aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGravatar Ciro Spaciari <ciro.spaciari@gmail.com> 2023-04-05 21:48:18 -0300
committerGravatar GitHub <noreply@github.com> 2023-04-05 17:48:18 -0700
commitd8c467be42427e1b52647cbbfd1974b887e17b35 (patch)
treef6c1ddb8a2dccdebbc2fc121d06b4247c9df0677
parentfd680d6c1d88caeb56f9d2280d28251eb9c64a93 (diff)
downloadbun-d8c467be42427e1b52647cbbfd1974b887e17b35.tar.gz
bun-d8c467be42427e1b52647cbbfd1974b887e17b35.tar.zst
bun-d8c467be42427e1b52647cbbfd1974b887e17b35.zip
fix(fetch.proxy) fix proxy authentication (#2554)
* fix proxy authentication * add auth tests * remove unused
Diffstat
-rw-r--r--src/bun.js/webcore/response.zig4
-rw-r--r--src/http_client_async.zig112
-rw-r--r--test/js/bun/http/proxy.test.js101
3 files changed, 186 insertions, 31 deletions
diff --git a/src/bun.js/webcore/response.zig b/src/bun.js/webcore/response.zig
index a19ee9ca4..5b6d23a16 100644
--- a/src/bun.js/webcore/response.zig
+++ b/src/bun.js/webcore/response.zig
@@ -1144,9 +1144,8 @@ pub const Fetch = struct {
}
if (options.get(globalThis, "proxy")) |proxy_arg| {
if (!proxy_arg.isUndefined()) {
- var proxy_str = proxy_arg.toStringOrNull(globalThis) orelse return null;
// proxy + url 1 allocation
- var url_zig = proxy_str.getZigString(globalThis);
+ var url_zig = jsstring.getZigString(globalThis);
if (url_zig.len == 0) {
const err = JSC.toTypeError(.ERR_INVALID_ARG_VALUE, fetch_error_blank_url, .{}, ctx);
@@ -1165,6 +1164,7 @@ pub const Fetch = struct {
proxy = ZigURL{}; //empty proxy
} else {
+ var proxy_str = proxy_arg.toStringOrNull(globalThis) orelse return null;
var proxy_url_zig = proxy_str.getZigString(globalThis);
// proxy is actual 0 len so ignores it
diff --git a/src/http_client_async.zig b/src/http_client_async.zig
index 6e8542479..4702c8b62 100644
--- a/src/http_client_async.zig
+++ b/src/http_client_async.zig
@@ -15,6 +15,7 @@ const Log = bun.logger.Log;
const DotEnv = @import("./env_loader.zig");
const std = @import("std");
const URL = @import("./url.zig").URL;
+const PercentEncoding = @import("./url.zig").PercentEncoding;
pub const Method = @import("./http/method.zig").Method;
const Api = @import("./api/schema.zig").Api;
const Lock = @import("./lock.zig").Lock;
@@ -841,6 +842,11 @@ fn writeProxyRequest(
_ = writer.write(request.path) catch 0;
_ = writer.write(" HTTP/1.1\r\nProxy-Connection: Keep-Alive\r\n") catch 0;
+ if (client.proxy_authorization) |auth| {
+ _ = writer.write("Proxy-Authorization: ") catch 0;
+ _ = writer.write(auth) catch 0;
+ _ = writer.write("\r\n") catch 0;
+ }
for (request.headers) |header| {
_ = writer.write(header.name) catch 0;
_ = writer.write(": ") catch 0;
@@ -1262,13 +1268,41 @@ pub const AsyncHTTP = struct {
this.client.async_http_id = this.async_http_id;
this.client.timeout = timeout;
this.client.http_proxy = this.http_proxy;
+ this.timeout = timeout;
+
if (http_proxy) |proxy| {
//TODO: need to understand how is possible to reuse Proxy with TSL, so disable keepalive if url is HTTPS
this.client.disable_keepalive = this.url.isHTTPS();
- if (proxy.username.len > 0) {
- if (proxy.password.len > 0) {
+ // Username between 0 and 4096 chars
+ if (proxy.username.len > 0 and proxy.username.len < 4096) {
+ // Password between 0 and 4096 chars
+ if (proxy.password.len > 0 and proxy.password.len < 4096) {
+ // decode password
