Google Git
Sign in
go / pkgsite / 873fb37c24799199f4b1e129bc425fa0490b1f8d^! / .
commit873fb37c24799199f4b1e129bc425fa0490b1f8d[log] [tgz]
authorJamal Carvalho <jamal@golang.org>Fri Sep 30 19:28:40 2022 +0000
committerJamal Carvalho <jamal@golang.org>Tue Oct 04 15:08:36 2022 +0000
treef655af9188b7b779548cefa8a416fce669a826dd
parent86a1744034510e328a4ff3f90920efd7d523f584 [diff]
internal/frontend: fix vuln page cache handler

The http.StripPrefix handler stripped the /vuln prefix from the
cache keys of vuln pages causing a collision with the key for
the homepage / and the vuln portal /vuln/. Removed the strip prefix
handler.

Change-Id: Ib8d550e925d446f1a53ffc4196b3911981359bc3
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/436758
Reviewed-by: Robert Findley <rfindley@google.com>
Run-TryBot: Jamal Carvalho <jamal@golang.org>

diff --git a/internal/frontend/server.go b/internal/frontend/server.go
index 901d492..ae96d2e 100644
--- a/internal/frontend/server.go
+++ b/internal/frontend/server.go

@@ -132,6 +132,10 @@
 		vulnHandler   http.Handler = s.errorHandler(s.serveVuln)
 	)
 	if redisClient != nil {
+		// The cache middleware uses the URL string as the key for content served
+		// by the handlers it wraps. Be careful not to wrap the handler it returns
+		// with a handler that rewrites the URL in a way that could cause key
+		// collisions, like http.StripPrefix.
 		detailHandler = middleware.Cache("details", redisClient, detailsTTL, authValues)(detailHandler)
 		searchHandler = middleware.Cache("search", redisClient, searchTTL, authValues)(searchHandler)
 		vulnHandler = middleware.Cache("vuln", redisClient, vulnTTL, authValues)(vulnHandler)
@@ -173,7 +177,7 @@
 	}))
 	handle("/golang.org/x", s.staticPageHandler("subrepo", "Sub-repositories"))
 	handle("/files/", http.StripPrefix("/files", s.fileMux))
-	handle("/vuln/", http.StripPrefix("/vuln", vulnHandler))
+	handle("/vuln/", vulnHandler)
 	handle("/", detailHandler)
 	if s.serveStats {
 		handle("/detail-stats/",

diff --git a/internal/frontend/vulns.go b/internal/frontend/vulns.go
index 144dd6e..3ab57f4 100644
--- a/internal/frontend/vulns.go
+++ b/internal/frontend/vulns.go

@@ -163,7 +163,8 @@
 }
 
 func (s *Server) serveVuln(w http.ResponseWriter, r *http.Request, _ internal.DataSource) error {
-	switch r.URL.Path {
+	path := strings.TrimPrefix(r.URL.Path, "/vuln")
+	switch path {
 	case "/":
 		// Serve a list of most recent entries.
 		vulnListPage, err := newVulnListPage(r.Context(), s.vulnClient)
@@ -184,7 +185,7 @@
 		vulnListPage.basePage = s.newBasePage(r, "Vulnerability Reports")
 		s.servePage(r.Context(), w, "vuln/list", vulnListPage)
 	default: // the path should be "/<ID>", e.g. "/GO-2021-0001".
-		id := r.URL.Path[1:]
+		id := path[1:]
 		if !goVulnIDRegexp.MatchString(id) {
 			if r.URL.Query().Has("q") {
 				return &serverError{status: derrors.ToStatus(derrors.NotFound)}