From: Remi Gacogne Date: Thu, 23 Jan 2020 14:21:24 +0000 (+0100) Subject: dnsdist: Don't accept sub-paths of configured DoH URLs X-Git-Tag: auth-4.3.0-beta2~19^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=767fbba32f707b86f94a775ddecad16226c6d8e5;p=thirdparty%2Fpdns.git dnsdist: Don't accept sub-paths of configured DoH URLs --- diff --git a/pdns/dnsdistdist/doh.cc b/pdns/dnsdistdist/doh.cc index 9b29e650b8..f45ae902c9 100644 --- a/pdns/dnsdistdist/doh.cc +++ b/pdns/dnsdistdist/doh.cc @@ -199,6 +199,7 @@ struct DOHServerConfig } LocalHolders holders; + std::unordered_set paths; h2o_globalconf_t h2o_config; h2o_context_t h2o_ctx; DOHAcceptContext* accept_ctx{nullptr}; @@ -687,6 +688,12 @@ try string path(req->path.base, req->path.len); + string pathOnly(req->path_normalized.base, req->path_normalized.len); + if (dsc->paths.count(pathOnly) == 0) { + h2o_send_error_404(req, "Not Found", "there is no endpoint configured for this path", 0); + return 0; + } + for (const auto& entry : dsc->df->d_responsesMap) { if (entry->matches(path)) { const auto& customHeaders = entry->getHeaders(); @@ -1195,6 +1202,7 @@ try for(const auto& url : df->d_urls) { register_handler(hostconf, url.c_str(), doh_handler); + dsc->paths.insert(url); } h2o_context_init(&dsc->h2o_ctx, h2o_evloop_create(), &dsc->h2o_config); diff --git a/regression-tests.dnsdist/test_DOH.py b/regression-tests.dnsdist/test_DOH.py index bb27fde286..80cc0a294c 100644 --- a/regression-tests.dnsdist/test_DOH.py +++ b/regression-tests.dnsdist/test_DOH.py 
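Review bot: The new 404 gate in the second hunk compares h2o's `path_normalized` against the configured URL strings verbatim (`dsc->paths.count(pathOnly) == 0`, with the set filled by `dsc->paths.insert(url)` in the third hunk), so a configured URL that h2o rewrites while normalising — a doubled slash, a `.`/`..` segment or, presumably, percent-encoded bytes — can never match and every request to that endpoint would now be refused. Either canonicalise each `url` the same way before inserting it (h2o's `h2o_url_normalize_path` looks like the right tool, so the two sides agree by construction) or reject such URLs at configuration time with a clear error, and say in the `paths` member's comment that it holds h2o-normalised paths. The regression test at the bottom of the page had to add `/coffee` to the URL list to keep the `^/coffee$` response-map entry reachable, so response-map entries for paths outside the DoH URL list silently stop working for existing setups; that behaviour change deserves a line in the docs/changelog. As rendered here the new member reads `std::unordered_set paths;` with no element type, presumably `<std::string>` lost in extraction, worth a glance at the real file. Both the request handler and `DOHServerConfig` continue outside these hunks.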
@@ -166,7 +166,7 @@ class TestDOH(DNSDistDOHTest): _config_template = """ newServer{address="127.0.0.1:%s"} - addDOHLocal("127.0.0.1:%s", "%s", "%s", { "/" }, {customResponseHeaders={["access-control-allow-origin"]="*",["user-agent"]="derp",["UPPERCASE"]="VaLuE"}}) + addDOHLocal("127.0.0.1:%s", "%s", "%s", { "/", "/coffee", "/PowerDNS", "/PowerDNS2", "/PowerDNS-999" }, {customResponseHeaders={["access-control-allow-origin"]="*",["user-agent"]="derp",["UPPERCASE"]="VaLuE"}}) dohFE = getDOHFrontend(0) dohFE:setResponsesMap({newDOHResponseMapEntry('^/coffee$', 418, 'C0FFEE', {['FoO']='bar'})}) @@ -505,6 +505,12 @@ class TestDOH(DNSDistDOHTest): self.checkQueryEDNSWithoutECS(expectedQuery, receivedQuery) self.assertEquals(response, receivedResponse) + # this path is not in the URLs map and should lead to a 404 + (_, receivedResponse) = self.sendDOHQuery(self._dohServerPort, self._serverName, self._dohBaseURL + "PowerDNS/something", query, caFile=self._caCert, useQueue=False, rawResponse=True) + self.assertTrue(receivedResponse) + self.assertEquals(receivedResponse, b'there is no endpoint configured for this path') + self.assertEquals(self._rcode, 404) + def testHTTPPathRegex(self): """ DOH: HTTPPathRegex
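Review bot: The new 404 case only exercises a literal sub-path, `PowerDNS/something`; since the check in doh.cc is keyed on h2o's normalised path, the test should also cover a request that is accepted only after normalisation and one that is rejected only after it, e.g. `self._dohBaseURL + "PowerDNS2/../PowerDNS"` expecting a normal answer and `self._dohBaseURL + "PowerDNS2/../nope"` expecting `self._rcode == 404`, plus a configured path with a query string (`"PowerDNS?x=1"`) to confirm the query is not part of the comparison. If the HTTP client behind `sendDOHQuery` squashes dot-segments itself before sending (libcurl does unless path-as-is is enabled), those requests have to go out raw, otherwise they exercise the client rather than dnsdist. The assertion on the raw body (`b'there is no endpoint configured for this path'`) ties the test to the exact error text; checking `self._rcode` alone would survive a wording change in the C++ side. The test method that receives these lines starts above the hunk.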