1
0
mirror of https://github.com/labstack/echo.git synced 2025-01-10 00:28:23 +02:00
Commit Graph

447 Commits

Author SHA1 Message Date
Shubhendra Singh Chauhan
6a666acd5c
improve code quality (#1792)
* Merge variable declaration with assignment
* Fix unnecessary typecasting on `bytes.Buffer`
* Remove unnecessary wrapping of function call
2021-02-26 12:04:34 +02:00
Martti T
f09f2bd14e
Fix open redirect vulnerability with AddTrailingSlashWithConfig and RemoveTrailingSlashWithConfig (#1775,#1771)
* fix open redirect vulnerability with AddTrailingSlashWithConfig and RemoveTrailingSlashWithConfig (fix #1771)
* rename trimMultipleSlashes to sanitizeURI
2021-02-11 14:53:22 +01:00
Roland Lammel
932976ded6
Support real regex rules for rewrite and proxy middleware (#1767)
Support real regex rules for rewrite and proxy middleware (use non-greedy matching by default)

Co-authored-by: pwli <lipw0755@gmail.com>
2021-02-08 16:58:55 +02:00
Benjamin Chibuzor-Orie
7c8592a7e0
adds middleware for rate limiting (#1724)
* adds middleware for rate limiting

* added comment for InMemoryStore ShouldAllow

* removed redundant mutex declaration

* fixed lint issues

* removed sleep from tests

* improved coverage

* refactor: renames Identifiers, includes default SourceFunc

* Added last seen stats for visitor

* uses http Constants for improved readdability
adds default error handler

* used other handler apart from default handler to mark custom error handler for rate limiting

* split tests into separate blocks
added an error pair to IdentifierExtractor
Includes deny handler for explicitly denying requests

* adds comments for exported members Extractor and ErrorHandler

* makes cleanup implementation inhouse

* Avoid race for cleanup due to non-atomic access to store.expiresIn

* Use a dedicated producer for rate testing

* tidy commit

* refactors tests, implicitly tests lastSeen property on visitor
switches NewRateLimiterMemoryStore constructor to Referential Functions style (Advised by @pafuent)

* switches to mock of time module for time based tests
tests are now fully deterministic

* improved coverage

* replaces Rob Pike referential options with more conventional struct configs
makes cleanup asynchronous

* blocks racy access to lastCleanup

* Add benchmark tests for rate limiter

* Add rate limiter with sharded memory store

* Racy access to store.lastCleanup eliminated
Merges in shiny sharded map implementation by @lammel

* Remove RateLimiterShradedMemoryStore for now

* Make fields for RateLimiterStoreConfig public for external configuration

* Improve docs for RateLimiter usage

* Fix ErrorHandler vs. DenyHandler usage for rate limiter

* Simplify NewRateLimiterMemoryStore

* improved coverage

* updated errorHandler and denyHandler to use echo.HTTPError

* Improve wording for error and comments

* Remove duplicate lastSeen marking for Allow

* Improve wording for comments

* Add disclaimer on perf characteristics of memory store

* changes Allow signature on rate limiter to return err too

Co-authored-by: Roland Lammel <rl@neotel.at>
2021-01-15 17:53:15 -03:00
Ilija Matoski
67263b5e45
Timeout middleware implementation for go1.13+ (#1743)
Co-authored-by: Ilija Matoski <imatoski@schubergphilis.com>
2021-01-05 11:14:51 +01:00
Roland Lammel
c7c792d3bd Fix CSRF tests for Go 1.12 2021-01-03 01:45:58 +01:00
Roland Lammel
36f524ede8 Merge branch 'master' of github.com:labstack/echo 2021-01-03 01:20:24 +01:00
Roland Lammel
4310e90d58 Support Go 1.12 for http.SameSiteNoneMode 2021-01-03 01:09:18 +01:00
Roland Lammel
716eb18329
Handle static routes with trailing slash (#1747)
- Fix Static file route not working without trailing slash
- Add tests for static middleware with/without trailing slash
- Add tests for static middleware under group

