From 7529095e1ac4304d373a5f9774f8dea2d6bd9435 Mon Sep 17 00:00:00 2001
From: Marius Zander
Date: Wed, 14 Jun 2023 17:49:08 +0200
Subject: [PATCH 1/2] fix: use X-Forwarded-Uri if it exists for pathRegex match

the functions `isApiPath` and `isAllowedPath` use the `req.URL.Path` property which leads to faulty behavior when behind a reverse proxy. The correct path can be inferred from the `X-Forwarded-Uri` header by making use of the already provided `requestutil.GetRequestURI` function.

Co-authored-by: Jan Wystub
---
 oauthproxy.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/oauthproxy.go b/oauthproxy.go
index 7398fb8e..25b14e61 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -554,7 +554,7 @@ func isAllowedMethod(req *http.Request, route allowedRoute) bool {
 }
 
 func isAllowedPath(req *http.Request, route allowedRoute) bool {
-	matches := route.pathRegex.MatchString(req.URL.Path)
+	matches := route.pathRegex.MatchString(requestutil.GetRequestURI(req))
 
 	if route.negate {
 		return !matches
@@ -575,7 +575,7 @@ func (p *OAuthProxy) isAllowedRoute(req *http.Request) bool {
 
 func (p *OAuthProxy) isAPIPath(req *http.Request) bool {
 	for _, route := range p.apiRoutes {
-		if route.pathRegex.MatchString(req.URL.Path) {
+		if route.pathRegex.MatchString(requestutil.GetRequestURI(req)) {
 			return true
 		}
 	}
From 2d22530f8f5c05cbb73ec6d50a2c17ef9f1ac296 Mon Sep 17 00:00:00 2001
From: Jan Wystub
Date: Wed, 23 Aug 2023 09:18:53 +0200
Subject: [PATCH 2/2] docs: add changelog entry

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 548d200d..3a6c17e5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
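Review bot: The string handed to `pathRegex.MatchString` in `isAllowedPath` is no longer a path: `requestutil.GetRequestURI` returns a request URI, so a pattern anchored like `^/healthz$` (constructed example) is now tested against `/healthz?probe=1` and stops matching, and a query string can also be used to satisfy a loosely anchored skip-auth pattern. The value also originates in the `X-Forwarded-Uri` header, which only the fronting proxy should set; when this process is not actually behind such a proxy, the string the skip-auth and API regexes are tested against is chosen by the client while the upstream still receives `req.URL.Path`, so the match must be gated on the reverse-proxy setting (I cannot see here whether `GetRequestURI` already does that) and should use only the path component of the forwarded value. The same substitution appears in the `isAPIPath` hunk below and should go through the same helper; the helper needs `net/url` in the import block. Both `isAllowedPath` and `isAPIPath` continue past the end of their hunks.
```go
// forwardedPath returns the path component of the effective request URI,
// falling back to req.URL.Path when the forwarded value does not parse.
func forwardedPath(req *http.Request) string {
	u, err := url.ParseRequestURI(requestutil.GetRequestURI(req))
	if err != nil {
		return req.URL.Path
	}
	return u.Path
}

func isAllowedPath(req *http.Request, route allowedRoute) bool {
	matches := route.pathRegex.MatchString(forwardedPath(req))
	// … unchanged: negate handling and return …
```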
@@ -7,6 +7,7 @@
 ## Breaking Changes
 ## Changes since v7.4.0
+- [#2133](https://github.com/oauth2-proxy/oauth2-proxy/pull/2133) Use X-Forwarded-Uri if it exists for pathRegex match
 - [#2028](https://github.com/oauth2-proxy/oauth2-proxy/pull/2028) Update golang.org/x/net to v0.7.0 ato address GHSA-vvpx-j8f3-3w6h
 - [#1873](https://github.com/oauth2-proxy/oauth2-proxy/pull/1873) Fix empty users with some OIDC providers (@babs)
 - [#1882](https://github.com/oauth2-proxy/oauth2-proxy/pull/1882) Make `htpasswd.GetUsers` racecondition safe