From 20c744321e85ca4b142431ab178531fa1cd96d6b Mon Sep 17 00:00:00 2001
From: Ernest Micklei
Date: Tue, 28 Feb 2023 08:39:06 +0100
Subject: [PATCH] introduce MergePathStrategy for #521 #519
---
 route_builder.go | 19 ++++++++++++++++++-
 web_service_test.go | 12 ++++++------
 2 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/route_builder.go b/route_builder.go
index 830ebf14..85bc41c5 100644
--- a/route_builder.go
+++ b/route_builder.go
@@ -353,8 +353,25 @@ func (b *RouteBuilder) Build() Route {
 return route
 }
+type MergePathStrategyFunc func(path1, path2 string) string
+
+var (
+ // behavior 3.10.*
+ PathJoinStrategy = path.Join
+
+ // behavior <= 3.9
+ TrimSlashStrategy = func(path1, path2 string) string {
+ return strings.TrimRight(path1, "/") + "/" + strings.TrimLeft(path2, "/")
+ }
+
+ // MergePathStrategy is the active strategy for merging a Route path when building the routing of all WebServices.
+ // The value is set to TrimSlashStrategy
+ // PathJoinStrategy is an alternative strategy that is more strict [Security - PRISMA-2022-0227]
+ MergePathStrategy = TrimSlashStrategy
+)
+
 func concatPath(path1, path2 string) string {
- return path.Join(path1, path2)
+ return MergePathStrategy(path1, path2)
 }
 var anonymousFuncCount int32
diff --git a/web_service_test.go b/web_service_test.go
index d2218169..47a496a9 100644
--- a/web_service_test.go
+++ b/web_service_test.go
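Review bot: `PathJoinStrategy = path.Join` gets the variadic type `func(elem ...string) string`, while `MergePathStrategy` is inferred from `TrimSlashStrategy` as `func(path1, path2 string) string`, so `MergePathStrategy = PathJoinStrategy` does not compile and a caller cannot select the stricter strategy the comment ties to PRISMA-2022-0227. `MergePathStrategyFunc` is declared but none of the three variables use it; declaring them with it closes the gap: `PathJoinStrategy MergePathStrategyFunc = func(path1, path2 string) string { return path.Join(path1, path2) }` and `MergePathStrategy MergePathStrategyFunc = TrimSlashStrategy`. Because the default returns to the pre-3.10 merge, which concatenates without the cleaning that `path.Join` performs, the doc comment should also state that the variable has to be set before routes are built. `concatPath` reads it at call time, but its callers are outside the hunk, so the build-time dependency is inferred.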
@@ -337,12 +337,12 @@ func TestClientWithAndWithoutTrailingSlash(t *testing.T) {
 url string
 wantCode int
 }{
- // behavior before #520
- // {url: "http://here.com/test", wantCode: 404},
- // {url: "http://here.com/test/", wantCode: 200},
- // current behavior
- {url: "http://here.com/test", wantCode: 200},
- {url: "http://here.com/test/", wantCode: 404},
+ // TrimSlashStrategy
+ {url: "http://here.com/test", wantCode: 404},
+ {url: "http://here.com/test/", wantCode: 200},
+ // PathJoinStrategy
+ //{url: "http://here.com/test", wantCode: 200},
+ //{url: "http://here.com/test/", wantCode: 404},
 } {
 t.Run(tt.url, func(t *testing.T) {
 httpRequest, _ := http.NewRequest("PUT", tt.url, nil)
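Review bot: The `PathJoinStrategy` expectations survive only as commented-out rows, so the strategy this commit describes as more strict is never exercised and a regression in it would pass unnoticed. A second test, or an outer loop over strategies, should set `MergePathStrategy` to a `path.Join`-based function before the route is registered and assert 200 for `/test` and 404 for `/test/`. It should restore the previous value afterwards, for example with `defer func(old func(string, string) string) { MergePathStrategy = old }(MergePathStrategy)`, so the package-level setting does not leak into other tests. The route setup and the rest of the test body are outside the hunk, so where the override has to go is inferred.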