suguo
/
gin-swagger
mirror of https://github.com/swaggo/gin-swagger.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

chore: security improvement (#203)

This commit is contained in:
Bogdan U 2022-04-16 10:34:09 +03:00 committed by GitHub
parent 2ae0634528
commit f844160fb7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 43 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/ci.yml vendored
View File

@ -10,7 +10,7 @@ jobs:
test: test:
strategy: strategy:
matrix: matrix:
go: [ '1.15.x', '1.16.x', '1.17.x' ] go: [ '1.15.x', '1.16.x', '1.17.x', '1.18.x' ]
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@master - uses: actions/checkout@master

5
swagger.go
View File

@ -134,6 +134,11 @@ func CustomWrapHandler(config *Config, handler *webdav.Handler) gin.HandlerFunc
var rexp = regexp.MustCompile(`(.*)(index\.html|doc\.json|favicon-16x16\.png|favicon-32x32\.png|/oauth2-redirect\.html|swagger-ui\.css|swagger-ui\.css\.map|swagger-ui\.js|swagger-ui\.js\.map|swagger-ui-bundle\.js|swagger-ui-bundle\.js\.map|swagger-ui-standalone-preset\.js|swagger-ui-standalone-preset\.js\.map)[\?|.]*`) var rexp = regexp.MustCompile(`(.*)(index\.html|doc\.json|favicon-16x16\.png|favicon-32x32\.png|/oauth2-redirect\.html|swagger-ui\.css|swagger-ui\.css\.map|swagger-ui\.js|swagger-ui\.js\.map|swagger-ui-bundle\.js|swagger-ui-bundle\.js\.map|swagger-ui-standalone-preset\.js|swagger-ui-standalone-preset\.js\.map)[\?|.]*`)
return func(c *gin.Context) { return func(c *gin.Context) {
if c.Request.Method != http.MethodGet {
c.AbortWithStatus(http.StatusMethodNotAllowed)
return
}
matches := rexp.FindStringSubmatch(c.Request.RequestURI) matches := rexp.FindStringSubmatch(c.Request.RequestURI)
if len(matches) != 3 { if len(matches) != 3 {