Co-authored-by: pwli <lipw0755@gmail.com>
2021-01-03 00:25:29 +01:00
toimtoimtoim
21f7787202 refactor static middleware tests not to use previous case state 2020-12-29 23:54:29 +02:00
Vadim Sabirov
08073575f8 Merge branch 'master' of https://github.com/labstack/echo 2020-12-18 14:39:23 +03:00
Roland Lammel
4422e3b66b
Merge pull request #1718 from little-cui/master
Fix static directory traversal security vulnerability for Windows
2020-12-15 16:31:52 +01:00
little-cui
1beaf09740 Bug Fix: Directory Traversal 2020-12-15 21:54:11 +08:00
iambenkay
1c720597bb adds test for request id
- remain unchanged if provided
2020-12-14 19:06:25 +01:00
Vadim Sabirov
53b38de143 Merge branch 'master' of https://github.com/labstack/echo 2020-12-11 12:34:52 +03:00
Roland Lammel
194129d070
Merge pull request #1699 from pafuent/improve_decompress_middleware
Adding sync.Pool to Decompress middleware
2020-12-11 10:09:41 +01:00
Roland Lammel
6a266b8539
Merge pull request #1704 from rkfg/jwt-form
Support form fields in jwt middleware
2020-12-06 15:42:52 +01:00
Vadim Sabirov
dc147d9b97 Fix #1523 by adding secure cookie if SameSite mode is None 2020-12-03 10:21:31 +03:00
Vadim Sabirov
cb15226984 Merge branch 'master' of https://github.com/labstack/echo 2020-12-03 09:43:47 +03:00
Nenad Lukic
571661692f Uses filepath.Join instead of hardcoded separator for static middleware test 2020-12-01 09:03:00 +01:00
rkfg
2152e4e872 Support form fields in jwt middleware 2020-12-01 09:51:20 +03:00
Nenad Lukic
3206527cfe Adds IgnoreBase parameter to static middleware
Adds IgnoreBase parameter to static middleware to support the use case of nested route groups
2020-11-30 19:06:00 +01:00
Pablo Andres Fuente
2386e17b21 Increasing Decompress Middleware coverage 2020-11-28 02:03:54 +00:00
Pablo Andres Fuente
14e020bc07 Adding sync.Pool to Decompress middleware
Fixing a http.Request.Body leak on the decompress middleware that were
not properly Close
Removing the defer on the call to gzip.Reader, because that reader is
already exausted after the call to io.Copy
2020-11-27 03:01:04 +00:00
Pierre Rousset
e6f24aa8b1 Addressed PR feedback 2020-11-24 16:25:49 +09:00
Pierre Rousset
26ab188922 CORS: add an optional custom function to validate the origin 2020-11-24 16:24:17 +09:00
Roland Lammel
90bef88e1a
Merge pull request #1669 from ulasakdeniz/fix-incorrect-cors-headers
Fix empty/incorrect CORS headers
2020-11-20 11:54:01 +01:00
Arun Gopalpuri
b47042f385 adding decompress gzipped request middleware 2020-11-20 00:51:24 -08:00
Pablo Andres Fuente
ac54e132e4 Adding sync.Pool to Compress Middleware
Adding a sync.Pool for the *gzip.Writer reduces the allocations of the
Compress middleware in 50% and gives an increase on execution speed of
a 85%
This fix #1643
2020-11-07 03:52:35 +00:00
Ulas Akdeniz
871ed9c68d Fix incorrect CORS headers
- Fix empty Access-Control-Allow-Origin
- Set CORS headers only if request Origin is existing and allowed
- Increase middleware test coverage
2020-11-06 03:10:16 +01:00
Arun Gopalpuri
f6dfcbe774 bugfix proxy and rewrite, updated test with actual call settings 2020-09-16 19:29:22 -07:00
yonbiaoxiao
5c5c83d290 change the hardcode for http constant 2020-09-14 10:23:54 +08:00
Roland Lammel
28ec3f7bdb
Merge pull request #1627 from juanbelieni/master
Create ErrJWTInvalid to allow modify error when JWT is invalid
2020-09-01 16:10:16 +02:00
Roland Lammel
2d79ff3d6c
Merge pull request #1628 from arun0009/master
set raw path and path in proxy, so url.EscapePath uses raw path
2020-09-01 16:03:30 +02:00
Roland Lammel
cf2fcad01b
Merge pull request #1588 from choyri/bugfix/rewrite
Fixes the uses of caret(^) in rewrite regex
2020-09-01 13:22:01 +02:00
Roland Lammel
bcb316500e
Merge pull request #1623 from KlotzAndrew/cors_regex
cors allow regex pattern
2020-09-01 13:20:23 +02:00
Arun Gopalpuri
1a6ec73e57 using url.EscapedPath instead of custom GetPath, rewritePath func added to middleware - used by proxy and rewrite 2020-08-31 13:09:24 -07:00
Peter C
6463bcb190
added ModifyResponse option to ProxyConfig (#1622)
Co-authored-by: Peter C <petoc@users.noreply.github.com>
2020-08-27 17:51:27 -07:00
Juan Belieni
09f36b585d Create ErrJWTInvalid variable 2020-08-27 19:35:45 -03:00
Andrew Klotz
9a28fb8608
cors allow regex pattern
enable cors to use regex pattern for allowed origins

