Posted to commits@servicecomb.apache.org by ti...@apache.org on 2020/12/19 12:49:16 UTC
[servicecomb-service-center] branch master updated: SCB-2094 Fix
Security Vulnerability - Directory Traversal (#788)
This is an automated email from the ASF dual-hosted git repository.
tianxiaoliang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/servicecomb-service-center.git
The following commit(s) were added to refs/heads/master by this push:
new f4f44fe SCB-2094 Fix Security Vulnerability - Directory Traversal (#788)
f4f44fe is described below
commit f4f44fe5d4a7e530ca8ee7c6f2c9e891ae8353c9
Author: little-cui <su...@qq.com>
AuthorDate: Sat Dec 19 20:49:07 2020 +0800
SCB-2094 Fix Security Vulnerability - Directory Traversal (#788)
---
frontend/server_test.go | 44 +++++++++++++++++++++++++++++---------------
go.mod | 3 +--
2 files changed, 30 insertions(+), 17 deletions(-)
diff --git a/frontend/server_test.go b/frontend/server_test.go
index 6ed0db2..5ed2b1d 100644
--- a/frontend/server_test.go
+++ b/frontend/server_test.go
@@ -17,12 +17,13 @@
package main
import (
+ "github.com/stretchr/testify/assert"
"io/ioutil"
"net/http"
"sync"
"testing"
- "github.com/labstack/echo"
+ "github.com/labstack/echo/v4"
)
const (
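Review bot: The new `"github.com/stretchr/testify/assert"` import is placed inside the standard-library group ahead of `"io/ioutil"`, while the other third-party import, `"github.com/labstack/echo/v4"`, sits in its own group below; `goimports` keeps stdlib first and third-party modules together after a blank line, so the testify line belongs next to the echo import. Moving it avoids a formatting-only churn the next time someone runs `goimports` on this file. The hunk ends at the opening of the `const` block, which continues outside it.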
@@ -46,13 +47,9 @@ func TestStatic(t *testing.T) {
wg.Wait()
res, err := http.Get("http://" + FrontAddr)
- if err != nil {
- t.Errorf("Error accessing frontend: %s", err)
- }
- if res.StatusCode != http.StatusOK {
- t.Errorf("Expected http %d, got %d", http.StatusOK, res.StatusCode)
- }
-
+ assert.NoError(t, err, "Error accessing frontend: %s", err)
+ assert.Equal(t, http.StatusOK, res.StatusCode, "Expected http %d, got %d", http.StatusOK, res.StatusCode)
+ _ = res.Body.Close()
}
func TestSCProxy(t *testing.T) {
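Review bot: `res.StatusCode` on the line after `assert.NoError` dereferences a nil `*http.Response` when the GET fails, because the `assert` family records the failure and keeps executing; the replaced `if err != nil { t.Errorf(...) }` had the same gap, but the rewrite is the place to close it. Either guard on the returned bool, `if !assert.NoError(t, err, "Error accessing frontend: %s", err) { return }`, or use `require.NoError`, which calls `t.FailNow`. The same sequence appears in TestSCProxy in the next hunk and in TestDirectoryTraversal in the last hunk of this file. TestStatic's body begins before this hunk.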
@@ -68,17 +65,14 @@ func TestSCProxy(t *testing.T) {
return c.String(http.StatusOK, greeting)
})
wg.Done()
- e.Start(SCAddr)
+ _ = e.Start(SCAddr)
}()
wg.Wait()
res, err := http.Get("http://" + FrontAddr + "/sc/sayHi")
- if err != nil {
- t.Errorf("Error accessing sc proxy: %s", err)
- }
- if res.StatusCode != http.StatusOK {
- t.Errorf("Expected http %d, got %d", http.StatusOK, res.StatusCode)
- }
+ assert.NoError(t, err, "Error accessing sc proxy: %s", err)
+ assert.Equal(t, http.StatusOK, res.StatusCode, "Expected http %d, got %d", http.StatusOK, res.StatusCode)
+ defer res.Body.Close()
body, err := ioutil.ReadAll(res.Body)
if err != nil {
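Review bot: The body is released with `defer res.Body.Close()` here but with an explicit `_ = res.Body.Close()` at the end of TestStatic and TestDirectoryTraversal in the other hunks of this file; the three tests now read as if written by different people, and the bare `defer res.Body.Close()` is the form `errcheck`-style linters flag while the `_ =` form is the one the commit otherwise chose. Pick one idiom for all three, for example `defer func() { _ = res.Body.Close() }()` right after the response is known to be non-nil. The `ioutil.ReadAll` error handling and the rest of TestSCProxy continue past this hunk.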
@@ -87,5 +81,25 @@ func TestSCProxy(t *testing.T) {
if string(body) != greeting {
t.Errorf("Expected %s, got %s", greeting, string(body))
}
+}
+
+func TestDirectoryTraversal(t *testing.T) {
+ var wg sync.WaitGroup
+
+ cfg := Config{
+ scAddr: "http://" + SCAddr,
+ frontendAddr: FrontAddr,
+ }
+ wg.Add(1)
+ go func() {
+ wg.Done()
+ Serve(cfg)
+ }()
+
+ wg.Wait()
+ res, err := http.Get("http://" + FrontAddr + "/..\\schema/schemahandler.go")
+ assert.NoError(t, err, "Error accessing frontend: %s", err)
+ assert.Equal(t, http.StatusNotFound, res.StatusCode, "Expected http status is 404")
+ _ = res.Body.Close()
}
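Review bot: The regression test sends a single traversal spelling, `/..\schema/schemahandler.go`, so a static handler that rejects the backslash form but mishandles the forward-slash form would still pass; adding `res, err = http.Get("http://" + FrontAddr + "/../schema/schemahandler.go")` with the same 404 assertion would cover it, assuming the Go client forwards that path without normalizing it. Nothing outside the test files changes in this commit apart from the echo/v4 bump in go.mod, so the 404 expectation presumably comes from the upstream dependency; a comment such as `// Regression test for SCB-2094: the static handler must not serve files outside the web root (relies on the echo/v4 version pinned in go.mod).` would make that dependency explicit to whoever next touches go.mod. Calling `wg.Done()` before `Serve(cfg)` means `wg.Wait()` does not guarantee the listener is bound, and if `Serve` fails because TestStatic already holds FrontAddr the request is answered by that earlier server; this mirrors the existing tests, so it may be an accepted convention in this suite, but it is worth a note.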
diff --git a/go.mod b/go.mod
index 1093441..ace45b6 100644
--- a/go.mod
+++ b/go.mod
@@ -33,8 +33,7 @@ require (
github.com/jonboulle/clockwork v0.2.2 // indirect
github.com/karlseguin/ccache v2.0.3-0.20170217060820-3ba9789cfd2c+incompatible
github.com/karlseguin/expect v1.0.7 // indirect
- github.com/labstack/echo v3.2.2-0.20180316170059-a5d81b8d4a62+incompatible
- github.com/labstack/echo/v4 v4.1.17
+ github.com/labstack/echo/v4 v4.1.18-0.20201218141459-936c48a17e97
github.com/mattn/go-runewidth v0.0.9 // indirect
github.com/natefinch/lumberjack v0.0.0-20170531160350-a96e63847dc3
github.com/olekukonko/tablewriter v0.0.0-20180506121414-d4647c9c7a84