87
swagger_test.go
View File

@ -1,6 +1,7 @@
package ginSwagger package ginSwagger
import ( import (
"net/http"
"net/http/httptest" "net/http/httptest"
"os" "os"
"testing" "testing"
@ -26,43 +27,44 @@ func TestWrapHandler(t *testing.T) {
router.GET("/*any", WrapHandler(swaggerFiles.Handler, URL("https://github.com/swaggo/gin-swagger"))) router.GET("/*any", WrapHandler(swaggerFiles.Handler, URL("https://github.com/swaggo/gin-swagger")))
w1 := performRequest("GET", "/index.html", router) assert.Equal(t, http.StatusOK, performRequest("GET", "/index.html", router).Code)
assert.Equal(t, 200, w1.Code)
} }
func TestWrapCustomHandler(t *testing.T) { func TestWrapCustomHandler(t *testing.T) {
gin.SetMode(gin.TestMode) gin.SetMode(gin.TestMode)
router := gin.New() router := gin.New()
router.GET("/*any", CustomWrapHandler(&Config{}, swaggerFiles.Handler)) router.Any("/*any", CustomWrapHandler(&Config{}, swaggerFiles.Handler))
w1 := performRequest("GET", "/index.html", router) w1 := performRequest(http.MethodGet, "/index.html", router)
assert.Equal(t, 200, w1.Code) assert.Equal(t, http.StatusOK, w1.Code)
assert.Equal(t, w1.Header()["Content-Type"][0], "text/html; charset=utf-8") assert.Equal(t, w1.Header()["Content-Type"][0], "text/html; charset=utf-8")
w2 := performRequest("GET", "/doc.json", router) assert.Equal(t, http.StatusInternalServerError, performRequest(http.MethodGet, "/doc.json", router).Code)
assert.Equal(t, 500, w2.Code)
swag.Register(swag.Name, &mockedSwag{}) swag.Register(swag.Name, &mockedSwag{})
w2 = performRequest("GET", "/doc.json", router) w2 := performRequest(http.MethodGet, "/doc.json", router)
assert.Equal(t, 200, w2.Code) assert.Equal(t, http.StatusOK, w2.Code)
assert.Equal(t, w2.Header()["Content-Type"][0], "application/json; charset=utf-8")
w3 := performRequest("GET", "/favicon-16x16.png", router) w3 := performRequest(http.MethodGet, "/favicon-16x16.png", router)
assert.Equal(t, 200, w3.Code) assert.Equal(t, http.StatusOK, w3.Code)
assert.Equal(t, w3.Header()["Content-Type"][0], "image/png") assert.Equal(t, w3.Header()["Content-Type"][0], "image/png")
w4 := performRequest("GET", "/swagger-ui.css", router) w4 := performRequest(http.MethodGet, "/swagger-ui.css", router)
assert.Equal(t, 200, w4.Code) assert.Equal(t, http.StatusOK, w4.Code)
assert.Equal(t, w4.Header()["Content-Type"][0], "text/css; charset=utf-8") assert.Equal(t, w4.Header()["Content-Type"][0], "text/css; charset=utf-8")
w5 := performRequest("GET", "/swagger-ui-bundle.js", router) w5 := performRequest(http.MethodGet, "/swagger-ui-bundle.js", router)
assert.Equal(t, 200, w5.Code) assert.Equal(t, http.StatusOK, w5.Code)
assert.Equal(t, w5.Header()["Content-Type"][0], "application/javascript") assert.Equal(t, w5.Header()["Content-Type"][0], "application/javascript")
w6 := performRequest("GET", "/notfound", router) assert.Equal(t, http.StatusNotFound, performRequest(http.MethodGet, "/notfound", router).Code)
assert.Equal(t, 404, w6.Code)
assert.Equal(t, http.StatusMethodNotAllowed, performRequest(http.MethodPost, "/index.html", router).Code)
assert.Equal(t, http.StatusMethodNotAllowed, performRequest(http.MethodPut, "/index.html", router).Code)
} }
func TestDisablingWrapHandler(t *testing.T) { func TestDisablingWrapHandler(t *testing.T) {
@ -73,33 +75,20 @@ func TestDisablingWrapHandler(t *testing.T) {
router.GET("/simple/*any", DisablingWrapHandler(swaggerFiles.Handler, disablingKey)) router.GET("/simple/*any", DisablingWrapHandler(swaggerFiles.Handler, disablingKey))
w1 := performRequest("GET", "/simple/index.html", router) assert.Equal(t, http.StatusOK, performRequest(http.MethodGet, "/simple/index.html", router).Code)
assert.Equal(t, 200, w1.Code) assert.Equal(t, http.StatusOK, performRequest(http.MethodGet, "/simple/doc.json", router).Code)
w2 := performRequest("GET", "/simple/doc.json", router) assert.Equal(t, http.StatusOK, performRequest(http.MethodGet, "/simple/favicon-16x16.png", router).Code)
