bug: harden proxy nil client handling in Do/Forward paths #4083
ReneWerner87 merged 2 commits into main
Summary of Changes (Gemini Code Assist): Hello @gaby, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
Walkthrough (CodeRabbit): Adds internal nil-safety checks for the proxy HTTP client: WithClient panics on nil, doAction centralizes client selection via selectClient and returns specific internal errors for nil local or global clients. Multiple tests verify panic and error behaviors and local/global override handling.
CodeRabbit: No actionable comments were generated in the recent review.
Codecov Report

All modified and coverable lines are covered by tests.

| | main | #4083 | +/- |
|---|---|---|---|
| Coverage | 90.99% | 91.02% | +0.03% |
| Files | 119 | 119 | |
| Lines | 11256 | 11303 | +47 |
| Hits | 10242 | 10289 | +47 |
| Misses | 642 | 642 | |
| Partials | 372 | 372 | |
Pull request overview (Copilot)
This pull request adds nil client validation to the proxy middleware, preventing nil pointer dereferences when using the Do, Forward, and related functions. The changes add defensive checks at two levels: panicking when setting a nil global client via WithClient, and returning errors when nil clients are passed as function arguments.
Changes:
- Added nil validation to the WithClient function that panics if a nil client is provided
- Added error handling in doAction to return specific errors when nil clients are encountered (either as overrides or from global state)
- Added comprehensive test coverage for the new nil client validation behavior
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| middleware/proxy/proxy.go | Added error variables for nil client scenarios, panic check in WithClient, and nil checks in doAction |
| middleware/proxy/proxy_test.go | Added three new test functions covering nil client panic behavior and error handling |
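The two-level defence the overview describes (panic on a nil global client at setup time, error on a nil client at request time), written out as an added, self-contained example rather than Fiber's own code. The standard library's *http.Client stands in for *fasthttp.Client so it runs without dependencies; the names WithClient, doAction, selectClient, errNilProxyClientOverride and errNilGlobalProxyClient follow the PR's descriptions, while setGlobalClientUnchecked, withClientPanics and the action callback are assumptions made for this demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"sync"
)

// Sentinel errors for the two nil-client paths. The names follow the PR's
// review snippet; everything else in this file is an assumption for the example.
var (
	errNilProxyClientOverride = errors.New("proxy: nil client passed as override")
	errNilGlobalProxyClient   = errors.New("proxy: global client is nil")
)

// Package-level client guarded by an RWMutex, as in the reviewed snippet.
// *http.Client stands in for *fasthttp.Client.
var (
	lock   sync.RWMutex
	client = &http.Client{}
)

// WithClient installs a new global client. A nil client is a programming
// error at setup time, so it panics immediately instead of failing later.
func WithClient(c *http.Client) {
	if c == nil {
		panic("proxy: WithClient called with nil client")
	}
	lock.Lock()
	client = c
	lock.Unlock()
}

// selectClient centralises the choice between a per-call override and the
// global client and turns either being nil into a specific error.
func selectClient(clients []*http.Client) (*http.Client, error) {
	if len(clients) != 0 {
		if clients[0] == nil {
			return nil, errNilProxyClientOverride
		}
		return clients[0], nil
	}
	lock.RLock()
	cli := client
	lock.RUnlock()
	if cli == nil {
		return nil, errNilGlobalProxyClient
	}
	return cli, nil
}

// doAction is the shared path behind Do/Forward-style helpers: it resolves the
// client once and only then runs the request logic, so a nil client is never
// dereferenced inside action.
func doAction(clients []*http.Client, action func(*http.Client) error) error {
	cli, err := selectClient(clients)
	if err != nil {
		return err
	}
	return action(cli)
}

// setGlobalClientUnchecked (assumed helper) bypasses WithClient to simulate a
// caller that writes the global directly; it only exists to reach
// errNilGlobalProxyClient.
func setGlobalClientUnchecked(c *http.Client) {
	lock.Lock()
	client = c
	lock.Unlock()
}

// withClientPanics (assumed helper) reports whether WithClient(c) panics.
func withClientPanics(c *http.Client) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	WithClient(c)
	return false
}

func main() {
	noop := func(*http.Client) error { return nil }
	fmt.Println("WithClient(nil) panics:", withClientPanics(nil))
	fmt.Println("nil override:", doAction([]*http.Client{nil}, noop))
	setGlobalClientUnchecked(nil)
	fmt.Println("nil global:", doAction(nil, noop))
	WithClient(&http.Client{})
	fmt.Println("after WithClient:", doAction(nil, noop))
}
```

The split matters: a nil global client is a configuration mistake and should fail loudly when the application starts, whereas a nil per-request override is a runtime input and should surface as an error the caller can handle without taking the whole process down.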
Code Review
This pull request enhances the robustness of the proxy middleware by adding checks for nil fasthttp.Client instances, introducing a panic in WithClient for nil clients, and adding error handling in doAction for nil client overrides or global clients. However, a pre-existing high-severity Server-Side Request Forgery (SSRF) vulnerability was identified, where the proxy functions do not validate the target URL, potentially allowing an attacker to force requests to internal services. A recommendation to add validation has been provided. Additionally, while new unit tests are included, a suggestion has been made to add a test case for the errNilGlobalProxyClient error path to ensure full coverage.
middleware/proxy/proxy.go (outdated)
```go
// set local or global client
if len(clients) != 0 {
	cli = clients[0]
	if cli == nil {
		return errNilProxyClientOverride
	}
} else {
	lock.RLock()
	cli = client
	lock.RUnlock()
	if cli == nil {
		return errNilGlobalProxyClient
	}
}
```
The doAction function, and by extension the Do, Forward, and other proxy functions, are vulnerable to Server-Side Request Forgery (SSRF). The addr parameter, which specifies the target URL for the proxy request, is used without any validation. If an attacker can control this parameter, they can force the server to make requests to arbitrary internal or external services. This could be used to scan internal networks, access sensitive data, or interact with internal APIs. The library does not provide any built-in mechanism (e.g., an IP blocklist or a domain allow-list) to mitigate this risk.
Remediation:
Implement a validation mechanism for the addr parameter. At a minimum, you should prevent requests to localhost and private IP address ranges. Consider adding a configurable allow-list or block-list for domains to provide developers with a tool to secure their proxy implementations.
@ReneWerner87 will address this in a separate PR, since it's a whole different issue.
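The remediation the review comment asks for, as an added example that is not part of this PR or of Fiber: a target-address policy that rejects loopback, private, link-local and unspecified ranges (including IPv4-mapped IPv6 forms), refuses localhost names, and optionally enforces a host allow-list, before a Do/Forward-style helper sends the request. TargetPolicy, Resolver, ValidateTarget, errForbiddenTarget and the injectable resolver are assumptions for this example; the ranges come from Go's net/netip classification.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/netip"
	"net/url"
	"strings"
)

// errForbiddenTarget wraps every rejection so callers can use errors.Is.
// The name is an assumption for this example.
var errForbiddenTarget = errors.New("proxy: target address is not allowed")

// Resolver maps a host name to its addresses. It is injectable so the policy
// can be tested without DNS; production code falls back to systemResolve.
type Resolver func(ctx context.Context, host string) ([]netip.Addr, error)

// TargetPolicy (assumed configuration): an optional host allow-list plus a
// built-in block of loopback, private, link-local and unspecified ranges.
type TargetPolicy struct {
	AllowedHosts map[string]bool // lower-case host names; empty means any host
	Resolve      Resolver
}

func systemResolve(ctx context.Context, host string) ([]netip.Addr, error) {
	return net.DefaultResolver.LookupNetIP(ctx, "ip", host)
}

// isInternal reports whether an address points at something a proxy should
// never be steered to. Unmap first so ::ffff:127.0.0.1 is judged as 127.0.0.1.
func isInternal(a netip.Addr) bool {
	a = a.Unmap()
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() ||
		a.IsLinkLocalMulticast() || a.IsMulticast() || a.IsUnspecified()
}

func reject(reason string) error {
	return fmt.Errorf("%w: %s", errForbiddenTarget, reason)
}

// ValidateTarget checks the addr a Do/Forward-style helper would request.
func (p TargetPolicy) ValidateTarget(ctx context.Context, addr string) error {
	u, err := url.Parse(addr)
	if err != nil {
		return reject("unparsable URL")
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return reject("scheme must be http or https")
	}
	host := strings.ToLower(u.Hostname()) // port and IPv6 brackets already stripped
	if host == "" {
		return reject("missing host")
	}
	if len(p.AllowedHosts) > 0 && !p.AllowedHosts[host] {
		return reject("host not on allow-list")
	}
	// IP literal: decide without touching DNS.
	if ip, err := netip.ParseAddr(host); err == nil {
		if isInternal(ip) {
			return reject("IP literal in a blocked range")
		}
		return nil
	}
	if host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return reject("localhost is blocked")
	}
	resolve := p.Resolve
	if resolve == nil {
		resolve = systemResolve
	}
	ips, err := resolve(ctx, host)
	if err != nil || len(ips) == 0 {
		return reject("host does not resolve")
	}
	// One internal record is enough to refuse. The HTTP client resolves again
	// when it dials, so a name whose answer changes between this check and the
	// dial is not caught here; repeating isInternal inside the client's dial
	// function is the stronger control.
	for _, ip := range ips {
		if isInternal(ip) {
			return reject("host resolves into a blocked range")
		}
	}
	return nil
}

func main() {
	p := TargetPolicy{} // system DNS, no allow-list
	for _, addr := range []string{"http://127.0.0.1:8080/", "http://[::ffff:10.0.0.1]/", "http://169.254.1.1/"} {
		fmt.Printf("%-32s %v\n", addr, p.ValidateTarget(context.Background(), addr))
	}
}
```

An allow-list of expected upstream hosts is the setting to prefer where the proxy serves a fixed set of backends; the range block is the fallback for deployments that must forward to arbitrary hosts.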
This pull request significantly enhances the robustness of the proxy middleware by implementing comprehensive checks for nil fasthttp.Client instances. It ensures that both globally configured and locally overridden clients are valid before use, preventing unexpected panics and providing clearer, more specific error messages. This change improves the overall stability and predictability of proxy operations within the application.