fix: query string bypass when use unsafe true

The real issue lies in the fact that when use_real_request_uri_unsafe is set to true and conf.uri is provided, the core.utils.resolve_var output back an upstream uri that does not include query string. Therefore we need to concatenate the query string for the case if conf.uri is true.

The previous commit does not solve the issue as the issue is not related in the `if not conf.use_real_request_uri_unsafe then` statement.

Author: YapWC

apisix/plugins/proxy-rewrite.lua

@@ -275,20 +275,26 @@ function _M.rewrite(conf, ctx)
         end
     end
 
+    -- normalized uri (without query string)
     local upstream_uri = ctx.var.uri
     local separator_escaped = false
 
+    local query_string = ""
     -- When use_real_request_uri_unsafe is true, we use real_request_uri directly
     if conf.use_real_request_uri_unsafe then
-        upstream_uri = ctx.var.real_request_uri
+        upstream_uri = ctx.var.real_request_uri  -- Not normalized uri (with query string if available)
+        local query_string_index = str_find(upstream_uri, "?")
+        -- If query string exists, extract it. It is needed later when conf.uri is set.
+        -- Because core.utils.resolve_var output will drop the query string part.
+        query_string = query_string_index and sub_str(upstream_uri, query_string_index) or ""
     end
 
     -- This block determines the upstream URI based on the configuration.
     -- uri has higher priority than regex_uri.
     if conf.uri ~= nil then
-        separator_escaped = true
         -- Set the upstream_uri by resolving variables in conf.uri
-        upstream_uri = core.utils.resolve_var(conf.uri, ctx.var, escape_separator)
+        upstream_uri = core.utils.resolve_var(conf.uri, ctx.var, escape_separator) .. query_string
+        separator_escaped = true
 
     elseif conf.regex_uri ~= nil then
         if not str_find(upstream_uri, "?") then
@@ -327,8 +333,8 @@ function _M.rewrite(conf, ctx)
         end
     end
 
-    local index
     if not conf.use_real_request_uri_unsafe then
+        local index
         if separator_escaped then
             index = str_find(upstream_uri, "?")
         end
@@ -344,21 +350,21 @@ function _M.rewrite(conf, ctx)
         end
 
         req_set_uri(upstream_uri)
-    else
-        ctx.var.upstream_uri = upstream_uri
-    end
 
-    -- Incoming request has arguments, append them to the upstream_uri
-    -- to form the complete upstream_uri
-    if ctx.var.is_args == "?" then
-        if index then
-            -- Upstream already has a '?', so we append incoming args with '&'
-            ctx.var.upstream_uri = upstream_uri .. "&" .. (ctx.var.args or "")
+        -- Incoming request has arguments, append them to the upstream_uri
+        -- to form the complete upstream_uri
+        if ctx.var.is_args == "?" then
+            if index then
+                -- Upstream already has a '?', so we append incoming args with '&'
+                ctx.var.upstream_uri = upstream_uri .. "&" .. (ctx.var.args or "")
+            else
+                -- Upstream has no '?', so we start the query string with '?'
+                ctx.var.upstream_uri = upstream_uri .. "?" .. (ctx.var.args or "")
+            end
+        -- Incoming request had no arguments
         else
-            -- Upstream has no '?', so we start the query string with '?'
-            ctx.var.upstream_uri = upstream_uri .. "?" .. (ctx.var.args or "")
+            ctx.var.upstream_uri = upstream_uri
         end
-    -- Incoming request had no arguments
     else
         ctx.var.upstream_uri = upstream_uri
     end

