White_list with invalid regex expression causes Tyk panic

Branch/Environment/Version

  • Branch/Version: release-5.7.2
  • Environment: On-prem

Describe the bug
An invalid regular expression like /actuator/** (in my case generated automatically by spring-boot) causes a panic on the first call. It does not crash when loading the API; it crashes when you call Tyk for the first time.

Reproduction steps
1 - Put this API in apps:

{
    "name": "Tyk Test API",
    "api_id": "1",
    "org_id": "default",
    "use_keyless": true,
    "auth": {
        "auth_header_name": "authorization"
    },
    "version_data": {
        "not_versioned": true,
        "versions": {
            "Default": {
                "name": "Default",
                "expires": "3000-01-02 15:04",
                "use_extended_paths": true,
                "extended_paths": {
                    "ignored": [],
                    "white_list": [
                        {
                            "disabled": false,
                            "path": "/actuator/**",
                            "method": "GET",
                            "ignore_case": false
                        }
                    ],
                    "black_list": []
                }
            }
        }
    },
    "proxy": {
        "listen_path": "/tyk-api-test/",
        "target_url": "http://httpbin.org",
        "strip_listen_path": true
    },
    "enable_batch_request_support": true
}

2 - Invoke the API with any URI:

curl http://localhost:8080/tyk-api-test/actuator/live

3 - Your handler has crashed:

2025/03/31 13:54:42 http: panic serving 127.0.0.1:46460: runtime error: invalid memory address or nil pointer dereference
goroutine 80 [running]:
net/http.(*conn).serve.func1()
/usr/local/go/src/net/http/server.go:1947 +0xbe
panic({0x2f9eea0?, 0x549e290?})
/usr/local/go/src/runtime/panic.go:787 +0x132
github.com/TykTechnologies/tyk/regexp.(*Regexp).MatchString(...)
/home/tyk-user/tyk-org/tyk/regexp/regexp.go:175
github.com/TykTechnologies/tyk/gateway.(*URLSpec).matchesPath(0xc00071ca08, {0xc0000567c4, 0x11}, 0xc00059f008)
/home/tyk-user/tyk-org/tyk/gateway/model_urlspec.go:115 +0x117
github.com/TykTechnologies/tyk/gateway.(*APISpec).URLAllowedAndIgnored(0xc00059f008, 0xc00046c780, {0xc00071ca08, 0x1, 0x2e974c0?}, 0x1)
/home/tyk-user/tyk-org/tyk/gateway/api_definition.go:1491 +0xa6
github.com/TykTechnologies/tyk/gateway.(*APISpec).RequestValid(0xc00059f008, 0xc00046c780)
/home/tyk-user/tyk-org/tyk/gateway/api_definition.go:1697 +0x172
github.com/TykTechnologies/tyk/gateway.(*VersionCheck).ProcessRequest(0xc00086b630, {0x3a01110, 0xc0001cc620}, 0xc00046c780, {0x1fb46a0?, 0xc000648440?})
/home/tyk-user/tyk-org/tyk/gateway/mw_version_check.go:118 +0x705
github.com/TykTechnologies/tyk/gateway.TraceMiddleware.ProcessRequest({{0x3a19680?, 0xc00086b630?}}, {0x3a01110, 0xc0001cc620}, 0xc00046c780, {0x0, 0x0})
/home/tyk-user/tyk-org/tyk/gateway/middleware.go:103 +0x51a
github.com/TykTechnologies/tyk/gateway.(*Gateway).createMiddleware.func1.1({0x3a01110, 0xc0001cc620}, 0xc00046c780)
/home/tyk-user/tyk-org/tyk/gateway/middleware.go:171 +0x988
net/http.HandlerFunc.ServeHTTP(0xc00046c500?, {0x3a01110?, 0xc0001cc620?}, 0x7fd03397d108?)
/usr/local/go/src/net/http/server.go:2294 +0x29
github.com/gorilla/mux.(*Router).ServeHTTP(0xc00062e900, {0x3a01110, 0xc0001cc620}, 0xc00046c3c0)
/home/tyk-user/go/pkg/mod/github.com/gorilla/[email protected]/mux.go:212 +0x1e2
github.com/TykTechnologies/tyk/gateway.(*handleWrapper).ServeHTTP(0xc00092c300, {0x3a01110, 0xc0001cc620}, 0xc00046c3c0)
/home/tyk-user/tyk-org/tyk/gateway/proxy_muxer.go:104 +0x26f
The Go Programming Language({{0x39eafa0?, 0xc00092c300?}, 0xc00047c770?}, {0x3a01110, 0xc0001cc620}, 0xc00046c3c0)
/home/tyk-user/go/pkg/mod/golang.org/x/[email protected]/http2/h2c/h2c.go:125 +0x673
github.com/TykTechnologies/tyk/gateway.(*h2cWrapper).ServeHTTP(0x476799?, {0x3a01110?, 0xc0001cc620?}, 0xc000961b70?)
/home/tyk-user/tyk-org/tyk/gateway/proxy_muxer.go:46 +0x26
net/http.serverHandler.ServeHTTP({0xc0007ad320?}, {0x3a01110?, 0xc0001cc620?}, 0x1?)
/usr/local/go/src/net/http/server.go:3301 +0x8e
net/http.(*conn).serve(0xc0007f7440, {0x3a074f0, 0xc0007ac930})
/usr/local/go/src/net/http/server.go:2102 +0x625
created by net/http.(*Server).Serve in goroutine 42
/usr/local/go/src/net/http/server.go:3454 +0x485

Expected behaviour
When an invalid path is detected, a simple behaviour is to log it as an error and ignore it when the API is called, not crash.

Configuration (tyk config file):
This is the out-of-the-box configuration. I cloned the gateway repo, checked out release-7.5.2, and ran go run main.go.

Additional context
I have made a correction in my fork version like this:
model_urlspec.go

func (a *URLSpec) matchesPath(reqPath string, api *APISpec) bool {
	clean := api.StripListenPath(reqPath)
	noVersion := api.StripVersionPath(clean)

	// --- fork correction part ---
	// invalid path compilation, ignore it
	if a.spec == nil {
		return false
	}
	// --- end fork correction part ---

	// match /users
	if noVersion != clean && a.spec.MatchString(noVersion) {
		return true
	}
	// match /v3/users
	if a.spec.MatchString(clean) {
		return true
	}
	// match /listenpath/v3/users
	if a.spec.MatchString(reqPath) {
		return true
	}
	return false
}
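The failure mode and the guard from the report above, as an added, self-contained example (not Tyk's code and not part of the original post). It uses Go's standard `regexp` package in place of Tyk's `regexp` wrapper; `pathSpec`, `compileSpecs`, `matches` and `unguardedPanics` are hypothetical names, and the path list is constructed input. It also rejects the bad entry when the definition is loaded, so the error is logged before any request arrives.

```go
package main

import (
	"fmt"
	"regexp"
)

// pathSpec is a hypothetical stand-in for a URL spec; re is nil when compilation failed.
type pathSpec struct {
	Path string
	re   *regexp.Regexp
}

// compileSpecs compiles each path at load time; bad entries come back as errors.
func compileSpecs(paths []string) (specs []pathSpec, rejected []error) {
	for _, p := range paths {
		re, err := regexp.Compile(p)
		if err != nil {
			rejected = append(rejected, fmt.Errorf("white_list path %q: %w", p, err))
			continue
		}
		specs = append(specs, pathSpec{Path: p, re: re})
	}
	return specs, rejected
}

// matches is nil-safe. An uncompiled spec matches nothing, so in this example a
// broken allow-list entry fails closed (a block-list entry would fail open).
func (s *pathSpec) matches(reqPath string) bool {
	return s != nil && s.re != nil && s.re.MatchString(reqPath)
}

// unguardedPanics reproduces the reported failure: MatchString on a nil pattern.
func unguardedPanics(s pathSpec, reqPath string) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	_ = s.re.MatchString(reqPath)
	return false
}

func main() {
	// Constructed input: the path from the report plus a valid regex form.
	specs, rejected := compileSpecs([]string{"/actuator/**", "/actuator/.*"})
	for _, err := range rejected {
		fmt.Println("rejected at load:", err)
	}
	bad := pathSpec{Path: "/actuator/**"} // what a failed compile leaves behind
	fmt.Println(specs[0].matches("/actuator/live"), bad.matches("/actuator/live"))
	fmt.Println("unguarded call panics:", unguardedPanics(bad, "/actuator/live"))
}
```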