+ var password_buffer: [4096]u8 = undefined;
+ std.mem.set(u8, &password_buffer, 0);
+ var password_stream = std.io.fixedBufferStream(&password_buffer);
+ var password_writer = password_stream.writer();
+ const PassWriter = @TypeOf(password_writer);
+ const password_len = PercentEncoding.decode(PassWriter, password_writer, proxy.password) catch {
+ // Invalid proxy authorization
+ return this;
+ };
+ const password = password_buffer[0..password_len];
+
+ // Decode username
+ var username_buffer: [4096]u8 = undefined;
+ std.mem.set(u8, &username_buffer, 0);
+ var username_stream = std.io.fixedBufferStream(&username_buffer);
+ var username_writer = username_stream.writer();
+ const UserWriter = @TypeOf(username_writer);
+ const username_len = PercentEncoding.decode(UserWriter, username_writer, proxy.username) catch {
+ // Invalid proxy authorization
+ return this;
+ };
+ const username = username_buffer[0..username_len];
+
// concat user and password
- const auth = std.fmt.allocPrint(allocator, "{s}:{s}", .{ proxy.username, proxy.password }) catch unreachable;
+ const auth = std.fmt.allocPrint(allocator, "{s}:{s}", .{ username, password }) catch unreachable;
defer allocator.free(auth);
const size = std.base64.standard.Encoder.calcSize(auth.len);
var buf = this.allocator.alloc(u8, size + "Basic ".len) catch unreachable;
@@ -1276,16 +1310,27 @@ pub const AsyncHTTP = struct {
buf[0.."Basic ".len].* = "Basic ".*;
this.client.proxy_authorization = buf[0 .. "Basic ".len + encoded.len];
} else {
+ //Decode username
+ var username_buffer: [4096]u8 = undefined;
+ std.mem.set(u8, &username_buffer, 0);
+ var username_stream = std.io.fixedBufferStream(&username_buffer);
+ var username_writer = username_stream.writer();
+ const UserWriter = @TypeOf(username_writer);
+ const username_len = PercentEncoding.decode(UserWriter, username_writer, proxy.username) catch {
+ // Invalid proxy authorization
+ return this;
+ };
+ const username = username_buffer[0..username_len];
+
// only use user
- const size = std.base64.standard.Encoder.calcSize(proxy.username.len);
+ const size = std.base64.standard.Encoder.calcSize(username_len);
var buf = allocator.alloc(u8, size + "Basic ".len) catch unreachable;
- var encoded = std.base64.url_safe.Encoder.encode(buf["Basic ".len..], proxy.username);
+ var encoded = std.base64.url_safe.Encoder.encode(buf["Basic ".len..], username);
buf[0.."Basic ".len].* = "Basic ".*;
this.client.proxy_authorization = buf[0 .. "Basic ".len + encoded.len];
}
}
}
- this.timeout = timeout;
return this;
}
@@ -1299,11 +1344,42 @@ pub const AsyncHTTP = struct {
this.client = try HTTPClient.init(this.allocator, this.method, this.client.url, this.client.header_entries, this.client.header_buf, aborted);
this.client.timeout = timeout;
this.client.http_proxy = this.http_proxy;
+ this.timeout = timeout;
+
if (this.http_proxy) |proxy| {
- if (proxy.username.len > 0) {
- if (proxy.password.len > 0) {
+ //TODO: need to understand how is possible to reuse Proxy with TSL, so disable keepalive if url is HTTPS
+ this.client.disable_keepalive = this.url.isHTTPS();
+ // Username between 0 and 4096 chars
+ if (proxy.username.len > 0 and proxy.username.len < 4096) {
+ // Password between 0 and 4096 chars
+ if (proxy.password.len > 0 and proxy.password.len < 4096) {
+ // decode password
