Does not prevent URL encoded API interaction

This proxy is a great idea and very simple. I've started having a look at whether this would suit some of my use-cases, and have found that due to it's blacklist approach there are ways of working around the controls.

If a user submits a request to the API in a non-ascii format, such as URL encoded, the request doesn't match the regex and is thus allowed:

$ curl http://localhost:2375/v1.24/containers/json
<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>

Submitting the same with the 1 replaced with it's URL encoded format %31 the request is allowed:

$ curl http://localhost:2375/v%31.24/containers/json
[{"Id":"26b2cee8328bd45919fe825073c3754de3abba78992f3970b7f97967d9cad777","Names":["/dockerproxy"],"Image":"tecnativa/docker-socket-proxy","ImageID":"sha256:f546af4b04b12997210dcac107ecd8f3aa6155008d53dadc2a853e5b06ab1fe2","Command":"/docker-entrypoint.sh haproxy -f /usr/local/etc/haproxy/haproxy.cfg","Created":1499066538,"Ports":[{"IP":"127.0.0.1","PrivatePort":2375,"PublicPort":2375,"Type":"tcp"}],"Labels":{"org.label-schema.build-date":"2017-03-31 11:33:22.424874532+00:00","org.label-schema.license":"Apache-2.0","org.label-schema.schema-version":"1.0","org.label-schema.vcs-ref":"0715eb786b603fcd0be319f34efcca6a659f5ae4","org.label-schema.vcs-url":"https://github.com/Tecnativa/docker-tcp-proxy","org.label-schema.vendor":"Tecnativa"},"State":"running","Status":"Up 5 days","HostConfig":{"NetworkMode":"default"},"NetworkSettings":{"Networks":{"bridge":{"IPAMConfig":null,"Links":null,"Aliases":null,"NetworkID":"da0b314d6703f8ff34dbb7c85adaf135676a0aefd783f7fd6169841154f623f3","EndpointID":"dde6a306117204ec3af30d125c469d943c56766ec5683519a75b7b94c230a0eb","Gateway":"172.17.0.1","IPAddress":"172.17.0.2","IPPrefixLen":16,"IPv6Gateway":"","GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"MacAddress":"02:42:ac:11:00:02"}}},"Mounts":[{"Type":"bind","Source":"/var/run/docker.sock","Destination":"/var/run/docker.sock","Mode":"","RW":true,"Propagation":""}]}]

I think a whitelist approach may be a better way to go - have you had any thoughts about this? Will have a tinker and see if I can get a PR together.

[yajo]

Yeah, very good catch and very good idea! If you are preparing a PR, I'll wait, so we don't lose time both of us in the same thing. 😊

Thanks!

I had a start, but this project is my first foray into HAProxy so trying to change to a whitelist became a mess haha. I had a look at blacklisting various characters but encountered some issues. I hope to have a PR to add to the blacklist approach by the end of the week.

[yajo]

Yeah, the first slap against HAProxy configs is hard, I'll wait 😉

I have a possible way of doing this - moving into acls and utilising url_dec. Do you see issues with something like this?

acl containers path,url_dec -m reg -i ^(/v[\d\.]+)?/containers
http-request deny if  containers ! { env(CONTAINERS) -m bool }

[yajo]

Cool! PR?

Will do so today :)