Merge remote-tracking branch 'upstream/release_25.0' into merge_25.0_into_25.1_oct

ahmedhamidawan · ahmedhamidawan · commit 14b118a493d7 · 2025-10-30T11:31:00.000-05:00
diff --git a/lib/galaxy/config/sample/datatypes_conf.xml.sample b/lib/galaxy/config/sample/datatypes_conf.xml.sample
@@ -143,7 +143,7 @@
     <datatype extension="las" type="galaxy.datatypes.binary:Binary" mimetype="application/vnd.las" subclass="true" display_in_upload="true" description="The LAS (LASer) format is a file format designed for the interchange and archiving of Lidar point cloud data." description_url="https://www.loc.gov/preservation/digital/formats/fdd/fdd000418.shtml">
         <infer_from suffix="las" />
     </datatype>
-    <datatype extension="laz" type="galaxy.datatypes.binary:Binary" mimetype="application/vnd.las" subclass="true" display_in_upload="true" description="LAZ is an open format for lossless compression of LAS." description_url="https://downloads.rapidlasso.de/doc/laszip.pdf">
+    <datatype extension="laz" type="galaxy.datatypes.binary:Binary" mimetype="application/vnd.laszip" subclass="true" display_in_upload="true" description="LAZ is an open format for lossless compression of LAS." description_url="https://downloads.rapidlasso.de/doc/laszip.pdf">
         <infer_from suffix="laz" />
     </datatype>
     <datatype extension="d3_hierarchy" type="galaxy.datatypes.text:Json" mimetype="application/json" subclass="true" display_in_upload="true"/>
diff --git a/lib/galaxy/webapps/galaxy/api/proxy.py b/lib/galaxy/webapps/galaxy/api/proxy.py
@@ -3,7 +3,10 @@
 """
 
 import logging
-from urllib.parse import urlparse
+from urllib.parse import (
+    urljoin,
+    urlparse,
+)
 
 import httpx
 from fastapi import (
@@ -36,6 +39,7 @@
 )
 
 ALLOWED_SCHEMES = ("https", "http")
+MAX_REDIRECTS = 5
 
 
 def is_valid_url(url: str) -> bool:
@@ -60,12 +64,9 @@ async def proxy(self, request: Request, url: str = URLQueryParam, trans: Provide
         if trans.anonymous:
             raise UserRequiredException("Anonymous users are not allowed to access this endpoint")
 
-        if not is_valid_url(url):
-            raise RequestParameterInvalidException("Invalid URL format.")
-
-        validate_uri_access(url, trans.user_is_admin, trans.app.config.fetch_url_allowlist_ips)
+        self._validate_url_and_access(url, trans)
 
-        headers = {}
+        headers: dict[str, str] = {}
         if "range" in request.headers:
             headers["Range"] = self._validate_range_header(request.headers["range"])
 
@@ -74,9 +75,8 @@ async def proxy(self, request: Request, url: str = URLQueryParam, trans: Provide
         timeout = httpx.Timeout(10.0, connect=60.0)
 
         client = httpx.AsyncClient(timeout=timeout)
-        response = None
         try:
-            response = await client.request(method=request.method, url=url, headers=headers, follow_redirects=True)
+            response = await self._handle_redirects_validation(request, url, trans, headers, client)
 
             if request.method == "GET":
                 # Return a streaming response for GET requests
@@ -113,6 +113,55 @@ async def stream_with_cleanup():
                     await response.aclose()
                 await client.aclose()
 
+    async def _handle_redirects_validation(
+        self,
+        request: Request,
+        url: str,
+        trans: ProvidesUserContext,
+        headers: dict[str, str],
+        client: httpx.AsyncClient,
+    ) -> httpx.Response:
+        """Handle redirects manually to validate each redirect URL."""
+        response = None
+        current_url = url
+        redirect_count = 0
+
+        while redirect_count <= MAX_REDIRECTS:
+            response = await client.request(
+                method=request.method, url=current_url, headers=headers, follow_redirects=False
+            )
+
+            if self._is_redirect_response(response):
+                redirect_count += 1
+                if redirect_count > MAX_REDIRECTS:
+                    raise RequestParameterInvalidException("Too many redirects")
+
+                redirect_location = response.headers["location"]
+
+                # Handle relative URLs by resolving them against the current URL
+                redirect_url = urljoin(current_url, redirect_location)
+
+                self._validate_url_and_access(redirect_url, trans)
+
+                # Close current response and follow the validated redirect
+                await response.aclose()
+                current_url = redirect_url
+            else:
+                # Not a redirect, we have our final response
+                break
+
+        assert response is not None, "Response should not be None after redirect loop"
+        return response
+
+    def _validate_url_and_access(self, url: str, trans: ProvidesUserContext):
+        if not is_valid_url(url):
+            raise RequestParameterInvalidException("Invalid URL format.")
+
+        validate_uri_access(url, trans.user_is_admin, trans.app.config.fetch_url_allowlist_ips)
+
+    def _is_redirect_response(self, response: httpx.Response) -> bool:
+        return response.status_code in (301, 302, 303, 307, 308) and "location" in response.headers
+
     def _validate_range_header(self, range_header: str) -> str:
         """
         Validate the Range header format and values.
diff --git a/lib/galaxy_test/api/test_proxy.py b/lib/galaxy_test/api/test_proxy.py
@@ -1,3 +1,9 @@
+from unittest.mock import (
+    AsyncMock,
+    MagicMock,
+    patch,
+)
+
 import pytest
 
