👋 hello!
We often see panics coming from our router when we get hit by people vuln scanning our app. We use lookupFunc to serve our frontend if no backend routes match. I think we're just missing a range check before evaluating.
An example URL that panics: GET /images/../cgi/cgi_i_filter.js
Here's the rough shape of our setup:

	// LookupFunc is associated with a mux router. It permits querying the router to see if it
	// can respond to a request.
	type LookupFunc func(w http.ResponseWriter, r *http.Request) (httptreemux.LookupResult, bool)

	func SinglePageApp(urlPrefix, dirPath string, includeSourcemaps bool) func(h http.Handler, lookupFunc LookupFunc) http.Handler {
		fs := static.LocalFile(dirPath, true)
		fileserver := http.FileServer(fs)
		if urlPrefix != "" {
			fileserver = http.StripPrefix(urlPrefix, fileserver)
		}

		return func(h http.Handler, lookupFunc LookupFunc) http.Handler {
			return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
				// If we have an official route for this request, we should skip our handler. We
				// only run when we can't find a match.
				if _, found := lookupFunc(w, r); found {
					h.ServeHTTP(w, r)
					return
				}
				// Unknown paths fall back to the SPA entry point.
				if !fs.Exists(urlPrefix, r.URL.Path) {
					r.URL.Path = "/"
				}
				// serving the SPA goes here
				fileserver.ServeHTTP(w, r)
			})
		}
	}

thanks! 🙏
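Added example (not code from this issue or from httptreemux): a small Go guard that canonicalises the request path with path.Clean before any router lookup runs, redirecting non-canonical paths such as the scanner's /images/../cgi/cgi_i_filter.js, and that recovers a panic from the wrapped handler into a logged 500 instead of a dropped connection. CleanPath, Guard and Probe are names assumed here, and Probe's panicking inner handler is a constructed stand-in for the router lookup, not httptreemux's actual behaviour.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// CleanPath returns the canonical form of a request path and whether the input already was
// canonical. The "/" prefix roots any input, so ".." can collapse segments but never escape "/".
func CleanPath(p string) (string, bool) {
	cleaned := path.Clean("/" + p)
	if strings.HasSuffix(p, "/") && cleaned != "/" {
		cleaned += "/" // keep the trailing slash so directory routes still match
	}
	return cleaned, cleaned == p
}

// Guard canonicalises the path before any router lookup runs and turns a handler panic into a logged 500.
func Guard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if clean, ok := CleanPath(r.URL.Path); !ok {
			u := *r.URL // copy so the query string survives the redirect
			u.Path = clean
			http.Redirect(w, r, u.String(), http.StatusMovedPermanently)
			return
		}
		defer func() {
			if err := recover(); err != nil {
				log.Printf("recovered panic on %s %s: %v", r.Method, r.URL.Path, err)
				http.Error(w, "internal server error", http.StatusInternalServerError)
			}
		}()
		next.ServeHTTP(w, r)
	})
}

// Probe sends one GET through Guard and returns the status code. The inner handler is a
// constructed stand-in (not httptreemux code) for a lookup that panics on a raw "..".
func Probe(rawPath string) int {
	rec := httptest.NewRecorder() // Code defaults to 200 if the handler writes nothing
	Guard(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.Contains(r.URL.Path, "..") {
			panic("simulated lookup panic")
		}
	})).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, rawPath, nil))
	return rec.Code
}
```

Because Go's net/http already recovers handler panics by closing the connection, the recover here only changes what the client and your logs see; the redirect is what keeps the raw ".." path from ever reaching the lookup.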