From addf40b731049fc83e682052ae483ac7f4bcd7d7 Mon Sep 17 00:00:00 2001
From: Ramana Reddy
Date: Wed, 19 Jul 2023 22:40:08 +0530
Subject: [PATCH] fix removing double slash prefix in raw req path
---
 v2/pkg/protocols/http/raw/raw.go | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/v2/pkg/protocols/http/raw/raw.go b/v2/pkg/protocols/http/raw/raw.go
index 46a6b562a7..f313542be4 100644
--- a/v2/pkg/protocols/http/raw/raw.go
+++ b/v2/pkg/protocols/http/raw/raw.go
@@ -32,6 +32,18 @@ func Parse(request string, inputURL *urlutil.URL, unsafe, disablePathAutomerge b
 return nil, err
 }
 
+ // edge case for double slash in path
+ // uri part in raw req '//CFIDE/wizards/common/utils.cfc' (valid uri without scheme)
+ // for ^ex url.Parse results in scheme="",host="CFIDE",path="/wizards/common/utils.cfc"
+ startWithDoubleSlash := strings.HasPrefix(rawrequest.Path, "//")
+ _, hasHost := rawrequest.Headers["Host"]
+ var pathPrefix string
+ if startWithDoubleSlash && hasHost {
+ if u, err := urlutil.Parse(rawrequest.Path); err == nil && u.Host != "" {
+ pathPrefix = "//" + u.Host
+ }
+ }
+
 switch {
 // If path is empty do not tamper input url (see doc)
 // can be omitted but makes things clear
@@ -83,7 +95,7 @@ func Parse(request string, inputURL *urlutil.URL, unsafe, disablePathAutomerge b
 }
 unsafeRelativePath = cloned.GetRelativePath()
 }
- rawrequest.Path = cloned.GetRelativePath()
+ rawrequest.Path = pathPrefix + cloned.GetRelativePath()
 rawrequest.UnsafeRawBytes = bytes.Replace(rawrequest.UnsafeRawBytes, []byte(prevPath), []byte(unsafeRelativePath), 1)
 
 default:
@@ -95,7 +107,7 @@ func Parse(request string, inputURL *urlutil.URL, unsafe, disablePathAutomerge b
 if parseErr != nil {
 return nil, errorutil.NewWithTag("raw", "could not automergepath for template path %v", rawrequest.Path).Wrap(parseErr)
 }
- rawrequest.Path = cloned.GetRelativePath()
+ rawrequest.Path = pathPrefix + cloned.GetRelativePath()
 }
 
 if !unsafe {
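Review bot: The `rawrequest.Headers["Host"]` lookup in the new guard is an exact-case map access, so if the raw-request parser keeps header names as the template wrote them (not visible in this hunk), a template using `host:` skips the fix and the leading `//CFIDE` segment is still dropped. A parse error or an empty `u.Host` also leaves `pathPrefix` empty with no log or error, so the scanner would quietly request a different path than the template author wrote and could report a false negative. The comment should say why the Host header gates the prefix, for example `// only keep //seg as path when the template sets its own Host; otherwise //seg may be a real authority` if that is the intent. The commit touches one file and adds no test; a regression case for `//CFIDE/wizards/common/utils.cfc` would pin the behaviour. Parse begins before and continues after this hunk.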
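Review bot: In the second hunk only `rawrequest.Path` receives `pathPrefix`; the `bytes.Replace` on the following line still rewrites `UnsafeRawBytes` with `unsafeRelativePath`, which the context line above sets from `cloned.GetRelativePath()` without the prefix. If `prevPath` holds the original `//host/...` path, the bytes sent in unsafe mode would still lose the first segment, so `Path` and `UnsafeRawBytes` describe different requests. Consider assigning `unsafeRelativePath = pathPrefix + cloned.GetRelativePath()` at that context line so both representations agree. The other branch that sets `unsafeRelativePath` is outside this hunk and should be checked the same way.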