+ var password_buffer: [4096]u8 = undefined;
+ std.mem.set(u8, &password_buffer, 0);
+ var password_stream = std.io.fixedBufferStream(&password_buffer);
+ var password_writer = password_stream.writer();
+ const PassWriter = @TypeOf(password_writer);
+ const password_len = PercentEncoding.decode(PassWriter, password_writer, proxy.password) catch {
+ // Invalid proxy authorization
+ return this;
+ };
+ const password = password_buffer[0..password_len];
+
+ // Decode username
+ var username_buffer: [4096]u8 = undefined;
+ std.mem.set(u8, &username_buffer, 0);
+ var username_stream = std.io.fixedBufferStream(&username_buffer);
+ var username_writer = username_stream.writer();
+ const UserWriter = @TypeOf(username_writer);
+ const username_len = PercentEncoding.decode(UserWriter, username_writer, proxy.username) catch {
+ // Invalid proxy authorization
+ return this;
+ };
+
+ const username = username_buffer[0..username_len];
+
// concat user and password
- const auth = std.fmt.allocPrint(this.allocator, "{s}:{s}", .{ proxy.username, proxy.password }) catch unreachable;
+ const auth = std.fmt.allocPrint(this.allocator, "{s}:{s}", .{ username, password }) catch unreachable;
defer this.allocator.free(auth);
const size = std.base64.standard.Encoder.calcSize(auth.len);
var buf = this.allocator.alloc(u8, size + "Basic ".len) catch unreachable;
@@ -1311,16 +1387,27 @@ pub const AsyncHTTP = struct {
buf[0.."Basic ".len].* = "Basic ".*;
this.client.proxy_authorization = buf[0 .. "Basic ".len + encoded.len];
} else {
+ //Decode username
+ var username_buffer: [4096]u8 = undefined;
+ std.mem.set(u8, &username_buffer, 0);
+ var username_stream = std.io.fixedBufferStream(&username_buffer);
+ var username_writer = username_stream.writer();
+ const UserWriter = @TypeOf(username_writer);
+ const username_len = PercentEncoding.decode(UserWriter, username_writer, proxy.username) catch {
+ // Invalid proxy authorization
+ return this;
+ };
+ const username = username_buffer[0..username_len];
+
// only use user
- const size = std.base64.standard.Encoder.calcSize(proxy.username.len);
+ const size = std.base64.standard.Encoder.calcSize(username_len);
var buf = this.allocator.alloc(u8, size + "Basic ".len) catch unreachable;
- var encoded = std.base64.url_safe.Encoder.encode(buf["Basic ".len..], proxy.username);
+ var encoded = std.base64.url_safe.Encoder.encode(buf["Basic ".len..], username);
buf[0.."Basic ".len].* = "Basic ".*;
this.client.proxy_authorization = buf[0 .. "Basic ".len + encoded.len];
}
}
}
- this.timeout = timeout;
}
pub fn schedule(this: *AsyncHTTP, _: std.mem.Allocator, batch: *ThreadPool.Batch) void {
@@ -1639,6 +1726,7 @@ pub fn onWritable(this: *HTTPClient, comptime is_first_call: bool, comptime is_s
};
} else {
//HTTP do not need tunneling with CONNECT just a slightly different version of the request
+
writeProxyRequest(
@TypeOf(writer),
writer,
diff --git a/test/js/bun/http/proxy.test.js b/test/js/bun/http/proxy.test.js
index abe05133d..203cbc294 100644
--- a/test/js/bun/http/proxy.test.js
+++ b/test/js/bun/http/proxy.test.js
@@ -1,12 +1,13 @@
import { afterAll, beforeAll, describe, expect, it } from "bun:test";
import { gc } from "harness";
-let proxy, server;
+let proxy, auth_proxy, server;
// TODO: Proxy with TLS requests
beforeAll(() => {
proxy = Bun.serve({
+ port: 0,
