admin: reject non-canonical config array indices#7592
admin: reject non-canonical config array indices#7592Amemoyoi wants to merge 2 commits intocaddyserver:masterfrom
Conversation
|
|
|
I checked the failing CI jobs. The failures appear unrelated to this change:
The targeted tests for this change are passing locally:
|
|
Thanks. Can you please sign the CLA and restore the deleted assistance disclosure from the PR template? |
|
I’ve signed the CLA and restored the assistance disclosure in the PR description. It shows “You have agreed to the CLA for caddyserver/caddy” on my side, so it looks like the signature is in place, but the CLA check may not have updated yet. |
|
The CLA needs to be signed by the same email address as on the commits. |
Amemoyoi
force-pushed
the
fix-admin-config-index-auth-bypass
branch
from
b6e2bda to
36a0e79
Compare
|
I checked it and found that the commit email was the issue. I’ve updated it to match the CLA-signed address and pushed the updated commit to the PR branch. Thanks. |
francislavoie
left a comment
francislavoie
left a comment
There was a problem hiding this comment.
LGTM, could use a couple more test cases to cover more of the allowed and rejected cases though (including +/- as described)
|
Thanks. I added broader test coverage for both allowed and rejected forms, including the +/- cases, and pushed the update. |
4 participants
This rejects non-canonical numeric array indices in
/configtraversal.Previously, array path components were parsed with
strconv.Atoi, which meant paths like01were accepted and normalized to1. That could cause the authorization layer to accept one textual path while config traversal resolved adifferent array element.
This change introduces canonical index parsing so that only normalized decimal forms are accepted:
0,1,1001,002,+1,-0Validation:
go test ./... -run TestUnsyncedConfigAccessRejectsNonCanonicalArrayIndicesgo test ./... -run TestUnsyncedConfigAccessI also ran
go test ./..., but the run hit an unrelated integration timeout/failure incaddytest/integration(TestACMEServerWithDefaults).Assistance disclosure:
I used an LLM to help review the code, reason about the behavior, and help draft the original report and parts of the patch/PR text. I manually reproduced the issue, validated the fix, and ran the relevant tests myself.