fix(api): enforce GET on monitoring endpoints

Co-Authored-By: Virgil <virgil@lethean.io>
Virgil 2026-04-04 23:39:29 +00:00
parent 34f95071d9
commit fb5453c097
2 changed files with 17 additions and 1 deletions


@ -49,6 +49,22 @@ func TestProxy_allowHTTP_Bad(t *testing.T) {
} }
} }
func TestProxy_allowHTTP_MethodRestricted_Bad(t *testing.T) {
p := &Proxy{
config: &Config{
HTTP: HTTPConfig{},
},
}
status, ok := p.allowHTTP(&http.Request{Method: http.MethodPost})
if ok {
t.Fatal("expected non-GET request to be rejected")
}
if status != http.StatusMethodNotAllowed {
t.Fatalf("expected status %d, got %d", http.StatusMethodNotAllowed, status)
}
}
func TestProxy_allowHTTP_Ugly(t *testing.T) { func TestProxy_allowHTTP_Ugly(t *testing.T) {
p := &Proxy{ p := &Proxy{
config: &Config{ config: &Config{
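Review bot: TestProxy_allowHTTP_MethodRestricted_Bad checks only POST against an empty `HTTPConfig{}`, so it does not show that the rejection is independent of the `Restricted` flag the guard used to read, and it does not cover the other non-GET methods. I would iterate over several methods, including HEAD, which is also refused under the new condition, and set `Restricted: false` explicitly so the test records the intended contract. The rewritten test is sketched below; the neighbouring tests start and end outside this hunk.

```go
func TestProxy_allowHTTP_MethodRestricted_Bad(t *testing.T) {
	// Restricted is left false on purpose: the method check must not depend on it.
	p := &Proxy{config: &Config{HTTP: HTTPConfig{Restricted: false}}}
	for _, method := range []string{http.MethodPost, http.MethodPut, http.MethodDelete, http.MethodHead} {
		status, ok := p.allowHTTP(&http.Request{Method: method})
		if ok {
			t.Fatalf("expected %s request to be rejected", method)
		}
		if status != http.StatusMethodNotAllowed {
			t.Fatalf("%s: expected status %d, got %d", method, http.StatusMethodNotAllowed, status)
		}
	}
}
```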


@ -643,7 +643,7 @@ func (p *Proxy) allowHTTP(r *http.Request) (int, bool) {
if p == nil { if p == nil {
return http.StatusServiceUnavailable, false return http.StatusServiceUnavailable, false
} }
if p.config.HTTP.Restricted && r.Method != http.MethodGet { if r.Method != http.MethodGet {
return http.StatusMethodNotAllowed, false return http.StatusMethodNotAllowed, false
} }
if token := p.config.HTTP.AccessToken; token != "" { if token := p.config.HTTP.AccessToken; token != "" {
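Review bot: The rewritten guard `if r.Method != http.MethodGet` no longer reads `p.config.HTTP.Restricted`, and since that condition is this commit's only deletion, the field is presumably still declared and now has no effect on this check. Either deprecate or remove the field, or state the new contract at the guard, e.g. `// Monitoring endpoints are read-only: every method other than GET is rejected, regardless of HTTP.Restricted.` The method check also runs before the access-token check that follows, so an unauthenticated non-GET caller gets 405 rather than an auth failure, and HEAD probes are now refused too. If the caller writes the 405 response, it should send `Allow: GET`. allowHTTP's body continues outside the hunk.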