Bump version to 0.2.6 and enhance proxy_pass_normalized plugin to handle variable proxy_pass destinations

dvershinin · dvershinin · commit c8ea292e40b2 · 2025-02-22T20:15:27.000+08:00
diff --git a/gixy/__init__.py b/gixy/__init__.py
@@ -2,4 +2,4 @@
 
 from gixy.core import severity
 
-version = "0.2.5"
+version = "0.2.6"
diff --git a/gixy/plugins/proxy_pass_normalized.py b/gixy/plugins/proxy_pass_normalized.py
@@ -32,6 +32,10 @@ def audit(self, directive):
         if not proxy_pass_args:
             return
 
+        if proxy_pass_args[0].startswith("$"):
+            # If proxy pass destination is defined by a variable, it is not possible to check for path normalization issues
+            return
+
         parsed = urlparse(proxy_pass_args[0])
 
         if not parsed:
diff --git a/tests/plugins/simply/proxy_pass_normalized/proxy_pass_var_fp.conf b/tests/plugins/simply/proxy_pass_normalized/proxy_pass_var_fp.conf
@@ -0,0 +1,4 @@
+# False positive because we can't reliably check whether variable has path or not
+location @__auth__event_proxying {
+    proxy_pass $sm_auth_event_url;
+}

Original file line number	Diff line number	Diff line change
`@@ -2,4 +2,4 @@`
`2`	`2`
`3`	`3`	`from gixy.core import severity`
`4`	`4`
`5`		`-version = "0.2.5"`
	`5`	`+version = "0.2.6"`