

Commit 454450a

bepclaude
and committed
config/security: Restrict default http.urls "@" deny to userinfo
The previous "! @" deny rule rejected any URL containing "@", including legitimate version-pinned imports such as https://cdn.jsdelivr.net/npm/mermaid@latest/dist/mermaid.esm.min.mjs. Tighten it to "! (?i)^https?://[^/?#]*@" so only "@" inside the authority section (i.e. real userinfo) is blocked. Fixes #14825 Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
1 parent 2bfcc6b commit 454450a

2 files changed

Lines changed: 28 additions & 2 deletions


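--- a/config/security/securityConfig.go
+++ b/config/security/securityConfig.go
@@ -59,7 +59,7 @@ var DefaultConfig = Config{
 URLs: MustNewWhitelist(
 `(?i)^https?://[a-z]`,
 `! (?i)localhost`,
-`! @`,
+`! (?i)^https?://[^/?#]*@`,
 ),
 Methods: MustNewWhitelist("(?i)GET|POST"),
 },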
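Review bot: The tightened deny rule on the added line carries no comment recording why it is scoped to the authority, which is exactly the distinction the old `! @` rule got wrong; a reader meeting `[^/?#]*@` later will not know that a path-level `@` (npm-style `pkg@version` pins) is allowed on purpose. Suggest placing `// Deny "@" only inside the authority (before the first "/", "?" or "#"), i.e. URL userinfo; "@" later in the URL stays allowed, see #14825.` above the rule. The rule is applied to the raw URL string rather than to a net/url-parsed value, so it is worth pinning in a test that the characters this class treats as the end of the authority agree with what the fetch path's parser uses. The enclosing `var DefaultConfig` literal starts before this hunk.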

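--- a/config/security/securityConfig_test.go
+++ b/config/security/securityConfig_test.go
@@ -135,7 +135,7 @@ func TestToTOML(t *testing.T) {
 got := DefaultConfig.ToTOML()
 
 c.Assert(got, qt.Equals,
-"[security]\n enableInlineShortcodes = false\n\n [security.exec]\n allow = ['^(dart-)?sass(-embedded)?$', '^go$', '^git$', '^node$', '^postcss$', '^tailwindcss$']\n osEnv = ['(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\\w+|(XDG_CONFIG_)?HOME|USERPROFILE|SSH_AUTH_SOCK|DISPLAY|LANG|SYSTEMDRIVE|PROGRAMDATA)$']\n\n [security.funcs]\n getenv = ['^HUGO_', '^CI$']\n\n [security.http]\n methods = ['(?i)GET|POST']\n urls = ['(?i)^https?://[a-z]', '! (?i)localhost', '! @']\n\n [security.node]\n [security.node.permissions]\n allowAddons = ['tailwindcss']\n allowRead = ['.']\n allowWorker = ['tailwindcss']\n allowWrite = []\n disable = false",
+"[security]\n enableInlineShortcodes = false\n\n [security.exec]\n allow = ['^(dart-)?sass(-embedded)?$', '^go$', '^git$', '^node$', '^postcss$', '^tailwindcss$']\n osEnv = ['(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\\w+|(XDG_CONFIG_)?HOME|USERPROFILE|SSH_AUTH_SOCK|DISPLAY|LANG|SYSTEMDRIVE|PROGRAMDATA)$']\n\n [security.funcs]\n getenv = ['^HUGO_', '^CI$']\n\n [security.http]\n methods = ['(?i)GET|POST']\n urls = ['(?i)^https?://[a-z]', '! (?i)localhost', '! (?i)^https?://[^/?#]*@']\n\n [security.node]\n [security.node.permissions]\n allowAddons = ['tailwindcss']\n allowRead = ['.']\n allowWorker = ['tailwindcss']\n allowWrite = []\n disable = false",
 )
 }
 
@@ -247,6 +247,32 @@ urls = ['.*', '! ^https?://evil\.example\.com']
 })
 }
 
+func TestCheckAllowedHTTPURLAtInPathIssue14825(t *testing.T) {
+t.Parallel()
+c := qt.New(t)
+
+pc, err := DecodeConfig(config.New())
+c.Assert(err, qt.IsNil)
+
+for _, u := range []string{
+"https://cdn.jsdelivr.net/npm/mermaid@latest/dist/mermaid.esm.min.mjs",
+"https://unpkg.com/react@18/umd/react.production.min.js",
+"https://example.org/foo@bar/baz",
+} {
+c.Assert(pc.CheckAllowedHTTPURL(u), qt.IsNil, qt.Commentf(u))
+}
+
+for _, u := range []string{
+"http://[email protected]/",
+"http://user:[email protected]/",
+"https://[email protected]/foo@bar",
+} {
+err := pc.CheckAllowedHTTPURL(u)
+c.Assert(err, qt.IsNotNil, qt.Commentf(u))
+c.Assert(err, qt.ErrorMatches, `(?s).*is not whitelisted in policy "security\.http\.urls".*`, qt.Commentf(u))
+}
+}
+
 func TestDecodeConfigNodePermissions(t *testing.T) {
 c := qt.New(t)
 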
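Review bot: The positive cases in `TestCheckAllowedHTTPURLAtInPathIssue14825` only exercise `@` in the path, while the new rule's `[^/?#]*` also ends the authority at `?` and `#`; adding one URL with `@` only in the query and one with it only in the fragment (for example `https://example.org/?v=a@b` and `https://example.org/#a@b`) would pin that those delimiters are honored and cannot regress silently. The second loop also declares `err :=`, shadowing the `err` returned by `DecodeConfig` a few lines up; harmless here, but `err = pc.CheckAllowedHTTPURL(u)` avoids the shadow warning from vet-style linters. The deny-case assertions check only the generic "not whitelisted" message, so a case that fails for a different reason (a malformed URL rejected earlier, say) would still pass; if the policy error is distinguishable, asserting on it would make the test stricter.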