Allow only http and https schemes for --proxy

gravitational · Mar 4, 2022 · 5bf4fdc · 5bf4fdc
1 parent a000f44
commit 5bf4fdc
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 8 deletions.
diff --git a/tool/tctl/common/auth_command.go b/tool/tctl/common/auth_command.go
@@ -740,13 +740,18 @@ func (a *AuthCommand) checkProxyAddr(clusterAPI auth.ClientI) error {
 		// User set --proxy. Validate it and set its scheme to https in case it was omitted.
 		u, err := url.Parse(a.proxyAddr)
 		if err != nil {
-			return trace.WrapWithMessage(err, "Specified --proxy URL is invalid")
+			return trace.WrapWithMessage(err, "specified --proxy URL is invalid")
 		}
-		if u.Scheme == "" {
+		switch u.Scheme {
+		case "":
 			u.Scheme = "https"
+			a.proxyAddr = u.String()
+			return nil
+		case "http", "https":
+			return nil
+		default:
+			return trace.BadParameter("expected --proxy URL with http or https scheme")
 		}
-		a.proxyAddr = u.String()
-		return nil
 	}
 
 	// User didn't specify --proxy for kubeconfig. Let's try to guess it.

diff --git a/tool/tctl/common/auth_command_test.go b/tool/tctl/common/auth_command_test.go
@@ -107,7 +107,7 @@ func TestAuthSignKubeconfig(t *testing.T) {
 		assertErr   require.ErrorAssertionFunc
 	}{
 		{
-			desc: "valid --proxy with URL scheme",
+			desc: "valid --proxy URL with valid URL scheme",
 			ac: AuthCommand{
 				output:        filepath.Join(tmpDir, "kubeconfig"),
 				outputFormat:  identityfile.FormatKubernetes,
@@ -118,7 +118,20 @@ func TestAuthSignKubeconfig(t *testing.T) {
 			assertErr: require.NoError,
 		},
 		{
-			desc: "valid --proxy without URL scheme",
+			desc: "valid --proxy URL with invalid URL scheme",
+			ac: AuthCommand{
+				output:        filepath.Join(tmpDir, "kubeconfig"),
+				outputFormat:  identityfile.FormatKubernetes,
+				signOverwrite: true,
+				proxyAddr:     "file://proxy-from-flag.example.com",
+			},
+			assertErr: func(t require.TestingT, err error, _ ...interface{}) {
+				require.Error(t, err)
+				require.Equal(t, err.Error(), "expected --proxy URL with http or https scheme")
+			},
+		},
+		{
+			desc: "valid --proxy URL without URL scheme",
 			ac: AuthCommand{
 				output:        filepath.Join(tmpDir, "kubeconfig"),
 				outputFormat:  identityfile.FormatKubernetes,
@@ -129,7 +142,7 @@ func TestAuthSignKubeconfig(t *testing.T) {
 			assertErr: require.NoError,
 		},
 		{
-			desc: "invalid --proxy",
+			desc: "invalid --proxy URL",
 			ac: AuthCommand{
 				output:        filepath.Join(tmpDir, "kubeconfig"),
 				outputFormat:  identityfile.FormatKubernetes,
@@ -138,7 +151,7 @@ func TestAuthSignKubeconfig(t *testing.T) {
 			},
 			assertErr: func(t require.TestingT, err error, _ ...interface{}) {
 				require.Error(t, err)
-				require.Contains(t, err.Error(), "Specified --proxy URL is invalid")
+				require.Contains(t, err.Error(), "specified --proxy URL is invalid")
 			},
 		},
 		{