implementation is similar to another popular cors
middleware: https://github.com/astaxie/beego/blob/master/plugins/cors/cors.go#L196-L201
2020-08-19 03:17:12 +00:00
Shinnosuke Sawada
8dd25c39ce
make gzipResponseWriter implement http.Pusher (#1615) 2020-08-03 17:58:08 -07:00
chotow
3dbd5dcf6e
Fixes the uses of caret(^) at the beginning of the rewrite regex 2020-07-24 23:37:01 +08:00
chotow
68e8bce645
Revert "Fixes the uses of caret(^) in rewrite regex"
This reverts commit 1f51469436e3612e8e121413df905dc9f4ffed0b.
2020-07-24 23:37:01 +08:00
chotow
84da507a2e
Fixes the uses of caret(^) in rewrite regex 2020-07-24 23:37:01 +08:00
Masahiro Furudate
e125b2cf84
Fix recover print stack trace log level (#1604)
* Fix recover print stack trace log level

* Add recover log level test

* Add default LogLevel to DefaultRecoverConfig
2020-07-06 07:59:42 -07:00
Arun Gopalpuri
2207c37bf8
use echo.GetPath for rewrite in proxy (#1548)
Co-authored-by: Arun Gopalpuri <arun@gopalpuri.com>
2020-04-08 08:19:22 -07:00
178inaba
269dfcc9dd
Set maxParam with SetParamNames (#1535)
* Set maxParam with SetParamNames

Fixes #1492

* Revert go.mod
2020-03-30 12:28:07 -07:00
Leaf
542835808e
Quote regex meta characters in Rewrite (#1541)
Currently there is a half and half situation where the user can't use regex (fully) because * will be replaced with (.*), yet they also can't just enter any old string, because meta chars like . would need escaping.

e.g. currently *.html wouldn't work as intended, and instead *\.html should be used.

Work around this by using regexp's QuoteMeta function to sanitise the input before handling it.
2020-03-28 17:12:39 -07:00
Vadim Sabirov
8b2c77b107 Fix #1523 by adding SameSite mode for CSRF settings 2020-03-04 18:14:23 +03:00
Shinichi TAMURA
7c5af01350
Safer/trustable extraction of real ip from request (#1478)
* Safer/trustable extraction of real ip from request

* Fix x-real-ip handling on proxy

* fix docs

* fix default check
2020-02-24 08:29:34 -08:00
Dmitry Kutakov
712b5e46c5 format code (gofmt + trim trailing space) (#1452) 2020-01-25 09:48:53 -08:00
J. David Lowe
8d7f05e533 round-trip paramValues without exploding (#1463) 2020-01-23 18:32:17 -08:00
Shin Ohno
8b7220f97c Fixed comment typo in BodyDump (#1431) 2019-10-30 17:34:27 -07:00
Vishal Rana
d286e285dc Bumped v4.1.11
Signed-off-by: Vishal Rana <vr@labstack.com>
2019-10-06 17:01:28 -07:00
Vishal Rana
05262e484a Capture proxy middleware error
Signed-off-by: Vishal Rana <vr@labstack.com>
2019-10-06 16:56:21 -07:00
Hylke Visser
87da9a948b Add ReferrerPolicy to Secure middleware (#1363) 2019-08-01 15:27:09 -07:00
nattawitc
8cfaf50b8f fix #1260 change middleware.Logger's default output (#1336)
* fix TestLoggerIPAddress reverse assertion

