gin icon indicating copy to clipboard operation
gin copied to clipboard

Published 20 hours ago verified publisher icon gin-gonic

Prevent multiples encodings in path parameters

Open matheus-meneses opened this issue 2 years ago • 6 comments

Hi guys, I've opened this PR to prevent multiples encodings in path parameters. It solves some security problems about path transversal and multiples encodings.

matheus-meneses avatar Apr 13 '22 23:04 matheus-meneses

About the problem:

Imagine if you have the request path.

https://myhost.com/api/cities/:zipcode

It will be hosted by a reverse proxy using a gin engine that delegates the given request to a destination.

Now imagine that the application receives a request like that:

curl -ivk \
$'https://myhost.com/api/cities/anything%c00%25252f..%25252f..%25252f..%25252f..%25252f..%25252fanything%25252fv1%25252fenv%2523'

After the first decode, as gin does, the given URL will be:

https://myhost.com/api/cities/%252f..%252f..%252f..%252f..%252f..%252fanything%252fv1%252fenv%23

Note that the pattern is correct, but the path was not fully decoded, the PR allows gin decode this kind of request.

matheus-meneses avatar Apr 18 '22 19:04 matheus-meneses

Anyone?

matheus-meneses avatar Apr 20 '22 18:04 matheus-meneses

Guys?

matheus-meneses avatar Jun 20 '22 20:06 matheus-meneses

Is this related to https://github.com/gin-gonic/gin/issues/2047

rcollette avatar Dec 05 '22 14:12 rcollette

Is this related to

https://github.com/gin-gonic/gin/issues/2047

Still waiting

matheus-meneses avatar Dec 05 '22 16:12 matheus-meneses