rewrite: Add option to force modifying the query #5438

Open
wants to merge 1 commit into
base: master

francislavoie
Member

Fix #5208

When a user wants to rewrite the URI, if they use a placeholder which might contain both the path and query, currently only the path portion of the placeholder will be used and the query is discarded.

This isn't ideal when the placeholder input comes from, for example, a response header from upstream when doing X-Accel-Redirect style intercepting of the response.

To work around this, we can add an option to force-enable query modifications, essentially marking the configured placeholder input as "trusted" in the sense that it's expected to contain a valid query part and not an injected ? via URL encoding.

I'm not sure the implementation is completely correct. There's a test case I'm not quite sure how we want to handle, i.e. the placeholder only having a query and no path. Is that something we care to support? If not I can remove that TODO comment.
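
A simplified model of the behaviour described above, added as an example; it is not Caddy's code or the code in this pull request. The function name `rewriteURI`, the `spanQuery` flag and the sample values are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// rewriteURI is a simplified, hypothetical model of a URI rewrite; it is not
// Caddy's implementation. template is the configured target, repl expands
// placeholders, reqQuery is the query already on the request.
func rewriteURI(template string, repl *strings.Replacer, reqQuery string, spanQuery bool) (path, query string) {
	tplPath, tplQuery, literalQ := strings.Cut(template, "?")
	path, query = repl.Replace(tplPath), reqQuery
	if literalQ {
		// A '?' written in the config always marks the query boundary.
		query = repl.Replace(tplQuery)
	}
	// A '?' that only appears after expansion came from the placeholder value.
	if before, after, found := strings.Cut(path, "?"); found {
		path = before
		if spanQuery && !literalQ {
			query = after // opt-in: the value is trusted to carry a query
		}
		// default: the value's query part is discarded
	}
	return path, query
}

func main() {
	// Constructed sample values.
	upstream := strings.NewReplacer("{redirect}", "/files/report.pdf?token=abc")
	// Client requested /download/a.txt%3Fadmin=1; the decoded path holds a '?'.
	client := strings.NewReplacer("{path}", "/download/a.txt?admin=1")

	for _, span := range []bool{false, true} {
		p, q := rewriteURI("{redirect}", upstream, "page=2", span)
		fmt.Printf("upstream header  span=%-5v path=%s query=%s\n", span, p, q)
		p, q = rewriteURI("/internal{path}", client, "page=2", span)
		fmt.Printf("client path      span=%-5v path=%s query=%s\n", span, p, q)
	}
}
```

With the flag off, both values lose their query part and the request keeps `page=2`; with it on, the upstream header's `token=abc` is honoured, and so is the client-supplied `admin=1`, which is why the option only fits placeholders the client cannot influence.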

@mholt
Member

mholt commented May 11, 2023

Thanks for proposing this Francis, I'll try to get around to reviewing this soon. (Sorry for the delay. I'm also curious about this versus #5504)

@mholt mholt modified the milestones: v2.7.0, v2.8.0 May 13, 2023
@mholt mholt modified the milestones: v2.8.0, 2.9.0 Aug 7, 2023
Member

@mholt mholt left a comment

This LGTM, but I have a nit regarding the naming 🙃

// only the path would be rewritten because the placeholder itself
// does not contain a '?' character. Only use this if the placeholder
// is trusted to not be vulnerable to query injections.
ModifyQuery bool `json:"modify_query,omitempty"`
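
Review bot: the doc comment above `ModifyQuery` says to use it only when the placeholder "is trusted to not be vulnerable to query injections" but does not say what makes a placeholder trusted. Suggest naming the condition directly, for example that the expanded value must not come from the client's request, since the concern stated in the PR description is a `?` injected via URL encoding. The `json:"modify_query,omitempty"` tag also fixes the config key, so the field name should be settled before this merges.
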
Member

What if we call this SpanComponents or something a little more precise? It looks like what this change really does is make a single placeholder able to span URI components.

Member Author

That makes me think of a <span> JS component. That name doesn't bring any mental association to what it does to me.

Member

Hmm. I mean, obviously this is a backend context (a rewrite middleware) where we're talking about the URI... but I can see why you'd have that correlation.

What about AllowExpansion or something?

@mholt mholt modified the milestones: v2.9.0-beta.1, v2.9.0-beta.2 Oct 2, 2024
@mholt mholt modified the milestones: v2.9.0-beta.3, v2.9.0-beta.4 Nov 1, 2024
@mholt mholt modified the milestones: v2.9.0-beta.4, v2.10.0-beta.1 Dec 23, 2024
Labels
feature ⚙️ New feature or request
Development

Successfully merging this pull request may close these issues.

X-Accel-Redirect setup doesn't work due to strange behavior of rewrite
2 participants