Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

eoshttp: explicitely quote # sign. Url parsing review #4305

Closed
wants to merge 1 commit into from
Closed
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
47 changes: 27 additions & 20 deletions pkg/eosclient/eosgrpc/eoshttp.go
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@
"net/url"
"os"
"strconv"
"strings"
"time"

"github.com/cs3org/reva/pkg/appctx"
Expand Down Expand Up @@ -232,33 +233,36 @@
return errtypes.InternalError("Err from EOS: " + rspdesc(rsp))
}

// From the basepath and the file path... build an url.
// From the basepath and the file path... build an url

Check failure on line 236 in pkg/eosclient/eosgrpc/eoshttp.go

View workflow job for this annotation

GitHub Actions / lint

Comment should end in a period (godot)

Check failure on line 236 in pkg/eosclient/eosgrpc/eoshttp.go

View workflow job for this annotation

GitHub Actions / lint

Comment should end in a period (godot)
func (c *EOSHTTPClient) buildFullURL(urlpath string, auth eosclient.Authorization) (string, error) {
u, err := url.Parse(c.opt.BaseURL)
if err != nil {
return "", err
}

u, err = u.Parse(url.PathEscape(urlpath))
if err != nil {
return "", err
// Prohibit malicious users from injecting a false uid/gid into the url
pos := strings.Index(urlpath, "?")
if pos >= 0 {
if strings.Index(urlpath, "eos.ruid") > pos || strings.Index(urlpath, "eos.rgid") > pos {
return "", errtypes.PermissionDenied("Illegal malicious url " + urlpath)
}
}

// Prohibit malicious users from injecting a false uid/gid into the url
v := u.Query()
if v.Get("eos.ruid") != "" || v.Get("eos.rgid") != "" {
return "", errtypes.PermissionDenied("Illegal malicious url " + urlpath)
fullurl := strings.TrimRight(c.opt.BaseURL, "/")
fullurl += "/"
fullurl += strings.TrimLeft(urlpath, "/")

if pos < 0 {
fullurl += "?"
}

if len(auth.Role.UID) > 0 {
v.Set("eos.ruid", auth.Role.UID)
if auth.Role.UID != "" {
fullurl += fmt.Sprintf("eos.ruid=%s&eos.rgid=%s", auth.Role.UID, auth.Role.GID)
}
if len(auth.Role.GID) > 0 {
v.Set("eos.rgid", auth.Role.GID)

u, err := url.Parse(fullurl)
if err != nil {
return "", errtypes.PermissionDenied("Could not parse url " + urlpath)
}

u.RawQuery = v.Encode()
return u.String(), nil
final := strings.ReplaceAll(u.String(), "#", "%23")
return final, nil
}

// GETFile does an entire GET to download a full file. Returns a stream to read the content from.
Expand All @@ -272,6 +276,7 @@
log.Error().Str("func", "GETFile").Str("url", finalurl).Str("err", err.Error()).Msg("can't create request")
return nil, err
}
log.Debug().Str("func", "GETFile").Str("url", finalurl).Msg("")
req, err := http.NewRequestWithContext(ctx, http.MethodGet, finalurl, nil)
if err != nil {
log.Error().Str("func", "GETFile").Str("url", finalurl).Str("err", err.Error()).Msg("can't create request")
Expand All @@ -293,7 +298,7 @@
}

// Execute the request. I don't like that there is no explicit timeout or buffer control on the input stream
log.Debug().Str("func", "GETFile").Msg("sending req")
log.Debug().Str("func", "GETFile").Str("finalurl", finalurl).Msg("sending req")

resp, err := c.doReq(req, remoteuser)

Expand All @@ -308,7 +313,9 @@
return nil, err
}

req, err = http.NewRequestWithContext(ctx, http.MethodGet, loc.String(), nil)
// Very special case for eos file versions
final := strings.ReplaceAll(loc.String(), "#", "%23")
req, err = http.NewRequestWithContext(ctx, http.MethodGet, final, nil)
if err != nil {
log.Error().Str("func", "GETFile").Str("url", loc.String()).Str("err", err.Error()).Msg("can't create redirected request")
return nil, err
Expand Down
Loading