From 50abf73e5cec0ac82ce727c766e1b993e5df0adf Mon Sep 17 00:00:00 2001
From: Henrique Dias
Date: Thu, 6 Apr 2023 12:20:40 +0200
Subject: [PATCH] fix(gateway): panic on path without enough components
---
 gateway/gateway_test.go | 4 +++-
 gateway/handler.go | 5 +++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/gateway/gateway_test.go b/gateway/gateway_test.go
index e6f96858a..7eada3a1a 100644
--- a/gateway/gateway_test.go
+++ b/gateway/gateway_test.go
@@ -250,8 +250,10 @@ func TestGatewayGet(t *testing.T) {
 text string
 }{
 {"127.0.0.1:8080", "/", http.StatusNotFound, "404 page not found\n"},
+ {"127.0.0.1:8080", "/ipfs", http.StatusBadRequest, "invalid path \"/ipfs/\": not enough path components\n"},
+ {"127.0.0.1:8080", "/ipns", http.StatusBadRequest, "invalid path \"/ipns/\": not enough path components\n"},
 {"127.0.0.1:8080", "/" + k.Cid().String(), http.StatusNotFound, "404 page not found\n"},
- {"127.0.0.1:8080", "/ipfs/this-is-not-a-cid", http.StatusBadRequest, "failed to resolve /ipfs/this-is-not-a-cid: invalid path \"/ipfs/this-is-not-a-cid\": invalid CID: invalid cid: illegal base32 data at input byte 3\n"},
+ {"127.0.0.1:8080", "/ipfs/this-is-not-a-cid", http.StatusBadRequest, "invalid path \"/ipfs/this-is-not-a-cid\": invalid CID: invalid cid: illegal base32 data at input byte 3\n"},
 {"127.0.0.1:8080", k.String(), http.StatusOK, "fnord"},
 {"127.0.0.1:8080", "/ipns/nxdomain.example.com", http.StatusInternalServerError, "failed to resolve /ipns/nxdomain.example.com: " + namesys.ErrResolveFailed.Error() + "\n"},
 {"127.0.0.1:8080", "/ipns/%0D%0A%0D%0Ahello", http.StatusInternalServerError, "failed to resolve /ipns/\\r\\n\\r\\nhello: " + namesys.ErrResolveFailed.Error() + "\n"},
diff --git a/gateway/handler.go b/gateway/handler.go
index f4aa347d4..4da858c10 100644
--- a/gateway/handler.go
+++ b/gateway/handler.go
@@ -216,6 +216,11 @@ func (i *handler) getOrHeadHandler(w http.ResponseWriter, r *http.Request) {
 return
 }
 
+ if err := contentPath.IsValid(); err != nil {
+ webError(w, err, http.StatusBadRequest)
+ return
+ }
+
 // Detect when explicit Accept header or ?format parameter are present
 responseFormat, formatParams, err := customResponseFormat(r)
 if err != nil {
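Review bot: The new `contentPath.IsValid()` guard sits below at least one earlier early-return branch (the `return` / `}` context at the top of the hunk), so any helper above it that receives `contentPath` would still see the unvalidated value; since the commit exists to stop a panic on short paths, the check is safest immediately after `contentPath` is constructed. getOrHeadHandler starts and ends outside this hunk, so whether the earlier branches actually touch `contentPath` cannot be confirmed from here. Either way the guard deserves a why-comment, e.g. `// Reject malformed paths (such as a bare /ipfs) before anything indexes path components; this previously panicked.` The 400 body also echoes the requested path (see the expected strings in gateway_test.go), so it is worth confirming that webError always sends it as plain text rather than something a browser could render.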