Do not warn on proxy_pass_normalized if request_uri is used.

Joshua Rogers · Joshua Rogers · commit 797fb23ec83b · 2025-02-17T15:08:34.000+11:00
Also, turn find_directive_in_scope into find_directives_in_scope, allowing it
to turn into a list.
diff --git a/gixy/directives/directive.py b/gixy/directives/directive.py
@@ -46,12 +46,12 @@ def parents(self):
     def variables(self):
         raise NotImplementedError()
 
-    def find_directive_in_scope(self, name):
-        """Find directive in the current scope"""
+    def find_directives_in_scope(self, name):
+        """Find directives in the current scope"""
         for parent in self.parents:
             directive = parent.some(name, flat=False)
             if directive:
-                return directive
+                yield directive
         return None
 
     def __str__(self):
diff --git a/gixy/plugins/proxy_pass_normalized.py b/gixy/plugins/proxy_pass_normalized.py
@@ -1,5 +1,6 @@
 import re
 import gixy
+import sys
 from gixy.plugins.plugin import Plugin
 
 class proxy_pass_normalized(Plugin):
@@ -12,7 +13,7 @@ class proxy_pass_normalized(Plugin):
     """
 
     summary = 'Detect path after host in proxy_pass (potential URL decoding issue)'
-    severity = gixy.severity.LOW
+    severity = gixy.severity.MEDIUM
     description = ("A slash immediately after the host in proxy_pass leads to the path being decoded and normalized before proxying downstream, leading to unexpected behavior related to encoded slashes.")
     help_url = 'https://joshua.hu/proxy-pass-nginx-decoding-normalizing-url-path-dangerous#nginx-proxy_pass'
     directives = ['proxy_pass']
@@ -22,23 +23,30 @@ def __init__(self, config):
         self.parse_uri_re = re.compile(r'(?P<scheme>[^?#/)]+://)?(?P<host>[^?#/)]+)(?P<path>/.*)?')
 
     def audit(self, directive):
-        proxy_pass_arg = directive.args[0]
-        if not proxy_pass_arg:
+        proxy_pass_args = directive.args
+
+        if not proxy_pass_args:
             return
 
-        parsed = self.parse_uri_re.match(proxy_pass_arg)
+        parsed = self.parse_uri_re.match(proxy_pass_args[0])
 
         if not parsed:
             return
 
         if not parsed.group('path'):
             return
 
+
+        for rewrite in directive.find_directives_in_scope("rewrite"):
+            if hasattr(rewrite, 'pattern') and hasattr(rewrite, 'replace'):
+                if rewrite.pattern == '^' and rewrite.replace == '$request_uri':
+                    return
+
         self.add_issue(
             severity=self.severity,
             directive=[directive, directive.parent],
             reason=(
-                "Found a slash (and possibly more) after the hostname in proxy_pass. "
+                "Found a slash (and possibly more) after the hostname in proxy_pass, without using $request_uri."
                 "This can lead to path decoding issues."
             )
         )
diff --git a/gixy/plugins/try_files_is_evil_too.py b/gixy/plugins/try_files_is_evil_too.py
@@ -18,8 +18,8 @@ class try_files_is_evil_too(Plugin):
 
     def audit(self, directive):
         # search for open_file_cache ...; on the same or higher level
-        open_file_cache = directive.find_directive_in_scope("open_file_cache")
-        if not open_file_cache or open_file_cache.args[0] == "off":
+        open_file_cache = list(directive.find_directives_in_scope("open_file_cache"))
+        if not open_file_cache or open_file_cache[0].args[0] == "off":
             self.add_issue(
                 severity=gixy.severity.MEDIUM,
                 directive=[directive],
