Do not follow HTTP redirects.

This commit supersedes PRs #19 and #15, adding tests.
ifad · Jan 29, 2021 · 8e1f2cd · 8e1f2cd
1 parent 6e2751c
commit 8e1f2cd
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 2 deletions.
diff --git a/src/clammit/forwarder/forwarder.go b/src/clammit/forwarder/forwarder.go
@@ -180,6 +180,10 @@ func (f *Forwarder) forwardRequest(req *http.Request, body io.Reader, contentLen
 		freq.Header.Set("X-Forwarded-For", xff)
 	}
 
+	client.CheckRedirect = func(req *http.Request, via []*http.Request) error {
+		return http.ErrUseLastResponse
+	}
+
 	return client.Do(freq)
 }
 

diff --git a/src/clammit/forwarder/forwarder_test.go b/src/clammit/forwarder/forwarder_test.go
@@ -2,14 +2,18 @@ package forwarder
 
 import (
 	"bytes"
-	"gopkg.in/stretchr/testify.v1/assert"
 	"io"
 	"io/ioutil"
+	"log"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
+	"os"
 	"strings"
 	"testing"
+
+	"github.com/stretchr/testify/require"
+	"gopkg.in/stretchr/testify.v1/assert"
 )
 
 type testResponseWriter struct {
@@ -18,6 +22,10 @@ type testResponseWriter struct {
 	Body       *bytes.Buffer
 }
 
+func emptyBody() io.Reader {
+	return bytes.NewReader([]byte{})
+}
+
 func NewTestResponseWriter() *testResponseWriter {
 	return &testResponseWriter{
 		Headers:    make(http.Header),
@@ -180,7 +188,7 @@ func TestHostForwarding(t *testing.T) {
 	fw.HandleRequest(w, req)
 }
 
-func TestMutliForwarder(t *testing.T) {
+func TestMultiForwarder(t *testing.T) {
 	requestText := "This is a request"
 
 	fw := NewForwarder(nil, 10000, nil)
@@ -234,3 +242,48 @@ func TestMutliForwarder(t *testing.T) {
 	assert.Equal(t, w3.StatusCode, 500)
 	assert.Equal(t, w3.Body.String(), "Internal Server Error\n")
 }
+
+func TestForwardingWithRedirectPOST(t *testing.T) {
+	requestText := "This is a request"
+
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		defer r.Body.Close()
+		w.Header().Add("Location", "https://localhost:12345/foobar")
+		w.WriteHeader(302)
+	}))
+	defer ts.Close()
+	tsURL, _ := url.Parse(ts.URL)
+
+	fw := NewForwarder(tsURL, 10000, nil)
+
+	req, _ := http.NewRequest("POST", "http://localhost:99999/bar?crazy=true", strings.NewReader(requestText))
+	w := NewTestResponseWriter()
+
+	fw.HandleRequest(w, req)
+
+	require.Equal(t, 302, w.StatusCode)
+	assert.Equal(t, "https://localhost:12345/foobar", w.Header().Get("Location"))
+}
+
+func TestForwardingWithRedirectGET(t *testing.T) {
+
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		defer r.Body.Close()
+		w.Header().Add("Location", "https://localhost:12345/foobar")
+		w.WriteHeader(302)
+	}))
+	defer ts.Close()
+	tsURL, _ := url.Parse(ts.URL)
+
+	fw := NewForwarder(tsURL, 10000, nil)
+	fw.SetLogger(log.New(os.Stdout, "", log.Lshortfile), true)
+	req, _ := http.NewRequest("GET", "http://localhost:99999/bar?crazy=true", emptyBody())
+	req.Header.Set("X-Clammit-Backend", tsURL.String())
+
+	w := NewTestResponseWriter()
+
+	fw.HandleRequest(w, req)
+
+	require.Equal(t, 302, w.StatusCode)
+	assert.Equal(t, "https://localhost:12345/foobar", w.Header().Get("Location"))
+}