fix: filters not properly protected

DblK · Dec 29, 2021 · 19372a5 · 19372a5
1 parent 0a19121
commit 19372a5
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/security.go b/security.go
@@ -23,7 +23,13 @@ func tinfoilMiddleware(next http.Handler) http.Handler {
 			return
 		}
 
-		if r.RequestURI == "/" || utils.IsValidFilter(r.RequestURI[1:]) {
+		// Remove pending "/" if exists
+		actualPath := r.RequestURI[1:]
+		if r.RequestURI[len(r.RequestURI)-1:] == "/" {
+			actualPath = r.RequestURI[1 : len(r.RequestURI)-1]
+		}
+
+		if r.RequestURI == "/" || utils.IsValidFilter(actualPath) {
 			// Check for blacklist/whitelist
 			var uid = strings.Join(headers["Uid"], "")
 			if config.GetConfig().IsBlacklisted(uid) {

diff --git a/utils/utils_test.go b/utils/utils_test.go
@@ -191,15 +191,27 @@ var _ = Describe("Utils", func() {
 		It("Test multi", func() {
 			Expect(utils.IsValidFilter("multi")).To(BeTrue())
 		})
+		It("Test multi (with pending slash)", func() {
+			Expect(utils.IsValidFilter("multi/")).To(BeFalse())
+		})
 		It("Test multi (multi case)", func() {
 			Expect(utils.IsValidFilter("muLtI")).To(BeTrue())
 		})
+		It("Test multi (multi case)", func() {
+			Expect(utils.IsValidFilter("muLtI/")).To(BeFalse())
+		})
 		It("Test world", func() {
 			Expect(utils.IsValidFilter("world")).To(BeTrue())
 		})
+		It("Test world (with pending slash)", func() {
+			Expect(utils.IsValidFilter("world/")).To(BeFalse())
+		})
 		It("Test fr (lowercase)", func() {
 			Expect(utils.IsValidFilter("fr")).To(BeTrue())
 		})
+		It("Test fr (lowercase & with pending slash)", func() {
+			Expect(utils.IsValidFilter("fr/")).To(BeFalse())
+		})
 		It("Test FR (uppercase)", func() {
 			Expect(utils.IsValidFilter("FR")).To(BeTrue())
 		})