
index out of range panic on bad URLs

Open · arussellsaw opened this issue 2 years ago · 1 comment

👋 hello!

We often see panics coming from our router when we get hit by people vuln-scanning our app. We use lookupFunc to serve our frontend if no backend routes match. I think we're just missing a range check before evaluating.

an example URL that panics: GET /images/../cgi/cgi_i_filter.js

Here's the rough shape of our setup:

```go
package spa

import (
	"net/http"

	// import paths assumed from the identifiers used in the snippet
	"github.com/dimfeld/httptreemux/v5"
	"github.com/gin-contrib/static"
)

// LookupFunc is associated with a mux router. It permits querying the router to see if it
// can respond to a request.
type LookupFunc func(w http.ResponseWriter, r *http.Request) (httptreemux.LookupResult, bool)

func SinglePageApp(urlPrefix, dirPath string, includeSourcemaps bool) func(h http.Handler, lookupFunc LookupFunc) http.Handler {
	fs := static.LocalFile(dirPath, true)
	fileserver := http.FileServer(fs)
	if urlPrefix != "" {
		fileserver = http.StripPrefix(urlPrefix, fileserver)
	}

	return func(h http.Handler, lookupFunc LookupFunc) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			// If we have an official route for this request, we should skip our handler. We
			// only run when we can't find a match.
			if _, found := lookupFunc(w, r); found {
				h.ServeHTTP(w, r)
				return
			}

			// Unknown paths fall back to the SPA entry point.
			if !fs.Exists(urlPrefix, r.URL.Path) {
				r.URL.Path = "/"
			}
			// serving the SPA goes here
			fileserver.ServeHTTP(w, r)
		})
	}
}
```

thanks! 🙏

arussellsaw avatar Oct 05 '22 08:10 arussellsaw
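A defender-side way to contain the symptom described in the report, added here as an example that is not code from the issue or from httptreemux: a recovering middleware that turns a panic raised during lookup into a logged 500 instead of a dropped connection, plus a `path.Clean` normalization step for dot segments. `fragileLookup` is a constructed stand-in for the real router lookup, and the listen address in `main` is an assumption.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// recoverPanics turns a panic raised while routing (e.g. by a scanner URL) into a logged 500.
func recoverPanics(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if rec := recover(); rec != nil {
				log.Printf("panic serving %s %q: %v", r.Method, r.URL.Path, rec)
				http.Error(w, "internal server error", http.StatusInternalServerError)
			}
		}()
		next.ServeHTTP(w, r)
	})
}

// cleanPath resolves dot segments before a path reaches the lookup, so
// "/images/../cgi/x.js" is seen as "/cgi/x.js".
func cleanPath(p string) string {
	return path.Clean("/" + strings.TrimPrefix(p, "/"))
}

// fragileLookup is a constructed stand-in for the router lookup: a raw ".." segment makes it index out of range.
func fragileLookup(w http.ResponseWriter, r *http.Request) {
	if strings.Contains(r.URL.Path, "..") {
		segs := strings.Split(r.URL.Path, "/")
		_ = segs[len(segs)] // panics: index out of range
	}
	w.WriteHeader(http.StatusOK)
}

// statusFor sends one GET for url through h and returns the status code.
func statusFor(h http.Handler, url string) int {
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, httptest.NewRequest(http.MethodGet, url, nil))
	return rr.Code
}

func main() {
	h := recoverPanics(http.HandlerFunc(fragileLookup))
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", h))
}
```

Without the wrapper, net/http still recovers the goroutine and logs the panic, but the client gets a closed connection and you lose the chance to attach request context to the log line.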

If you can come up with a reproducible test case I can take a look at it.

dimfeld avatar Oct 06 '22 06:10 dimfeld