github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

added tests, fixed typo

Browse Source
pull/21704/head
Sarah Alsmiller 3 months ago
parent 52f4b86c5c
commit ede97520b0
2 changed files with 35 additions and 13 deletions
Show Stats Download Patch File Download Diff File

16
agent/http.go
Unescape View File

@ -46,7 +46,7 @@ import (
const ( const (
contentTypeHeader = "Content-Type" contentTypeHeader = "Content-Type"
plainContentType = "text/plain" plainContentType = "text/plain; charset=utf-8"
htmlContentType = "text/html" htmlContentType = "text/html"
jsonContentType = "application/json" jsonContentType = "application/json"
) )
@ -228,7 +228,7 @@ func (s *HTTPHandlers) handler() http.Handler {
// If enableDebug register wrapped pprof handlers // If enableDebug register wrapped pprof handlers
if !s.agent.enableDebug.Load() && s.checkACLDisabled() { if !s.agent.enableDebug.Load() && s.checkACLDisabled() {
resp.WriteHeader(http.StatusNotFound) resp.WriteHeader(http.StatusNotFound)
req.Header.Set(contentTypeHeader, plainContentType) resp.Header().Set(contentTypeHeader, plainContentType)
return return
} }
@ -237,7 +237,7 @@ func (s *HTTPHandlers) handler() http.Handler {
authz, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil) authz, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
if err != nil { if err != nil {
req.Header.Set(contentTypeHeader, plainContentType) resp.Header().Set(contentTypeHeader, plainContentType)
resp.WriteHeader(http.StatusForbidden) resp.WriteHeader(http.StatusForbidden)
return return
} }
@ -247,8 +247,8 @@ func (s *HTTPHandlers) handler() http.Handler {
// TODO(partitions): should this be possible in a partition? // TODO(partitions): should this be possible in a partition?
// TODO(acl-error-enhancements): We should return error details somehow here. // TODO(acl-error-enhancements): We should return error details somehow here.
if authz.OperatorRead(nil) != acl.Allow { if authz.OperatorRead(nil) != acl.Allow {
resp.Header().Set(contentTypeHeader, plainContentType)
resp.WriteHeader(http.StatusForbidden) resp.WriteHeader(http.StatusForbidden)
req.Header.Set(contentTypeHeader, plainContentType)
return return
} }
@ -328,7 +328,6 @@ func (s *HTTPHandlers) handler() http.Handler {
} }
h = withRemoteAddrHandler(h) h = withRemoteAddrHandler(h)
h = ensureContentTypeHeader(h, s.agent.logger) h = ensureContentTypeHeader(h, s.agent.logger)
s.h = &wrappedMux{ s.h = &wrappedMux{
@ -351,15 +350,14 @@ func withRemoteAddrHandler(next http.Handler) http.Handler {
}) })
} }
// Injects content type explicitly if not already set into request to prevent XSS // Injects content type explicitly if not already set into response to prevent XSS
func ensureContentTypeHeader(next http.Handler, logger hclog.Logger) http.Handler { func ensureContentTypeHeader(next http.Handler, logger hclog.Logger) http.Handler {
return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) { return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
val := req.Header.Get(contentTypeHeader) val := resp.Header().Get(contentTypeHeader)
if val == "" { if val == "" {
req.Header.Set(contentTypeHeader, plainContentType) resp.Header().Set(contentTypeHeader, plainContentType)
logger.Debug("warning: content-type header not explicitly set.", "request-path", req.URL) logger.Debug("warning: content-type header not explicitly set.", "request-path", req.URL)
} }
next.ServeHTTP(resp, req) next.ServeHTTP(resp, req)
}) })

32
agent/http_test.go
Unescape View File

@ -639,14 +639,14 @@ func TestHTTPAPIResponseHeaders(t *testing.T) {
`) `)
defer a.Shutdown() defer a.Shutdown()
requireHasHeadersSet(t, a, "/v1/agent/self") requireHasHeadersSet(t, a, "/v1/agent/self", "application/json")
// Check the Index page that just renders a simple message with UI disabled // Check the Index page that just renders a simple message with UI disabled
// also gets the right headers. // also gets the right headers.
requireHasHeadersSet(t, a, "/") requireHasHeadersSet(t, a, "/", "text/plain; charset=utf-8")
} }
func requireHasHeadersSet(t *testing.T, a *TestAgent, path string) { func requireHasHeadersSet(t *testing.T, a *TestAgent, path string, contentType string) {
t.Helper() t.Helper()
resp := httptest.NewRecorder() resp := httptest.NewRecorder()
@ -661,6 +661,9 @@ func requireHasHeadersSet(t *testing.T, a *TestAgent, path string) {
require.Equal(t, "1; mode=block", hdrs.Get("X-XSS-Protection"), require.Equal(t, "1; mode=block", hdrs.Get("X-XSS-Protection"),
"X-XSS-Protection header value incorrect") "X-XSS-Protection header value incorrect")
require.Equal(t, contentType, hdrs.Get("Content-Type"),
"")
} }
func TestUIResponseHeaders(t *testing.T) { func TestUIResponseHeaders(t *testing.T) {
@ -680,7 +683,28 @@ func TestUIResponseHeaders(t *testing.T) {
`) `)
defer a.Shutdown() defer a.Shutdown()
requireHasHeadersSet(t, a, "/ui") //response header for the UI appears to be being handled by the UI itself.
requireHasHeadersSet(t, a, "/ui", "text/plain; charset=utf-8")
}
func TestErrorContentTypeHeaderSet(t *testing.T) {
if testing.Short() {
t.Skip("too slow for testing.Short")
}
t.Parallel()
a := NewTestAgent(t, `
http_config {
response_headers = {
"Access-Control-Allow-Origin" = "*"
"X-XSS-Protection" = "1; mode=block"
"X-Frame-Options" = "SAMEORIGIN"
}
}
`)
defer a.Shutdown()
requireHasHeadersSet(t, a, "/fake-path-doesn't-exist", "text/plain; charset=utf-8")
} }
func TestAcceptEncodingGzip(t *testing.T) { func TestAcceptEncodingGzip(t *testing.T) {

Write Preview
Loading…
Cancel
Save