* change middleware.Logger default output

* remove nil field declaration
2019-07-17 21:34:31 -07:00
Tom Scholz
31361576e8 feat: Add a new ErrorHandlerWithContext (#1328)
* feat: Add a new ErrorHandlerWithContext

This commit adds a new error handler, which is passed the 
current context, so that you can add custom redirects or even
other kinds of responses. For example:

```go
	e.Use(middleware.JWTWithConfig(middleware.JWTConfig{
		SigningKey: []byte("secret"),
		TokenLookup: "query:token",
		ErrorHandlerWithContext: func(err error, c echo.Context) error {
			// do stuff with context and err
			switch err.(type) {
			case jwt.ValidationError:
				return c.Redirect(http.StatusSeeOther, "/login")
			}
			return err
		},
	}))
```

* chore: address golint issues
2019-06-13 13:21:03 -07:00
ozburo
6b9408d1d1 Added param:<name> lookup option to JWT Middleware (#1296)
* Added  lookup option to JWT Middleware

* Added param:<name> lookup option to JWT Middleware
2019-06-09 09:49:52 -07:00
Vishal Rana
842fc8772f Fixed #1323
Signed-off-by: Vishal Rana <vr@labstack.com>
2019-06-09 09:37:21 -07:00
Das Jott
e2671fe963 Provide possibility to use key ids (#1289)
* provide possibility to use key ids
* kid tests
2019-05-17 07:45:49 -07:00
Vishal Rana
4de244c072 Fixed invalid json value for error in logger middleware
Signed-off-by: Vishal Rana <vr@labstack.com>
2019-04-29 13:21:11 -07:00
Vishal Rana
e53d9c516f Updated deps and fixed a typo
Signed-off-by: Vishal Rana <vr@labstack.com>
2019-04-27 22:32:29 -07:00
Hylke Visser
69bd47b35f Fix flushing in Gzip middleware (#1317)
* Make Gzip response Writer also call Flush of underlying Writer
* Add unit test for chunked responses with Gzip
2019-04-16 15:52:06 -05:00
atsushi-ishibashi
1f6cc362cc Set subdomains to AllowOrigins with wildcard (#1301)
* Set subdomains to AllowOrigins with wildcard

* Create IsSubDomain

* Avoid panic when pattern length smaller than domain length

* Change names, improve formula
2019-03-09 10:32:49 -08:00
Helen Hood
5434a5392f Enable adding preload tag to HSTS header (#1247) 2019-03-06 10:22:19 -08:00
Hemachandar
775b2eefec Refactor DefaultProxyConfig Skipper & WebSocket Check in Context (#1297)
* refactor: default to DefaultProxyConfig.Skipper if not provided

* refactor: use strings library for websocket check
2019-03-02 10:43:23 -08:00
Kumar Harsh
802fb5bba6 feat(secure): support Content-Security-Policy-Report-Only header (#1287)
Closes #1283
2019-02-26 22:32:07 -08:00
Ronald Bell
5aec1b234f www redirects are too broad (#1274) 2019-02-15 09:56:58 -08:00
Evgeniy Kulikov
88965757af Simplify code of Add/Remove trailing slash and fix bug (#1275)
* Simplify code of Add/Remove trailing slash

- simplify code (more informative / understanding)
- assert collides with imported package name (in tests)
- fix unhandled errors

* add tests for https://github.com/labstack/echo/pull/1275#issuecomment-460467700
2019-02-07 09:49:51 -08:00
Alex Ungur
6d9e043284 Introduced Go module support as v4, removed obsolete CloseNotifier() mechanism
This reintroduces support for Go modules, as v4.

CloseNotifier() is removed as it has been obsoleted, see https://golang.org/doc/go1.11#net/http

It was already NOT working (not sending signals) as of 1.11 the functionality was gone, we merely
deleted the functions that exposed it. If anyone still relies on it they should migrate to using
`c.Request().Context().Done()` instead.

