-
-
Notifications
You must be signed in to change notification settings - Fork 4.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
rewrite: Add option to force modifying the query #5438
base: master
Are you sure you want to change the base?
Conversation
Thanks for proposing this Francis, I'll try to get around to reviewing this soon. (Sorry for the delay. I'm also curious about this versus #5504) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This LGTM, but I have a nit regarding the naming 🙃
// only the path would be rewritten because the placeholder itself | ||
// does not contain a '?' character. Only use this if the placeholder | ||
// is trusted to not be vulnerable to query injections. | ||
ModifyQuery bool `json:"modify_query,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What if we call this SpanComponents
or something a little more precise? It looks like what this change really does is make a single placeholder able to span URI components.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That makes me think of a <span>
JS component. That name doesn't bring any mental association to what it does to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm. I mean, obviously this is a backend context (a rewrite middleware) where we're talking about the URI... but I can see why you'd have that correlation.
What about AllowExpansion
or something?
Fix #5208
When a user wants to rewrite the URI, if they use a placeholder which might contain both the path and query, currently only the path portion of the placeholder will be used and the query is discarded.
This isn't ideal when the placeholder input comes from, for example, a response header from upstream when doing
X-Accel-Redirect
style intercepting of the response.To work around this, we can add an option to force-enable query modifications, essentially marking the configured placeholder input as "trusted" in the sense that it's expected to contain a valid query part and not an injected
?
via URL encoding.I'm not sure the implementation is completely correct. There's a test case I'm not quite sure how we want to handle, i.e. the placeholder only having a query and no path. Is that something we care to support? If not I can remove that
TODO
comment.