MINOR: uri_normalizer: Add fragment-strip normalizer

This normalizer strips the URI's fragment component which should never be sent to the server. See GitHub Issue #714.
2025-08-06 07:07:04 +02:00 · 2021-05-10 17:28:25 +02:00 · 2021-05-10 17:28:25 +02:00 · c9e05ab2de
commit c9e05ab2de
parent 2f413136e9
5 changed files with 73 additions and 1 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -6172,6 +6172,7 @@ http-request early-hint <name> <fmt> [ { if | unless } <condition> ]
  See RFC 8297 for more information.

 http-request normalize-uri <normalizer> [ { if | unless } <condition> ]
+http-request normalize-uri fragment-strip [ { if | unless } <condition> ]
 http-request normalize-uri path-merge-slashes [ { if | unless } <condition> ]
 http-request normalize-uri path-strip-dot [ { if | unless } <condition> ]
 http-request normalize-uri path-strip-dotdot [ full ] [ { if | unless } <condition> ]
@ -6209,6 +6210,17 @@ http-request normalize-uri query-sort-by-name [ { if | unless } <condition> ]

  The following normalizers are available:

+  - fragment-strip: Removes the URI's "fragment" component.
+
+      According to RFC 3986#3.5 the "fragment" component of an URI should not
+      be sent, but handled by the User Agent after retrieving a resource.
+
+      This normalizer should be applied first to ensure that the fragment is
+      not interpreted as part of the request's path component.
+
+      Example:
+      - /#foo  -> /
+
  - path-strip-dot: Removes "/./" segments within the "path" component
      (RFC 3986#6.2.2.3).

--- a/include/haproxy/action-t.h
+++ b/include/haproxy/action-t.h
@ -111,6 +111,7 @@ enum act_normalize_uri {
 	ACT_NORMALIZE_URI_PERCENT_TO_UPPERCASE_STRICT,
 	ACT_NORMALIZE_URI_PERCENT_DECODE_UNRESERVED,
 	ACT_NORMALIZE_URI_PERCENT_DECODE_UNRESERVED_STRICT,
+	ACT_NORMALIZE_URI_FRAGMENT_STRIP,
 };

 /* NOTE: if <.action_ptr> is defined, the referenced function will always be
--- a/include/haproxy/uri_normalizer.h
+++ b/include/haproxy/uri_normalizer.h
@ -18,6 +18,14 @@

 #include <haproxy/uri_normalizer-t.h>

+/* Cuts the input at the first '#'. */
+static inline enum uri_normalizer_err uri_normalizer_fragment_strip(const struct ist input, struct ist *dst)
+{
+	*dst = iststop(input, '#');
+
+	return URI_NORMALIZER_ERR_NONE;
+}
+
 enum uri_normalizer_err uri_normalizer_percent_decode_unreserved(const struct ist input, int strict, struct ist *dst);
 enum uri_normalizer_err uri_normalizer_percent_upper(const struct ist input, int strict, struct ist *dst);
 enum uri_normalizer_err uri_normalizer_path_dot(const struct ist path, struct ist *dst);
--- a/reg-tests/http-rules/normalize_uri.vtc
+++ b/reg-tests/http-rules/normalize_uri.vtc
@ -8,7 +8,7 @@ feature ignore_unknown_macro
 server s1 {
    rxreq
    txresp
-} -repeat 63 -start
+} -repeat 66 -start

 haproxy h1 -conf {
    global
@ -125,6 +125,18 @@ haproxy h1 -conf {

        default_backend be

+    frontend fe_fragment_strip
+        bind "fd@${fe_fragment_strip}"
+
+        http-request set-var(txn.before) url
+        http-request normalize-uri fragment-strip
+        http-request set-var(txn.after) url
+
+        http-response add-header before  %[var(txn.before)]
+        http-response add-header after  %[var(txn.after)]
+
+        default_backend be
+
    backend be
        server s1 ${s1_addr}:${s1_port}

@ -471,3 +483,20 @@ client c8 -connect ${h1_fe_percent_decode_unreserved_strict_sock} {
    rxresp
    expect resp.status == 400
 } -run
+
+client c9 -connect ${h1_fe_fragment_strip_sock} {
+    txreq -url "/#foo"
+    rxresp
+    expect resp.http.before == "/#foo"
+    expect resp.http.after == "/"
+
+    txreq -url "/%23foo"
+    rxresp
+    expect resp.http.before == "/%23foo"
+    expect resp.http.after == "/%23foo"
+
+    txreq -req OPTIONS -url "*"
+    rxresp
+    expect resp.http.before == "*"
+    expect resp.http.after == "*"
+} -run
--- a/src/http_act.c
+++ b/src/http_act.c
@ -312,6 +312,23 @@ static enum act_return http_action_normalize_uri(struct act_rule *rule, struct p

 			err = uri_normalizer_percent_decode_unreserved(path, rule->action == ACT_NORMALIZE_URI_PERCENT_DECODE_UNRESERVED_STRICT, &newpath);

+			if (err != URI_NORMALIZER_ERR_NONE)
+				break;
+
+			if (!http_replace_req_path(htx, newpath, 1))
+				goto fail_rewrite;
+
+			break;
+		}
+		case ACT_NORMALIZE_URI_FRAGMENT_STRIP: {
+			const struct ist path = http_get_path(uri);
+			struct ist newpath = ist2(replace->area, replace->size);
+
+			if (!isttest(path))
+				goto leave;
+
+			err = uri_normalizer_fragment_strip(path, &newpath);
+
 			if (err != URI_NORMALIZER_ERR_NONE)
 				break;

@ -440,6 +457,11 @@ static enum act_parse_ret parse_http_normalize_uri(const char **args, int *orig_
 			return ACT_RET_PRS_ERR;
 		}
 	}
+	else if (strcmp(args[cur_arg], "fragment-strip") == 0) {
+		cur_arg++;
+
+		rule->action = ACT_NORMALIZE_URI_FRAGMENT_STRIP;
+	}
 	else {
 		memprintf(err, "unknown normalizer '%s'", args[cur_arg]);
 		return ACT_RET_PRS_ERR;