Closes #1268, #1255
2019-01-30 16:11:42 +02:00
Aimee LaPlant
2195bd3670 Updated comment. (#1245) 2019-01-09 15:15:33 -08:00
skrassiev
3f8b45c8d0 balance double-quotes in json (#1232) 2018-12-05 08:13:48 -08:00
Vishal Rana
c54d9e8eed Added user-agent to logger middleware
Signed-off-by: Vishal Rana <vr@labstack.com>
2018-11-22 22:34:14 -08:00
Emir Ribić
c8fd197fa8 Replace http constants with stdlib ones, i.e.: http.MethodGet instead of echo.GET (#1205) 2018-10-14 20:46:58 +05:30
Emir Ribić
059c099762 simplify tests (#1206) 2018-10-14 12:48:44 +05:30
Vishal Rana
ac1f40118a Proxy rename descr to desc
Signed-off-by: Vishal Rana <vr@labstack.com>
2018-10-13 11:43:05 +05:30
Gregor Noczinski
bc37a3a792 Proxy: Better errors + remote custom TLS (#1197)
Proxy will be more verbose on errors + possibility to configure custom transport (example: for custom TLS certificates)
2018-10-13 11:40:19 +05:30
Artyom Turkin
fcdf096c2c extend proxy middleware. closes #1202 (#1203)
* extend proxy middleware. closes #1202
2018-10-09 09:13:39 +05:30
Vishal Rana
90822319eb Fixed test
Signed-off-by: Vishal Rana <vr@labstack.com>
2018-08-28 20:49:22 -07:00
Marcin Węglarz
74f9806b34 Fix issue #1143 (#1176) 2018-08-15 07:35:27 -07:00
Vishal Rana
db8f5706fd Closed #1121
Signed-off-by: Vishal Rana <vr@labstack.com>
2018-07-17 23:21:54 -07:00
Kesus Kim
09dcba1d39 rename proto to protocol 2018-07-10 23:06:17 -07:00
Kesus Kim
2a5460328f add test case for logger middleware 2018-07-10 23:06:17 -07:00
Kesus Kim
146100093e add proto field for middleware 2018-07-10 23:06:17 -07:00
Vishal Rana
d8a6dad02d [JWT] use local error handler for missing token
Signed-off-by: Vishal Rana <vr@labstack.com>
2018-07-09 11:36:25 -07:00
Vishal Rana
ec7b497940 Fixed cors test
Signed-off-by: Vishal Rana <vr@labstack.com>
2018-07-03 09:51:15 -07:00
Jean-Sébastien Ney
8203e48696 add a few tests 2018-07-03 09:45:12 -07:00
Jean-Sébastien Ney
d63824fa41 handle using withcredentials and allow origin * together 2018-07-03 09:45:12 -07:00
Vishal Rana
9b4cc60ce2 Added error to logger middleware
Signed-off-by: Vishal Rana <vr@labstack.com>
2018-06-28 21:22:50 -07:00
Vishal Rana
61084e242e JWT BeforeFunc, SuccessHandler & ErrorHandler
Signed-off-by: Vishal Rana <vr@labstack.com>
2018-06-28 20:42:18 -07:00
Jeffrey Reuling (TI)
56091a4186 allow whitespace in regex 2018-06-26 09:57:59 -07:00
Vishal Rana
38f27e229c Enhanced static browse
Signed-off-by: Vishal Rana <vr@labstack.com>
2018-04-11 21:41:18 -07:00
Vishal Rana
5b769f91b2 HTTPError#Inner to HTTPError#Internal
Signed-off-by: Vishal Rana <vr@labstack.com>
2018-04-10 12:06:31 -07:00
Alexandre Stein
37f1a470ef Replace the redirection with a direct call to url package 2018-04-03 08:40:03 -07:00
Vishal Rana
a5d81b8d4a Updated deps, removed json-iterator, fixed #1087, fixed #1086
Signed-off-by: Vishal Rana <vr@labstack.com>
2018-03-16 10:00:59 -07:00
Florian Holzapfel
9aafcaf934 fix: BodyLimit middleware: limitedReader Reset does not reset read counter 2018-03-16 09:48:23 -07:00
Jeffrey Reuling (TI)
ee32e3e7fb fix issue #1086 2018-03-16 09:47:05 -07:00
ferhat elmas
3641cbcdad Fix formatting (#1071) 2018-02-25 13:42:58 -08:00
Evgeniy Kulikov
6da0483447 [FIX] We must close gzip.Reader, only if no error (#1069)
* [FIX] We must close gzip.Reader, only if no error
* review comments fix
2018-02-23 11:32:27 -08:00