Skip to content

Commit

Permalink
fix: security improvement (#62)
Browse files Browse the repository at this point in the history
  • Loading branch information
ubogdan authored Apr 16, 2022
1 parent 25e73d2 commit b7d83e8
Show file tree
Hide file tree
Showing 3 changed files with 23 additions and 18 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ jobs:
test:
strategy:
matrix:
go: [ '1.15.x', '1.16.x', '1.17.x' ]
go: [ '1.15.x', '1.16.x', '1.17.x', '1.18.x' ]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
Expand Down
6 changes: 5 additions & 1 deletion swagger.go
Original file line number Diff line number Diff line change
Expand Up @@ -122,6 +122,10 @@ func Handler(configFns ...func(*Config)) http.HandlerFunc {
var re = regexp.MustCompile(`^(.*/)([^?].*)?[?|.]*$`)

return func(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodGet {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
matches := re.FindStringSubmatch(r.RequestURI)
path := matches[2]

Expand Down Expand Up @@ -155,7 +159,7 @@ func Handler(configFns ...func(*Config)) http.HandlerFunc {
}
_, _ = w.Write([]byte(doc))
case "":
http.Redirect(w, r, h.Prefix+"index.html", 301)
http.Redirect(w, r, h.Prefix+"index.html", http.StatusMovedPermanently)
default:
h.ServeHTTP(w, r)
}
Expand Down
33 changes: 17 additions & 16 deletions swagger_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -43,35 +43,36 @@ func TestWrapHandler(t *testing.T) {

router.Handle("/", Handler(DocExpansion("none"), DomID("#swagger-ui")))

w1 := performRequest("GET", "/index.html", router)
assert.Equal(t, 200, w1.Code)
w1 := performRequest(http.MethodGet, "/index.html", router)
assert.Equal(t, http.StatusOK, w1.Code)
assert.Equal(t, w1.Header()["Content-Type"][0], "text/html; charset=utf-8")

w2 := performRequest("GET", "/doc.json", router)
assert.Equal(t, 500, w2.Code)
assert.Equal(t, http.StatusInternalServerError, performRequest(http.MethodGet, "/doc.json", router).Code)

swag.Register(swag.Name, &mockedSwag{})
w2 = performRequest("GET", "/doc.json", router)
assert.Equal(t, 200, w2.Code)
w2 := performRequest(http.MethodGet, "/doc.json", router)
assert.Equal(t, http.StatusOK, w2.Code)
assert.Equal(t, "application/json; charset=utf-8", w2.Header().Get("content-type"))

w3 := performRequest("GET", "/favicon-16x16.png", router)
assert.Equal(t, 200, w3.Code)
w3 := performRequest(http.MethodGet, "/favicon-16x16.png", router)
assert.Equal(t, http.StatusOK, w3.Code)
assert.Equal(t, w3.Header()["Content-Type"][0], "image/png")

w4 := performRequest("GET", "/swagger-ui.css", router)
assert.Equal(t, 200, w4.Code)
w4 := performRequest(http.MethodGet, "/swagger-ui.css", router)
assert.Equal(t, http.StatusOK, w4.Code)
assert.Equal(t, w4.Header()["Content-Type"][0], "text/css; charset=utf-8")

w5 := performRequest("GET", "/swagger-ui-bundle.js", router)
assert.Equal(t, 200, w5.Code)
w5 := performRequest(http.MethodGet, "/swagger-ui-bundle.js", router)
assert.Equal(t, http.StatusOK, w5.Code)
assert.Equal(t, w5.Header()["Content-Type"][0], "application/javascript")

w6 := performRequest("GET", "/notfound", router)
assert.Equal(t, 404, w6.Code)
assert.Equal(t, http.StatusNotFound, performRequest(http.MethodGet, "/notfound", router).Code)

w7 := performRequest("GET", "/", router)
assert.Equal(t, 301, w7.Code)
assert.Equal(t, 301, performRequest(http.MethodGet, "/", router).Code)

assert.Equal(t, http.StatusMethodNotAllowed, performRequest(http.MethodPost, "/swagger/index.html", router).Code)

assert.Equal(t, http.StatusMethodNotAllowed, performRequest(http.MethodPut, "/swagger/index.html", router).Code)
}

func performRequest(method, target string, h http.Handler) *httptest.ResponseRecorder {
Expand Down

0 comments on commit b7d83e8

Please sign in to comment.