From 82b6c33c2554616ef056e24fab4bb7baceaf47fc Mon Sep 17 00:00:00 2001 From: Manuel de Brito Fontes Date: Thu, 5 Apr 2018 20:21:35 -0300 Subject: [PATCH] Escape variables in add-base-url annotation --- .../ingress/controller/template/template.go | 38 ++++--- .../controller/template/template_test.go | 100 ++++++++++-------- 2 files changed, 76 insertions(+), 62 deletions(-) diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go index d38eb377e6..39f6006c68 100644 --- a/internal/ingress/controller/template/template.go +++ b/internal/ingress/controller/template/template.go @@ -366,39 +366,43 @@ func buildProxyPass(host string, b interface{}, loc interface{}, dynamicConfigur } if len(location.Rewrite.Target) > 0 { - abu := "" + var abu string + var xForwardedPrefix string + if location.Rewrite.AddBaseURL { // path has a slash suffix, so that it can be connected with baseuri directly - bPath := fmt.Sprintf("%s%s", path, "$baseuri") + bPath := fmt.Sprintf("%s$escaped_base_uri", path) regex := `(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)` + scheme := "$scheme" + if len(location.Rewrite.BaseURLScheme) > 0 { - abu = fmt.Sprintf(`subs_filter '%v' '$1' ro; - `, regex, location.Rewrite.BaseURLScheme, bPath) - } else { - abu = fmt.Sprintf(`subs_filter '%v' '$1' ro; - `, regex, bPath) + scheme = location.Rewrite.BaseURLScheme } + + abu = fmt.Sprintf(` +set_escape_uri $escaped_base_uri $baseuri; +subs_filter '%v' '$1' ro; +`, regex, scheme, bPath) } - xForwardedPrefix := "" if location.XForwardedPrefix { - xForwardedPrefix = fmt.Sprintf(`proxy_set_header X-Forwarded-Prefix "%s"; - `, path) + xForwardedPrefix = fmt.Sprintf("proxy_set_header X-Forwarded-Prefix \"%s\";\n", path) } + if location.Rewrite.Target == slash { // special case redirect to / // ie /something to / return fmt.Sprintf(` - rewrite %s(.*) /$1 break; - rewrite %s / break; - %v%v %s://%s; - %v`, path, location.Path, xForwardedPrefix, proxyPass, proto, upstreamName, abu) +rewrite %s(.*) /$1 break; +rewrite %s / break; +%v%v %s://%s; +%v`, path, location.Path, xForwardedPrefix, proxyPass, proto, upstreamName, abu) } return fmt.Sprintf(` - rewrite %s(.*) %s/$1 break; - %v%v %s://%s; - %v`, path, location.Rewrite.Target, xForwardedPrefix, proxyPass, proto, upstreamName, abu) +rewrite %s(.*) %s/$1 break; +%v%v %s://%s; +%v`, path, location.Rewrite.Target, xForwardedPrefix, proxyPass, proto, upstreamName, abu) } // default proxy_pass diff --git a/internal/ingress/controller/template/template_test.go b/internal/ingress/controller/template/template_test.go index 8f76be9754..7582fbc1df 100644 --- a/internal/ingress/controller/template/template_test.go +++ b/internal/ingress/controller/template/template_test.go @@ -121,9 +121,9 @@ var ( "/jenkins", "~* /", ` - rewrite /(.*) /jenkins/$1 break; - proxy_pass http://upstream-name; - `, +rewrite /(.*) /jenkins/$1 break; +proxy_pass http://upstream-name; +`, false, "", false, @@ -135,10 +135,10 @@ var ( "/", `~* ^/something\/?(?.*)`, ` - rewrite /something/(.*) /$1 break; - rewrite /something / break; - proxy_pass http://upstream-name; - `, +rewrite /something/(.*) /$1 break; +rewrite /something / break; +proxy_pass http://upstream-name; +`, false, "", false, @@ -150,9 +150,9 @@ var ( "/not-root", "~* ^/end-with-slash/(?.*)", ` - rewrite /end-with-slash/(.*) /not-root/$1 break; - proxy_pass http://upstream-name; - `, +rewrite /end-with-slash/(.