]> git.kaiwu.me - njs.git/commitdiff
Fetch: fix out-of-bounds read of a short fetch proxy URL
authorDmitry Volyntsev <xeioex@nginx.com>
Thu, 11 Jun 2026 23:49:33 +0000 (16:49 -0700)
committerDmitry Volyntsev <xeioexception@gmail.com>
Fri, 12 Jun 2026 03:26:59 +0000 (20:26 -0700)
nginx/ngx_js.c
nginx/t/js_fetch_proxy_variable.t

index cd44127b7ea32468d8987631ad5f53a3e93dbf44..34fc23a4657859194b729e1a61b620ed3e5cec82 100644 (file)
@@ -3552,7 +3552,9 @@ ngx_js_parse_proxy_url(ngx_pool_t *pool, ngx_log_t *log, ngx_str_t *url,
         return NGX_OK;
     }
 
-    if (ngx_strncmp(url->data, "http://", sizeof("http://") - 1) != 0) {
+    if (url->len < sizeof("http://") - 1
+        || ngx_strncmp(url->data, "http://", sizeof("http://") - 1) != 0)
+    {
         ngx_log_error(NGX_LOG_ERR, log, 0,
                       "js_fetch_proxy URL must use http:// scheme");
         return NGX_ERROR;
index b1fcbadda8c8909ba3ea8b787d574b8687727eb3..b8de4e1c1a7f0802e69ae54436a9bbcb39e98d7c 100644 (file)
@@ -60,6 +60,12 @@ http {
             js_content test.http_fetch;
         }
 
+        location /dynamic_short_proxy {
+            set $proxy_url "http:/";
+            js_fetch_proxy $proxy_url;
+            js_content test.http_fetch;
+        }
+
         location /dynamic_user_proxy {
             set $proxy_url "http://$arg_user:p@127.0.0.1:%%PORT_8081%%";
             js_fetch_proxy $proxy_url;
@@ -134,7 +140,7 @@ $t->write_file('test.js', <<EOF);
 
 EOF
 
-$t->try_run('no js_fetch_proxy')->plan(4);
+$t->try_run('no js_fetch_proxy')->plan(5);
 
 ###############################################################################
 
@@ -144,6 +150,8 @@ like(http_get('/dynamic_proxy'), qr/PROXY:Basic\s+dGVzdHVzZXI6dGVzdHBhc3M=/,
     'dynamic proxy URL with auth');
 like(http_get('/dynamic_empty_proxy'), qr/ORIGIN:OK/,
     'dynamic empty proxy URL bypasses proxy');
+like(http_get('/dynamic_short_proxy'), qr/failed to evaluate proxy URL/,
+    'too short dynamic proxy URL is rejected');
 like(http_get('/dynamic_user_proxy?user=' . ('a' x 200)),
     qr/PROXY:BAD-AUTH/,
     'long user in dynamic proxy URL decoded without overflow');