assert.Equal(t, 200, w2.Code) assert.Equal(t, http.StatusNotFound, performRequest(http.MethodGet, "/simple/notfound", router).Code)
w3 := performRequest("GET", "/simple/favicon-16x16.png", router)
assert.Equal(t, 200, w3.Code)
w4 := performRequest("GET", "/simple/notfound", router)
assert.Equal(t, 404, w4.Code)
_ = os.Setenv(disablingKey, "true") _ = os.Setenv(disablingKey, "true")
router.GET("/disabling/*any", DisablingWrapHandler(swaggerFiles.Handler, disablingKey)) router.GET("/disabling/*any", DisablingWrapHandler(swaggerFiles.Handler, disablingKey))
w11 := performRequest("GET", "/disabling/index.html", router) assert.Equal(t, 404, performRequest(http.MethodGet, "/disabling/index.html", router).Code)
assert.Equal(t, 404, w11.Code) assert.Equal(t, 404, performRequest(http.MethodGet, "/disabling/doc.json", router).Code)
assert.Equal(t, 404, performRequest(http.MethodGet, "/disabling/oauth2-redirect.html", router).Code)
w22 := performRequest("GET", "/disabling/doc.json", router) assert.Equal(t, 404, performRequest(http.MethodGet, "/disabling/notfound", router).Code)
assert.Equal(t, 404, w22.Code)
w44 := performRequest("GET", "/disabling/oauth2-redirect.html", router)
assert.Equal(t, 404, w44.Code)
w55 := performRequest("GET", "/disabling/notfound", router)
assert.Equal(t, 404, w55.Code)
} }
func TestDisablingCustomWrapHandler(t *testing.T) { func TestDisablingCustomWrapHandler(t *testing.T) {
@ -110,15 +99,13 @@ func TestDisablingCustomWrapHandler(t *testing.T) {
router.GET("/simple/*any", DisablingCustomWrapHandler(&Config{}, swaggerFiles.Handler, disablingKey)) router.GET("/simple/*any", DisablingCustomWrapHandler(&Config{}, swaggerFiles.Handler, disablingKey))
w1 := performRequest("GET", "/simple/index.html", router) assert.Equal(t, http.StatusOK, performRequest(http.MethodGet, "/simple/index.html", router).Code)
assert.Equal(t, 200, w1.Code)
_ = os.Setenv(disablingKey, "true") _ = os.Setenv(disablingKey, "true")
router.GET("/disabling/*any", DisablingCustomWrapHandler(&Config{}, swaggerFiles.Handler, disablingKey)) router.GET("/disabling/*any", DisablingCustomWrapHandler(&Config{}, swaggerFiles.Handler, disablingKey))
w11 := performRequest("GET", "/disabling/index.html", router) assert.Equal(t, http.StatusNotFound, performRequest(http.MethodGet, "/disabling/index.html", router).Code)
assert.Equal(t, 404, w11.Code)
} }
func TestWithGzipMiddleware(t *testing.T) { func TestWithGzipMiddleware(t *testing.T) {
@ -129,20 +116,20 @@ func TestWithGzipMiddleware(t *testing.T) {
router.GET("/*any", WrapHandler(swaggerFiles.Handler)) router.GET("/*any", WrapHandler(swaggerFiles.Handler))
w1 := performRequest("GET", "/index.html", router) w1 := performRequest(http.MethodGet, "/index.html", router)
assert.Equal(t, 200, w1.Code) assert.Equal(t, http.StatusOK, w1.Code)
assert.Equal(t, w1.Header()["Content-Type"][0], "text/html; charset=utf-8") assert.Equal(t, w1.Header()["Content-Type"][0], "text/html; charset=utf-8")
w2 := performRequest("GET", "/swagger-ui.css", router) w2 := performRequest(http.MethodGet, "/swagger-ui.css", router)
assert.Equal(t, 200, w2.Code) assert.Equal(t, http.StatusOK, w2.Code)
assert.Equal(t, w2.Header()["Content-Type"][0], "text/css; charset=utf-8") assert.Equal(t, w2.Header()["Content-Type"][0], "text/css; charset=utf-8")
w3 := performRequest("GET", "/swagger-ui-bundle.js", router) w3 := performRequest(http.MethodGet, "/swagger-ui-bundle.js", router)
assert.Equal(t, 200, w3.Code) assert.Equal(t, http.StatusOK, w3.Code)
assert.Equal(t, w3.Header()["Content-Type"][0], "application/javascript") assert.Equal(t, w3.Header()["Content-Type"][0], "application/javascript")
w4 := performRequest("GET", "/doc.json", router) w4 := performRequest(http.MethodGet, "/doc.json", router)
assert.Equal(t, 200, w4.Code) assert.Equal(t, http.StatusOK, w4.Code)
assert.Equal(t, w4.Header()["Content-Type"][0], "application/json; charset=utf-8") assert.Equal(t, w4.Header()["Content-Type"][0], "application/json; charset=utf-8")
} }