apisix/t/plugin/uri-blocker.t
罗泽轩 9fc38330e8
fix: prevent being hacked by untrusted request_uri (#5458)
Thanks to Marcin Niemiec for the report.

Signed-off-by: spacewander <spacewanderlzx@gmail.com>
2021-11-09 16:21:27 +08:00

524 lines
11 KiB
Perl
Vendored

#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
use t::APISIX 'no_plan';
repeat_each(1);
no_long_string();
no_root_location();
no_shuffle();
run_tests;
__DATA__
=== TEST 1: invalid regular expression
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"uri-blocker": {
"block_rules": [".+("]
}
},
"uri": "/hello"
}]])
if code >= 300 then
ngx.status = code
end
ngx.print(body)
}
}
--- request
GET /t
--- error_code: 400
--- response_body
{"error_msg":"failed to check the configuration of plugin uri-blocker err: pcre_compile() failed: missing ) in \".+(\""}
--- no_error_log
[error]
=== TEST 2: multiple valid rules
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"uri-blocker": {
"block_rules": ["^a", "^b"]
}
},
"uri": "/hello"
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- request
GET /t
--- response_body
passed
--- no_error_log
[error]
=== TEST 3: multiple rules(include one invalid rule)
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"uri-blocker": {
"block_rules": ["^a", "^b("]
}
},
"uri": "/hello"
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.print(body)
}
}
--- request
GET /t
--- error_code: 400
--- response_body
{"error_msg":"failed to check the configuration of plugin uri-blocker err: pcre_compile() failed: missing ) in \"^b(\""}
--- no_error_log
[error]
=== TEST 4: one block rule
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"uri-blocker": {
"block_rules": ["aa"]
}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/hello"
}]],
[[{
"node": {
"value": {
"plugins": {
"uri-blocker": {
"block_rules": ["aa"]
}
}
}
}
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- request
GET /t
--- response_body
passed
--- no_error_log
[error]
=== TEST 5: hit block rule
--- request
GET /hello?aa=1
--- error_code: 403
--- no_error_log
[error]
--- error_log
concat block_rules: aa
=== TEST 6: miss block rule
--- request
GET /hello?bb=2
--- no_error_log
[error]
--- error_log
concat block_rules: aa
=== TEST 7: multiple block rules
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"uri-blocker": {
"block_rules": ["aa", "bb", "c\\d+"]
}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/hello"
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- request
GET /t
--- response_body
passed
--- no_error_log
[error]
=== TEST 8: hit block rule
--- request
GET /hello?x=bb
--- error_code: 403
--- no_error_log
[error]
--- error_log
concat block_rules: aa|bb|c\d+,
=== TEST 9: hit block rule
--- request
GET /hello?bb=2
--- error_code: 403
--- no_error_log
[error]
--- error_log
concat block_rules: aa|bb|c\d+,
=== TEST 10: hit block rule
--- request
GET /hello?c1=2
--- error_code: 403
--- no_error_log
[error]
=== TEST 11: not hit block rule
--- request
GET /hello?cc=2
--- no_error_log
[error]
=== TEST 12: SQL injection
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"uri-blocker": {
"block_rules": ["select.+(from|limit)", "(?:(union(.*?)select))"]
}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/hello"
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- request
GET /t
--- response_body
passed
--- no_error_log
[error]
=== TEST 13: hit block rule
--- request
GET /hello?name=;select%20from%20sys
--- error_code: 403
--- no_error_log
[error]
--- error_log
concat block_rules: select.+(from|limit)|(?:(union(.*?)select)),
=== TEST 14: hit block rule
--- request
GET /hello?name=;union%20select%20
--- error_code: 403
--- no_error_log
[error]
=== TEST 15: not hit block rule
--- request
GET /hello?cc=2
--- no_error_log
[error]
=== TEST 16: invalid rejected_msg length or type
--- config
location /t {
content_by_lua_block {
local data = {
{
input = {
plugins = {
["uri-blocker"] = {
block_rules = { "^a" },
rejected_msg = "",
},
},
uri = "/hello",
},
output = {
error_msg = "failed to check the configuration of plugin uri-blocker err: property \"rejected_msg\" validation failed: string too short, expected at least 1, got 0",
},
},
{
input = {
plugins = {
["uri-blocker"] = {
block_rules = { "^a" },
rejected_msg = true,
},
},
uri = "/hello",
},
output = {
error_msg = "failed to check the configuration of plugin uri-blocker err: property \"rejected_msg\" validation failed: wrong type: expected string, got boolean",
},
},
}
local t = require("lib.test_admin").test
local err_count = 0
for i in ipairs(data) do
local code, body = t('/apisix/admin/routes/1', ngx.HTTP_PUT, data[i].input, data[i].output)
if code >= 300 then
err_count = err_count + 1
end
ngx.print(body)
end
assert(err_count == #data)
}
}
--- request
GET /t
--- no_error_log
[error]
=== TEST 17: one block rule, with rejected_msg
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"uri-blocker": {
"block_rules": ["aa"],
"rejected_msg": "access is not allowed"
}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/hello"
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.print(body)
}
}
--- request
GET /t
--- no_error_log
[error]
=== TEST 18: hit block rule and return rejected_msg
--- request
GET /hello?aa=1
--- error_code: 403
--- response_body
{"error_msg":"access is not allowed"}
--- no_error_log
[error]
=== TEST 19: one block rule, with case insensitive
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"uri-blocker": {
"block_rules": ["AA"],
"rejected_msg": "access is not allowed",
"case_insensitive": true
}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/hello"
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.print(body)
}
}
--- request
GET /t
--- no_error_log
[error]
=== TEST 20: hit block rule
--- request
GET /hello?aa=1
--- error_code: 403
--- response_body
{"error_msg":"access is not allowed"}
--- no_error_log
[error]
=== TEST 21: add block rule with anchor
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"uri-blocker": {
"block_rules": ["^/internal/"]
}
},
"uri": "/internal/*"
}]])
if code >= 300 then
ngx.status = code
end
ngx.print(body)
}
}
--- request
GET /t
=== TEST 22: can't bypass with url without normalization
--- request
GET /./internal/x?aa=1
--- error_code: 403
--- no_error_log
[error]