Denial-of-Service at net/url.(*URL).Query by "//%2f" #41153

Closed
dwisiswant0 opened this issue Sep 1, 2020 · 5 comments
@dwisiswant0

What version of Go are you using (go version)?

$ go version
go version go1.14.7 linux/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN="/home/dw1/.go/bin"
GOCACHE="/home/dw1/.cache/go-build"
GOENV="/home/dw1/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/dw1/.go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/snap/go/6274"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/snap/go/6274/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build141242694=/tmp/go-build -gno-record-gcc-switches"

What did you do?

package main

import (
	"fmt"
	"net/url"
)

func main() {
	raw := "//%2f?id=1"
	prs, _ := url.Parse(raw)
	qry := prs.Query()

	fmt.Println(qry)
}

Initially, I tried to parse query from URLs under several conditions:

String Status
/%2f?id=1 OK
//?id=1 OK
//%2f?id=1 PANIC
///?id=1 OK
///%2f?id=1 OK

What did you expect to see?

map[id:[1]]

What did you see instead?

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x60 pc=0x49a342]

goroutine 1 [running]:
net/url.(*URL).Query(0x0, 0xa)
        /snap/go/6274/src/net/url/url.go:1032 +0x22
main.main()
        /tmp/query-test.go:11 +0x48
exit status 2
@davecheney
Contributor

I don’t think we can accept this bug report as your sample does not check the error returned from URL.Parse.

@dwisiswant0
Author

dwisiswant0 commented Sep 1, 2020

Aight, but from the conditions that I describe, if I check for an error return:
invalid URL escape "%2f"

And still valid for:

String Status
/%2f?id=1 PASSED
//?id=1 PASSED
//%2f?id=1 NOPE
///?id=1 PASSED
///%2f?id=1 PASSED

@davecheney
Contributor

Would you be able to rewrite your issue report to include correct error handling? Thank you.

@dwisiswant0
Author

On it.

@rsc
Contributor

rsc commented Sep 1, 2020

url.Parse is working correctly here: https://play.golang.org/p/0rVDegfUUIk.
You may not realize that two leading slashes mark a protocol-relative URL.
The parse error happens because %2f is not a valid host name,
in contrast to "x" and "" (an omitted host name).

@golang golang locked and limited conversation to collaborators Sep 1, 2021