Merge pull request #3685 from filipochnik/abs-path

Prevent absolute URLs in checks paths
hashicorp · Jan 4, 2018 · 39e08eb · 39e08eb
2 parents 12ce2c9 + d234641
commit 39e08eb
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 1 deletion.
diff --git a/nomad/structs/structs.go b/nomad/structs/structs.go
@@ -12,6 +12,7 @@ import (
 	"fmt"
 	"io"
 	"net"
+	"net/url"
 	"os"
 	"path/filepath"
 	"reflect"
@@ -2937,6 +2938,13 @@ func (sc *ServiceCheck) validate() error {
 		if sc.Path == "" {
 			return fmt.Errorf("http type must have a valid http path")
 		}
+		url, err := url.Parse(sc.Path)
+		if err != nil {
+			return fmt.Errorf("http type must have a valid http path")
+		}
+		if url.IsAbs() {
+			return fmt.Errorf("http type must have a relative http path")
+		}
 
 	case ServiceCheckScript:
 		if sc.Command == "" {

diff --git a/nomad/structs/structs_test.go b/nomad/structs/structs_test.go
@@ -1230,6 +1230,37 @@ func TestTask_Validate_Service_Check(t *testing.T) {
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
+
+	check2 := ServiceCheck{
+		Name:     "check-name-2",
+		Type:     ServiceCheckHTTP,
+		Interval: 10 * time.Second,
+		Timeout:  2 * time.Second,
+		Path:     "/foo/bar",
+	}
+
+	err = check2.validate()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	check2.Path = ""
+	err = check2.validate()
+	if err == nil {
+		t.Fatal("Expected an error")
+	}
+	if !strings.Contains(err.Error(), "valid http path") {
+		t.Fatalf("err: %v", err)
+	}
+
+	check2.Path = "http://www.example.com"
+	err = check2.validate()
+	if err == nil {
+		t.Fatal("Expected an error")
+	}
+	if !strings.Contains(err.Error(), "relative http path") {
+		t.Fatalf("err: %v", err)
+	}
 }
 
 // TestTask_Validate_Service_Check_AddressMode asserts that checks do not

diff --git a/website/source/api/json-jobs.html.md b/website/source/api/json-jobs.html.md
@@ -412,7 +412,8 @@ The `Task` object supports the following keys:
          - `Path`: The path of the HTTP endpoint which Consul will query to query
            the health of a service if the type of the check is `http`. Nomad
            will add the IP of the service and the port, users are only required
-           to add the relative URL of the health check endpoint.
+           to add the relative URL of the health check endpoint. Absolute paths
+           are not allowed.
 
          - `Protocol`: This indicates the protocol for the HTTP checks. Valid
            options are `http` and `https`. We default it to `http`.