCH] chore: security improvement (#203) --- .github/workflows/ci.yml | 2 +- swagger.go | 5 +++ swagger_test.go | 87 +++++++++++++++++----------------------- 3 files changed, 43 insertions(+), 51 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 17ebad4..808f9a6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,7 +10,7 @@ jobs: test: strategy: matrix: - go: [ '1.15.x', '1.16.x', '1.17.x' ] + go: [ '1.15.x', '1.16.x', '1.17.x', '1.18.x' ] runs-on: ubuntu-latest steps: - uses: actions/checkout@master diff --git a/swagger.go b/swagger.go index b3aceea..6178fa8 100644 --- a/swagger.go +++ b/swagger.go @@ -134,6 +134,11 @@ func CustomWrapHandler(config *Config, handler *webdav.Handler) gin.HandlerFunc var rexp = regexp.MustCompile(`(.*)(index\.html|doc\.json|favicon-16x16\.png|favicon-32x32\.png|/oauth2-redirect\.html|swagger-ui\.css|swagger-ui\.css\.map|swagger-ui\.js|swagger-ui\.js\.map|swagger-ui-bundle\.js|swagger-ui-bundle\.js\.map|swagger-ui-standalone-preset\.js|swagger-ui-standalone-preset\.js\.map)[\?|.]*`) return func(c *gin.Context) { + if c.Request.Method != http.MethodGet { + c.AbortWithStatus(http.StatusMethodNotAllowed) + return + } + matches := rexp.FindStringSubmatch(c.Request.RequestURI) if len(matches) != 3 { diff --git a/swagger_test.go b/swagger_test.go index 85a51da..3d998e8 100644 --- a/swagger_test.go +++ b/swagger_test.go @@ -1,6 +1,7 @@ package ginSwagger import ( + "net/http" "net/http/httptest" "os" "testing" 
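Review bot: The new early return in CustomWrapHandler answers 405 without an `Allow` header, which RFC 7231 requires on a 405 so clients can learn which methods the resource accepts; add `c.Header("Allow", http.MethodGet)` immediately before `c.AbortWithStatus(http.StatusMethodNotAllowed)`. The strict comparison against `http.MethodGet` also rejects HEAD and OPTIONS, so if that is intended a short comment such as `// only GET is served; HEAD and OPTIONS deliberately get 405 too` would keep the next maintainer from loosening it, and if it is not, `if c.Request.Method != http.MethodGet && c.Request.Method != http.MethodHead {` is the smaller change. Note that the guard only takes effect when the route is registered with `router.Any` (as the new test does); a `router.GET` registration never reaches it, which is worth a sentence in the function's doc comment. CustomWrapHandler's body starts and ends outside this hunk.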
@@ -26,43 +27,44 @@ func TestWrapHandler(t *testing.T) { router.GET("/*any", WrapHandler(swaggerFiles.Handler, URL("https://github.com/swaggo/gin-swagger"))) - w1 := performRequest("GET", "/index.html", router) - assert.Equal(t, 200, w1.Code) + assert.Equal(t, http.StatusOK, performRequest("GET", "/index.html", router).Code) } func TestWrapCustomHandler(t *testing.T) { gin.SetMode(gin.TestMode) router := gin.New() - router.GET("/*any", CustomWrapHandler(&Config{}, swaggerFiles.Handler)) + router.Any("/*any", CustomWrapHandler(&Config{}, swaggerFiles.Handler)) - w1 := performRequest("GET", "/index.html", router) - assert.Equal(t, 200, w1.Code) + w1 := performRequest(http.MethodGet, "/index.html", router) + assert.Equal(t, http.StatusOK, w1.Code) assert.Equal(t, w1.Header()["Content-Type"][0], "text/html; charset=utf-8") - w2 := performRequest("GET", "/doc.json", router) - assert.Equal(t, 500, w2.Code) + assert.Equal(t, http.StatusInternalServerError, performRequest(http.MethodGet, "/doc.json", router).Code) swag.Register(swag.Name, &mockedSwag{}) - w2 = performRequest("GET", "/doc.json", router) - assert.Equal(t, 200, w2.Code) + w2 := performRequest(http.MethodGet, "/doc.json", router) + assert.Equal(t, http.StatusOK, w2.Code) + assert.Equal(t, w2.Header()["Content-Type"][0], "application/json; charset=utf-8") - w3 := performRequest("GET", "/favicon-16x16.png", router) - assert.Equal(t, 200, w3.Code) + w3 := performRequest(http.MethodGet, "/favicon-16x16.png", router) + assert.Equal(t, http.StatusOK, w3.Code) assert.Equal(t, w3.Header()["Content-Type"][0], "image/png") - w4 := performRequest("GET", "/swagger-ui.css", router) - assert.Equal(t, 200, w4.Code) + w4 := performRequest(http.MethodGet, "/swagger-ui.css", router) + assert.Equal(t, http.StatusOK, w4.Code) assert.Equal(t, w4.Header()["Content-Type"][0], "text/css; charset=utf-8") - w5 := performRequest("GET", "/swagger-ui-bundle.js", router) - assert.Equal(t, 200, w5.Code) + w5 := 
performRequest(http.MethodGet, "/swagger-ui-bundle.js", router) + assert.Equal(t, http.StatusOK, w5.Code) assert.Equal(t, w5.Header()["Content-Type"][0], "application/javascript") - w6 := performRequest("GET", "/notfound", router) - assert.Equal(t, 404, w6.Code) + assert.Equal(t, http.StatusNotFound, performRequest(http.MethodGet, "/notfound", router).Code) + assert.Equal(t, http.StatusMethodNotAllowed, performRequest(http.MethodPost, "/index.html", router).Code) + + assert.Equal(t, http.StatusMethodNotAllowed, performRequest(http.MethodPut, "/index.html", router).Code) } func TestDisablingWrapHandler(t *testing.T) { 
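Review bot: The two new 405 assertions at the end of TestWrapCustomHandler cover POST and PUT only; because the handler in swagger.go compares the method strictly with `http.MethodGet`, a HEAD request is rejected as well, and that deserves an explicit assertion so the intended policy for safe methods is pinned down rather than implied. `assert.Equal(t, http.StatusMethodNotAllowed, performRequest(http.MethodHead, "/index.html", router).Code)` does it in one line. This is also the only test that registers the route with `router.Any`; the others still use `router.GET`, so the method guard is exercised here and nowhere else. The stray blank line between the POST and PUT assertions can go.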
@@ -73,33 +75,20 @@ func TestDisablingWrapHandler(t *testing.T) { router.GET("/simple/*any", DisablingWrapHandler(swaggerFiles.Handler, disablingKey)) - w1 := performRequest("GET", "/simple/index.html", router) - assert.Equal(t, 200, w1.Code) - - w2 := performRequest("GET", "/simple/doc.json", router) - assert.Equal(t, 200, w2.Code) - - w3 := performRequest("GET", "/simple/favicon-16x16.png", router) - assert.Equal(t, 200, w3.Code) + assert.Equal(t, http.StatusOK, performRequest(http.MethodGet, "/simple/index.html", router).Code) + assert.Equal(t, http.StatusOK, performRequest(http.MethodGet, "/simple/doc.json", router).Code) - w4 := performRequest("GET", "/simple/notfound", router) - assert.Equal(t, 404, w4.Code) + assert.Equal(t, http.StatusOK, performRequest(http.MethodGet, "/simple/favicon-16x16.png", router).Code) + assert.Equal(t, http.StatusNotFound, performRequest(http.MethodGet, "/simple/notfound", router).Code) _ = os.Setenv(disablingKey, "true") router.GET("/disabling/*any", DisablingWrapHandler(swaggerFiles.Handler, disablingKey)) - w11 := performRequest("GET", "/disabling/index.html", router) - assert.Equal(t, 404, w11.Code) - - w22 := performRequest("GET", "/disabling/doc.json", router) - assert.Equal(t, 404, w22.Code) - - w44 := performRequest("GET", "/disabling/oauth2-redirect.html", router) - assert.Equal(t, 404, w44.Code) - - w55 := performRequest("GET", "/disabling/notfound", router) - assert.Equal(t, 404, w55.Code) + assert.Equal(t, 404, performRequest(http.MethodGet, "/disabling/index.html", router).Code) + assert.Equal(t, 404, performRequest(http.MethodGet, "/disabling/doc.json", router).Code) + assert.Equal(t, 404, performRequest(http.MethodGet, "/disabling/oauth2-redirect.html", router).Code) + assert.Equal(t, 404, performRequest(http.MethodGet, "/disabling/notfound", router).Code) } func TestDisablingCustomWrapHandler(t *testing.T) { 
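Review bot: The four rewritten `/disabling/...` assertions in TestDisablingWrapHandler still use the literal `404` while every other assertion in this file, including `http.StatusNotFound` a few lines earlier in the same hunk, now uses the `net/http` constants; switch them, e.g. `assert.Equal(t, http.StatusNotFound, performRequest(http.MethodGet, "/disabling/index.html", router).Code)`. The blank line that used to separate the `/simple/favicon-16x16.png` and `/simple/notfound` cases now sits between `doc.json` and `favicon`, which looks accidental. TestDisablingWrapHandler starts before this hunk.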
@@ -110,15 +99,13 @@ func TestDisablingCustomWrapHandler(t *testing.T) { router.GET("/simple/*any", DisablingCustomWrapHandler(&Config{}, swaggerFiles.Handler, disablingKey)) - w1 := performRequest("GET", "/simple/index.html", router) - assert.Equal(t, 200, w1.Code) + assert.Equal(t, http.StatusOK, performRequest(http.MethodGet, "/simple/index.html", router).Code) _ = os.Setenv(disablingKey, "true") router.GET("/disabling/*any", DisablingCustomWrapHandler(&Config{}, swaggerFiles.Handler, disablingKey)) - w11 := performRequest("GET", "/disabling/index.html", router) - assert.Equal(t, 404, w11.Code) + assert.Equal(t, http.StatusNotFound, performRequest(http.MethodGet, "/disabling/index.html", router).Code) } func TestWithGzipMiddleware(t *testing.T) { @@ -129,20 +116,20 @@ func TestWithGzipMiddleware(t *testing.T) { router.GET("/*any", WrapHandler(swaggerFiles.Handler)) - w1 := performRequest("GET", "/index.html", router) - assert.Equal(t, 200, w1.Code) + w1 := performRequest(http.MethodGet, "/index.html", router) + assert.Equal(t, http.StatusOK, w1.Code) assert.Equal(t, w1.Header()["Content-Type"][0], "text/html; charset=utf-8") - w2 := performRequest("GET", "/swagger-ui.css", router) - assert.Equal(t, 200, w2.Code) + w2 := performRequest(http.MethodGet, "/swagger-ui.css", router) + assert.Equal(t, http.StatusOK, w2.Code) assert.Equal(t, w2.Header()["Content-Type"][0], "text/css; charset=utf-8") - w3 := performRequest("GET", "/swagger-ui-bundle.js", router) - assert.Equal(t, 200, w3.Code) + w3 := performRequest(http.MethodGet, "/swagger-ui-bundle.js", router) + assert.Equal(t, http.StatusOK, w3.Code) assert.Equal(t, w3.Header()["Content-Type"][0], "application/javascript") - w4 := performRequest("GET", "/doc.json", router) - assert.Equal(t, 200, w4.Code) + w4 := performRequest(http.MethodGet, "/doc.json", router) + assert.Equal(t, http.StatusOK, w4.Code) assert.Equal(t, w4.Header()["Content-Type"][0], "application/json; charset=utf-8") }