async fetch(request) {
// if is not an proxy connection just drop it
if (!request.headers.has("proxy-connection")) {
@@ -24,9 +25,41 @@ beforeAll(() => {
// no TLS support here
return new Response("Bad Request", { status: 400 });
},
- port: 54312,
+ });
+ auth_proxy = Bun.serve({
+ port: 0,
+ async fetch(request) {
+ // if is not an proxy connection just drop it
+ if (!request.headers.has("proxy-connection")) {
+ return new Response("Bad Request", { status: 400 });
+ }
+
+ if (!request.headers.has("proxy-authorization")) {
+ return new Response("Proxy Authentication Required", { status: 407 });
+ }
+
+ const auth = Buffer.from(
+ request.headers.get("proxy-authorization").replace("Basic ", "").trim(),
+ "base64",
+ ).toString("utf8");
+ if (auth !== "squid_user:ASD123@123asd") {
+ return new Response("Forbidden", { status: 403 });
+ }
+
+ // simple http proxy
+ if (request.url.startsWith("http://")) {
+ return await fetch(request.url, {
+ method: request.method,
+ body: await request.text(),
+ });
+ }
+
+ // no TLS support here
+ return new Response("Bad Request", { status: 400 });
+ },
});
server = Bun.serve({
+ port: 0,
async fetch(request) {
if (request.method === "POST") {
const text = await request.text();
@@ -34,36 +67,70 @@ beforeAll(() => {
}
return new Response("Hello, World", { status: 200 });
},
- port: 54322,
});
});
afterAll(() => {
server.stop();
proxy.stop();
+ auth_proxy.stop();
});
-describe("proxy", () => {
+it("proxy non-TLS", async () => {
+ const url = `http://localhost:${server.port}`;
+ const auth_proxy_url = `http://squid_user:ASD123%40123asd@localhost:${auth_proxy.port}`;
+ const proxy_url = `localhost:${proxy.port}`;
const requests = [
- [new Request("http://localhost:54322"), "fetch() GET with non-TLS Proxy", "http://localhost:54312"],
+ [new Request(url), auth_proxy_url],
+ [
+ new Request(url, {
+ method: "POST",
+ body: "Hello, World",
+ }),
+ auth_proxy_url,
+ ],
+ [url, auth_proxy_url],
+ [new Request(url), proxy_url],
[
- new Request("http://localhost:54322", {
+ new Request(url, {
method: "POST",
body: "Hello, World",
}),
- "fetch() POST with non-TLS Proxy",
- "http://localhost:54312",
+ proxy_url,
],
+ [url, proxy_url],
];
- for (let [request, name, proxy] of requests) {
+ for (let [request, proxy] of requests) {
gc();
- it(name, async () => {
- gc();
- const response = await fetch(request, { verbose: true, proxy });
- gc();
- const text = await response.text();
- gc();
- expect(text).toBe("Hello, World");
- });
+ const response = await fetch(request, { verbose: true, proxy });
+ gc();
+ const text = await response.text();
+ gc();
+ expect(text).toBe("Hello, World");
+ }
+});
+
+it("proxy non-TLS auth can fail", async () => {
+ const url = `http://localhost:${server.port}`;
+
+ {
+ try {
+ const response = await fetch(url, { verbose: true, proxy: `http://localhost:${auth_proxy.port}` });
+ expect(response.statusText).toBe("Proxy Authentication Required");
+ } catch (err) {
+ expect(err).toBe("Proxy Authentication Required");
+ }
+ }
+
+ {
+ try {
+ const response = await fetch(url, {
+ verbose: true,
+ proxy: `http://squid_user:asdf123@localhost:${auth_proxy.port}`,
+ });
+ expect(response.statusText).toBe("Forbidden");
+ } catch (err) {
+ expect(err).toBe("Forbidden");
+ }
}
});
generated by cgit v1.2.3 (git 2.39.1) at 2025-06-26 20:21:55 +0000