t/plugin/proxy-rewrite.t

@@ -1231,3 +1231,95 @@ GET /hello
 uri: /uri
 host: test.com:6443
 x-real-ip: 127.0.0.1
+
+
+
+=== TEST 45: set route(rewrite uri args with unsafe allowed)
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1',
+                 ngx.HTTP_PUT,
+                 [[{
+                        "plugins": {
+                            "proxy-rewrite": {
+                                "uri": "/plugin_proxy_rewrite_args",
+                                "use_real_request_uri_unsafe": true
+                            }
+                        },
+                        "upstream": {
+                            "nodes": {
+                                "127.0.0.1:1980": 1
+                            },
+                            "type": "roundrobin"
+                        },
+                        "uri": "/hello"
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(body)
+        }
+    }
+--- request
+GET /t
+--- response_body
+passed
+
+
+
+=== TEST 46: rewrite uri args
+--- request
+GET /hello?q=apisix&a=iresty HTTP/1.1
+--- response_body
+uri: /plugin_proxy_rewrite_args
+a: iresty
+q: apisix
+
+
+
+=== TEST 47: set route(rewrite uri empty args with unsafe allowed)
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1',
+                 ngx.HTTP_PUT,
+                 [[{
+                        "plugins": {
+                            "proxy-rewrite": {
+                                "uri": "/plugin_proxy_rewrite_args",
+                                "use_real_request_uri_unsafe": true
+                            }
+                        },
+                        "upstream": {
+                            "nodes": {
+                                "127.0.0.1:1980": 1
+                            },
+                            "type": "roundrobin"
+                        },
+                        "uri": "/hello"
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(body)
+        }
+    }
+--- request
+GET /t
+--- response_body
+passed
+
+
+
+=== TEST 48: rewrite uri empty args
+--- request
+GET /hello HTTP/1.1
+--- response_body
+uri: /plugin_proxy_rewrite_args

t/plugin/proxy-rewrite3.t

@@ -199,7 +199,7 @@ plugin_proxy_rewrite get method: POST
 
 
 
-=== TEST 8: set route(unsafe uri not normalized at request)
+=== TEST 8: set route(unsafe uri not normalized at request with unsafe allowed)
 --- config
     location /t {
         content_by_lua_block {
@@ -243,7 +243,7 @@ ngx.var.request_uri: /print%5Furi%5Fdetailed
 
 
 
-=== TEST 10: set route(safe uri not normalized at request)
+=== TEST 10: set route(safe uri not normalized at request with unsafe allowed)
 --- config
     location /t {
         content_by_lua_block {
@@ -1002,18 +1002,18 @@ GET /hello/%ED%85%8C%EC%8A%A4%ED%8A%B8 HTTP/1.1
 
 
 
-=== TEST 42: set route(rewrite uri args with unsafe)
+=== TEST 45: set route(unsafe uri normalized at request with unsafe not allowed)
 --- config
     location /t {
         content_by_lua_block {
             local t = require("lib.test_admin").test
             local code, body = t('/apisix/admin/routes/1',
                  ngx.HTTP_PUT,
                  [[{
+                        "methods": ["GET"],
                         "plugins": {
                             "proxy-rewrite": {
-                                "uri": "/plugin_proxy_rewrite_args",
-                                "use_real_request_uri_unsafe": true
+                                "use_real_request_uri_unsafe": false
                             }
                         },
                         "upstream": {
@@ -1022,7 +1022,7 @@ GET /hello/%ED%85%8C%EC%8A%A4%ED%8A%B8 HTTP/1.1
                             },
                             "type": "roundrobin"
                         },
-                        "uri": "/hello"
+                        "uri": "/print_uri_detailed"
                 }]]
                 )
 
@@ -1032,25 +1032,14 @@ GET /hello/%ED%85%8C%EC%8A%A4%ED%8A%B8 HTTP/1.1
             ngx.say(body)
         }
     }
---- request
-GET /t
 --- response_body
 passed
 
 
 
-=== TEST 43: rewrite uri args with unsafe
---- request
-GET /hello?q=apisix&a=iresty HTTP/1.1
---- response_body
-uri: /plugin_proxy_rewrite_args
-a: iresty
-q: apisix
-
-
-
-=== TEST 44: rewrite uri empty args with unsafe
+=== TEST 46: unsafe uri normalized at request
 --- request
-GET /hello HTTP/1.1
+GET /print%5Furi%5Fdetailed HTTP/1.1
 --- response_body
-uri: /plugin_proxy_rewrite_args
+ngx.var.uri: /print_uri_detailed
+ngx.var.request_uri: /print_uri_detailed