*) /not-root/$1 break; +proxy_pass http://upstream-name; +`, false, "", false, @@ -164,9 +164,9 @@ var ( "/not-root", `~* ^/something-complex\/?(?.*)`, ` - rewrite /something-complex/(.*) /not-root/$1 break; - proxy_pass http://upstream-name; - `, +rewrite /something-complex/(.*) /not-root/$1 break; +proxy_pass http://upstream-name; +`, false, "", false, @@ -178,10 +178,12 @@ var ( "/jenkins", "~* /", ` - rewrite /(.*) /jenkins/$1 break; - proxy_pass http://upstream-name; - subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1' ro; - `, +rewrite /(.*) /jenkins/$1 break; +proxy_pass http://upstream-name; + +set_escape_uri $escaped_base_uri $baseuri; +subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1' ro; +`, true, "", false, @@ -193,11 +195,13 @@ var ( "/", `~* ^/something\/?(?.*)`, ` - rewrite /something/(.*) /$1 break; - rewrite /something / break; - proxy_pass http://upstream-name; - subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1' ro; - `, +rewrite /something/(.*) /$1 break; +rewrite /something / break; +proxy_pass http://upstream-name; + +set_escape_uri $escaped_base_uri $baseuri; +subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1' ro; +`, true, "", false, @@ -209,10 +213,12 @@ var ( "/not-root", `~* ^/end-with-slash/(?.*)`, ` - rewrite /end-with-slash/(.*) /not-root/$1 break; - proxy_pass http://upstream-name; - subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1' ro; - `, +rewrite /end-with-slash/(.*) /not-root/$1 break; +proxy_pass http://upstream-name; + +set_escape_uri $escaped_base_uri $baseuri; +subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1' ro; +`, true, "", false, @@ -224,10 +230,12 @@ var ( "/not-root", `~* ^/something-complex\/?(?.*)`, ` - rewrite /something-complex/(.*) /not-root/$1 break; - proxy_pass http://upstream-name; - subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1' ro; - `, +rewrite /something-complex/(.*) /not-root/$1 break; +proxy_pass http://upstream-name; + +set_escape_uri $escaped_base_uri $baseuri; +subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1' ro; +`, true, "", false, @@ -239,11 +247,13 @@ var ( "/", `~* ^/something\/?(?.*)`, ` - rewrite /something/(.*) /$1 break; - rewrite /something / break; - proxy_pass http://upstream-name; - subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1' ro; - `, +rewrite /something/(.*) /$1 break; +rewrite /something / break; +proxy_pass http://upstream-name; + +set_escape_uri $escaped_base_uri $baseuri; +subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1' ro; +`, true, "http", false, @@ -255,9 +265,9 @@ var ( "/something", `~* /`, ` - rewrite /(.*) /something/$1 break; - proxy_pass http://sticky-upstream-name; - `, +rewrite /(.*) /something/$1 break; +proxy_pass http://sticky-upstream-name; +`, false, "http", true, @@ -269,9 +279,9 @@ var ( "/something", `~* /`, ` - rewrite /(.*) /something/$1 break; - proxy_pass http://upstream_balancer; - `, +rewrite /(.*) /something/$1 break; +proxy_pass http://upstream_balancer; +`, false, "http", true, @@ -283,10 +293,10 @@ var ( "/something", `~* ^/there\/?(?.*)`, ` - rewrite /there/(.*) /something/$1 break; - proxy_set_header X-Forwarded-Prefix "/there/"; - proxy_pass http://sticky-upstream-name; - `, +rewrite /there/(.*) /something/$1 break; +proxy_set_header X-Forwarded-Prefix "/there/"; +proxy_pass http://sticky-upstream-name; +`, false, "http", true,