From f306dbd9668fda70349dd77cb53cea72061dc1ec Mon Sep 17 00:00:00 2001
From: Bogdan Ungureanu
Date: Sat, 16 Apr 2022 08:54:58 +0300
Subject: [PATCH 1/2] fix: security improvement

---
 swagger.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/swagger.go b/swagger.go
index 8c0ea81..5f70435 100644
--- a/swagger.go
+++ b/swagger.go
@@ -122,6 +122,10 @@ func Handler(configFns ...func(*Config)) http.HandlerFunc {
 	var re = regexp.MustCompile(`^(.*/)([^?].*)?[?|.]*$`)
 	return func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodGet {
+			http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+			return
+		}
 		matches := re.FindStringSubmatch(r.RequestURI)
 		path := matches[2]

From afd4e6808e241d5eadfbb59fee74c2fc5693c42e Mon Sep 17 00:00:00 2001
From: Bogdan Ungureanu
Date: Sat, 16 Apr 2022 09:18:10 +0300
Subject: [PATCH 2/2] chore: improve code coverage

---
 .github/workflows/ci.yml |  2 +-
 swagger.go               |  2 +-
 swagger_test.go          | 33 +++++++++++++++++----------------
 3 files changed, 19 insertions(+), 18 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 17ebad4..808f9a6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,7 +10,7 @@ jobs:
   test:
     strategy:
       matrix:
-        go: [ '1.15.x', '1.16.x', '1.17.x' ]
+        go: [ '1.15.x', '1.16.x', '1.17.x', '1.18.x' ]
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@master
diff --git a/swagger.go b/swagger.go
index 5f70435..1dddf43 100644
--- a/swagger.go
+++ b/swagger.go
@@ -159,7 +159,7 @@ func Handler(configFns ...func(*Config)) http.HandlerFunc {
 			}
 			_, _ = w.Write([]byte(doc))
 		case "":
-			http.Redirect(w, r, h.Prefix+"index.html", 301)
+			http.Redirect(w, r, h.Prefix+"index.html", http.StatusMovedPermanently)
 		default:
 			h.ServeHTTP(w, r)
 		}
diff --git a/swagger_test.go b/swagger_test.go
index 6978c12..2045b8a 100644
--- a/swagger_test.go
+++ b/swagger_test.go
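Review bot: The new guard answers 405 without an `Allow` header, which RFC 7231 requires on a 405 response, and it also rejects HEAD, which the handler reached through the switch's `default` case later in this function (visible in the second patch's hunk, and presumably a static file server) would otherwise have answered. If HEAD support is wanted, change the condition to `if r.Method != http.MethodGet && r.Method != http.MethodHead {` and add `w.Header().Set("Allow", "GET, HEAD")` before the `http.Error` call; if GET alone is intended, `w.Header().Set("Allow", http.MethodGet)` is the one line to add. The returned closure and Handler both continue past the end of the hunk.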
@@ -43,35 +43,36 @@ func TestWrapHandler(t *testing.T) {
 	router.Handle("/", Handler(DocExpansion("none"), DomID("#swagger-ui")))
-	w1 := performRequest("GET", "/index.html", router)
-	assert.Equal(t, 200, w1.Code)
+	w1 := performRequest(http.MethodGet, "/index.html", router)
+	assert.Equal(t, http.StatusOK, w1.Code)
 	assert.Equal(t, w1.Header()["Content-Type"][0], "text/html; charset=utf-8")
-	w2 := performRequest("GET", "/doc.json", router)
-	assert.Equal(t, 500, w2.Code)
+	assert.Equal(t, http.StatusInternalServerError, performRequest(http.MethodGet, "/doc.json", router).Code)
 	swag.Register(swag.Name, &mockedSwag{})
-	w2 = performRequest("GET", "/doc.json", router)
-	assert.Equal(t, 200, w2.Code)
+	w2 := performRequest(http.MethodGet, "/doc.json", router)
+	assert.Equal(t, http.StatusOK, w2.Code)
 	assert.Equal(t, "application/json; charset=utf-8", w2.Header().Get("content-type"))
-	w3 := performRequest("GET", "/favicon-16x16.png", router)
-	assert.Equal(t, 200, w3.Code)
+	w3 := performRequest(http.MethodGet, "/favicon-16x16.png", router)
+	assert.Equal(t, http.StatusOK, w3.Code)
 	assert.Equal(t, w3.Header()["Content-Type"][0], "image/png")
-	w4 := performRequest("GET", "/swagger-ui.css", router)
-	assert.Equal(t, 200, w4.Code)
+	w4 := performRequest(http.MethodGet, "/swagger-ui.css", router)
+	assert.Equal(t, http.StatusOK, w4.Code)
 	assert.Equal(t, w4.Header()["Content-Type"][0], "text/css; charset=utf-8")
-	w5 := performRequest("GET", "/swagger-ui-bundle.js", router)
-	assert.Equal(t, 200, w5.Code)
+	w5 := performRequest(http.MethodGet, "/swagger-ui-bundle.js", router)
+	assert.Equal(t, http.StatusOK, w5.Code)
 	assert.Equal(t, w5.Header()["Content-Type"][0], "application/javascript")
-	w6 := performRequest("GET", "/notfound", router)
-	assert.Equal(t, 404, w6.Code)
+	assert.Equal(t, http.StatusNotFound, performRequest(http.MethodGet, "/notfound", router).Code)
-	w7 := performRequest("GET", "/", router)
-	assert.Equal(t, 301, w7.Code)
+	assert.Equal(t, 301, performRequest(http.MethodGet, "/", router).Code)
+
+	assert.Equal(t, http.StatusMethodNotAllowed, performRequest(http.MethodPost, "/swagger/index.html", router).Code)
+
+	assert.Equal(t, http.StatusMethodNotAllowed, performRequest(http.MethodPut, "/swagger/index.html", router).Code)
 }
 func performRequest(method, target string, h http.Handler) *httptest.ResponseRecorder {
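Review bot: The redirect assertion added here still uses the literal `301` while every other status in the rewritten block was switched to an `http.Status*` constant; `assert.Equal(t, http.StatusMovedPermanently, performRequest(http.MethodGet, "/", router).Code)` keeps the hunk consistent with itself and with the swagger.go change in the same patch. The two 405 assertions request `/swagger/index.html` whereas the rest of the test uses `/index.html` under a router mounted at `/`; since the method check in Handler runs before any path handling, they would pass for any path, so requesting `/index.html` makes it clearer that a path the handler actually serves is the one being rejected. No HEAD request is exercised, so the guard's effect on HEAD (currently a 405) is untested. TestWrapHandler begins before this hunk, and performRequest's body continues past it.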