From 1455d6bb690d8c91159a709cc6d1a0dc01ed9153 Mon Sep 17 00:00:00 2001
From: Francis Lavoie
Date: Fri, 2 Apr 2021 18:47:04 -0400
Subject: [PATCH] httpcaddyfile: Fix panic in automation policy consolidation (#4104)
* httpcaddyfile: Add reproduce test
* httpcaddyfile: Don't allow `i` to go below zero
---
caddyconfig/httpcaddyfile/tlsapp.go | 3 +-
.../tls_automation_policies_4.txt | 155 ++++++++++++++++++
2 files changed, 157 insertions(+), 1 deletion(-)
create mode 100644 caddytest/integration/caddyfile_adapt/tls_automation_policies_4.txt
diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go
index 45ba9d21..85f9e5a3 100644
--- a/caddyconfig/httpcaddyfile/tlsapp.go
+++ b/caddyconfig/httpcaddyfile/tlsapp.go
@@ -491,13 +491,13 @@ func consolidateAutomationPolicies(aps []*caddytls.AutomationPolicy) []*caddytls } // remove or combine duplicate policies +outer: for i := 0; i < len(aps); i++ { // compare only with next policies; we sorted by specificity so we must not delete earlier policies for j := i + 1; j < len(aps); j++ { // if they're exactly equal in every way, just keep one of them if reflect.DeepEqual(aps[i], aps[j]) { aps = append(aps[:j], aps[j+1:]...) - i-- break }
@@ -524,6 +524,7 @@ func consolidateAutomationPolicies(aps []*caddytls.AutomationPolicy) []*caddytls if automationPolicyShadows(i, aps) >= j { aps = append(aps[:i], aps[i+1:]...) i-- + continue outer } } else { // avoid repeated subjects
diff --git a/caddytest/integration/caddyfile_adapt/tls_automation_policies_4.txt b/caddytest/integration/caddyfile_adapt/tls_automation_policies_4.txt
new file mode 100644
index 00000000..502dbd0b
--- /dev/null
+++ b/caddytest/integration/caddyfile_adapt/tls_automation_policies_4.txt
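Review bot: Removing `i--` from the `reflect.DeepEqual` branch while keeping `break` means that once the duplicate at `j` is deleted the outer loop advances to `i+1`, so `aps[i]` is never compared with the policies that followed `j`; with three identical policies one duplicate survives. That decrement does not look like the source of the negative index, because `break` leaves the inner loop before `aps[i]` is read again and the outer `i++` restores the value. I would keep `i--` here and replace `break` with `continue outer`, with a comment such as `// re-evaluate aps[i] against the next j; i may reach -1 but is incremented before use`. The expected output in tls_automation_policies_4.txt ends with two automation policies that look identical as serialized, which may be this effect and is worth confirming as intended. The function body starts and ends outside the hunk.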
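Review bot: The `continue outer` added after `aps = append(aps[:i], aps[i+1:]...)` and `i--` in the second hunk appears to carry the actual panic fix, but nothing says why the inner loop must not keep running. I would add a comment above it, for example `// aps[i] was removed: restart the outer loop so the inner loop never reads aps[i] with a stale or negative index`. The `else` branch that follows continues outside this hunk, so whether it needs the same treatment cannot be checked from here.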
@@ -0,0 +1,155 @@
+{
+ email my.email@example.com
+}
+
+:82 {
+ redir https://example.com{uri}
+}
+
+:83 {
+ redir https://example.com{uri}
+}
+
+:84 {
+ redir https://example.com{uri}
+}
+
+abc.de {
+ redir https://example.com{uri}
+}
+----------
+{
+ "apps": {
+ "http": {
+ "servers": {
+ "srv0": {
+ "listen": [
+ ":443"
+ ],
+ "routes": [
+ {
+ "match": [
+ {
+ "host": [
+ "abc.de"
+ ]
+ }
+ ],
+ "handle": [
+ {
+ "handler": "subroute",
+ "routes": [
+ {
+ "handle": [
+ {
+ "handler": "static_response",
+ "headers": {
+ "Location": [
+ "https://example.com{http.request.uri}"
+ ]
+ },
+ "status_code": 302
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "terminal": true
+ }
+ ]
+ },
+ "srv1": {
+ "listen": [
+ ":82"
+ ],
+ "routes": [
+ {
+ "handle": [
+ {
+ "handler": "static_response",
+ "headers": {
+ "Location": [
+ "https://example.com{http.request.uri}"
+ ]
+ },
+ "status_code": 302
+ }
+ ]
+ }
+ ]
+ },
+ "srv2": {
+ "listen": [
+ ":83"
+ ],
+ "routes": [
+ {
+ "handle": [
+ {
+ "handler": "static_response",
+ "headers": {
+ "Location": [
+ "https://example.com{http.request.uri}"
+ ]
+ },
+ "status_code": 302
+ }
+ ]
+ }
+ ]
+ },
+ "srv3": {
+ "listen": [
+ ":84"
+ ],
+ "routes": [
+ {
+ "handle": [
+ {
+ "handler": "static_response",
+ "headers": {
+ "Location": [
+ "https://example.com{http.request.uri}"
+ ]
+ },
+ "status_code": 302
+ }
+ ]
+ }
+ ]
+ }
+ }
+ },
+ "tls": {
+ "automation": {
+ "policies": [
+ {
+ "issuers": [
+ {
+ "email": "my.email@example.com",
+ "module": "acme"
+ },
+ {
+ "email": "my.email@example.com",
+ "module": "zerossl"
+ }
+ ]
+ },
+ {
+ "issuers": [
+ {
+ "email": "my.email@example.com",
+ "module": "acme"
+ },
+ {
+ "email": "my.email@example.com",
+ "module": "zerossl"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file