A plugin to check for proxy_pass usage resulting in decoding and normalization

[MegaManSec]

Also add proper requirements, and fix some typos and warnings on newer Python versions.

More information about dangerous proxy_pass usage: https://joshua.hu/proxy-pass-nginx-decoding-normalizing-url-path-dangerous#nginx-proxy_pass

P.S: Thank you for this fork!

[dvershinin]

Thank you for your PR, there are some things to address so that tests pass without errors.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[dvershinin]

Thanks! Merged.

[SuperSandro2000]

Should this rule also apply when proxying a file? I am not sure and I also have no idea how to fix this:

location /dir/file {
  proxy_pass http://server/dir/file?query=value;
}

[MegaManSec]

@SuperSandro2000 :

First off, this should use location = /dir/file { because it currently matches /dir/file123123123.

Second off, use:

location = /dir/file {
  proxy_pass http://server$1?query=value;
}

[MegaManSec]

@SuperSandro2000 I've fixed try the rule from above. $1 is the correct thing to use here, and does not qualify as a path.

[SuperSandro2000]

First off, this should use location = /dir/file { because it currently matches /dir/file123123123.

Should gixy warn about this?

[MegaManSec]

It currently warns about it if alias is used: https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/aliastraversal.md