diff --git a/pkg/plugin/client/http2https_redirect.go b/pkg/plugin/client/http2https_redirect.go index 977394dd..bd1fd62c 100644 --- a/pkg/plugin/client/http2https_redirect.go +++ b/pkg/plugin/client/http2https_redirect.go @@ -51,7 +51,9 @@ func NewHTTP2HTTPSRedirectPlugin(_ PluginContext, options v1.ClientPluginOptions p.s = &http.Server{ Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { - http.Redirect(w, req, buildHTTPSRedirectURL(req, opts.HTTPSPort), http.StatusFound) + // Not an open redirect: the target scheme is fixed to https and the + // host is the one the client already connected to. + http.Redirect(w, req, buildHTTPSRedirectURL(req, opts.HTTPSPort), http.StatusFound) //nolint:gosec // G710 }), ReadHeaderTimeout: 60 * time.Second, } diff --git a/pkg/plugin/server/manager_test.go b/pkg/plugin/server/manager_test.go index f0306fed..6866d194 100644 --- a/pkg/plugin/server/manager_test.go +++ b/pkg/plugin/server/manager_test.go @@ -70,7 +70,7 @@ func (w *logCapture) String() string { // levels parses the captured JSON log output and returns the level of each entry. func (w *logCapture) levels() []charmlog.Level { var levels []charmlog.Level - for _, line := range strings.Split(strings.TrimSpace(w.String()), "\n") { + for line := range strings.SplitSeq(strings.TrimSpace(w.String()), "\n") { if line == "" { continue } diff --git a/pkg/util/log/log.go b/pkg/util/log/log.go index 61a9f4d6..066b37ad 100644 --- a/pkg/util/log/log.go +++ b/pkg/util/log/log.go @@ -164,9 +164,8 @@ func (w *RotateFileWriter) cleanupOldLogs(now time.Time) { } name := f.Name() - if strings.HasPrefix(name, base+".") { - // Extract date from filename (base.YYYY-MM-DD) - dateStr := strings.TrimPrefix(name, base+".") + // Extract date from filename (base.YYYY-MM-DD) + if dateStr, ok := strings.CutPrefix(name, base+"."); ok { if len(dateStr) == 10 { fileDate, err := time.Parse("2006-01-02", dateStr) if err == nil && fileDate.Before(cutoffDate) { diff --git a/pkg/util/vhost/https_redirect.go b/pkg/util/vhost/https_redirect.go index c1acbf27..c63db3db 100644 --- a/pkg/util/vhost/https_redirect.go +++ b/pkg/util/vhost/https_redirect.go @@ -15,7 +15,9 @@ package vhost import ( + "net" "net/http" + "net/url" "strconv" "sync" @@ -73,11 +75,19 @@ func (r *HTTPSRedirector) Redirect(rw http.ResponseWriter, req *http.Request) bo return false } - target := "https://" + host - if r.port != 443 { - target += ":" + strconv.Itoa(r.port) + target := url.URL{ + Scheme: "https", + Host: host, + Path: req.URL.Path, + RawPath: req.URL.RawPath, + RawQuery: req.URL.RawQuery, } - target += req.URL.RequestURI() - http.Redirect(rw, req, target, http.StatusMovedPermanently) + if r.port != 443 { + target.Host = net.JoinHostPort(host, strconv.Itoa(r.port)) + } + // Not an open redirect: the host is validated against the registered + // domain set above, the scheme is fixed, and only the same-host path and + // query are echoed back. + http.Redirect(rw, req, target.String(), http.StatusMovedPermanently) //nolint:gosec // G710 return true }