 from galaxy.util.unittest_utils import skip_if_github_down
@@ -88,3 +94,80 @@ def test_proxy_handles_encoding(self):
         assert len(response.content) > 0
         # Verify content-encoding header was properly filtered out (no double decompression)
         assert "content-encoding" not in response.headers
+
+    @patch("galaxy.webapps.galaxy.api.proxy.httpx.AsyncClient")
+    def test_proxy_validates_redirects(self, mock_client_class):
+        """Test that redirects are validated."""
+        # Create mock responses - redirect to a local file (invalid scheme)
+        redirect_response = MagicMock()
+        redirect_response.status_code = 302
+        redirect_response.headers = {"location": "file://internal-server/secret-files"}
+        redirect_response.aclose = AsyncMock()
+
+        # Setup mock client
+        mock_client = MagicMock()
+        mock_client.request = AsyncMock(return_value=redirect_response)
+        mock_client.aclose = AsyncMock()
+        mock_client_class.return_value = mock_client
+
+        # Attempt to proxy a URL that redirects to file:// (should be blocked)
+        response = self._get("proxy?url=https://evil.com/redirect")
+
+        # Should fail with 400 Bad Request due to invalid redirect URL scheme
+        self._assert_status_code_is(response, 400)
+        assert "Invalid URL format" in response.json()["err_msg"]
+
+    @patch("galaxy.webapps.galaxy.api.proxy.httpx.AsyncClient")
+    def test_proxy_follows_valid_redirects(self, mock_client_class):
+        """Test that valid redirects are followed after validation."""
+        # Create mock responses
+        redirect_response = MagicMock()
+        redirect_response.status_code = 301
+        redirect_response.headers = {"location": "https://example.com/final"}
+        redirect_response.aclose = AsyncMock()
+
+        final_response = MagicMock()
+        final_response.status_code = 200
+        final_response.headers = {"content-type": "text/plain"}
+        final_response.aclose = AsyncMock()
+
+        # Create async generator for streaming
+        async def mock_stream():
+            yield b"test content"
+
+        final_response.aiter_bytes = mock_stream
+
+        # Setup mock client to return redirect first, then final response
+        mock_client = MagicMock()
+        mock_client.request = AsyncMock(side_effect=[redirect_response, final_response])
+        mock_client.aclose = AsyncMock()
+        mock_client_class.return_value = mock_client
+
+        # Proxy a URL that redirects to a valid external URL
+        response = self._get("proxy?url=https://example.com/redirect")
+
+        # Should succeed and follow the redirect
+        self._assert_status_code_is_ok(response)
+        assert b"test content" in response.content
+
+    @patch("galaxy.webapps.galaxy.api.proxy.httpx.AsyncClient")
+    def test_proxy_blocks_too_many_redirects(self, mock_client_class):
+        """Test that excessive redirects are blocked to prevent redirect loops."""
+        # Create a mock response that always redirects
+        redirect_response = MagicMock()
+        redirect_response.status_code = 302
+        redirect_response.headers = {"location": "https://example.com/loop"}
+        redirect_response.aclose = AsyncMock()
+
+        # Setup mock client
+        mock_client = MagicMock()
+        mock_client.request = AsyncMock(return_value=redirect_response)
+        mock_client.aclose = AsyncMock()
+        mock_client_class.return_value = mock_client
+
+        # Attempt to proxy a URL that loops redirects
+        response = self._get("proxy?url=https://example.com/loop")
+
+        # Should fail with 400 Bad Request due to too many redirects
+        self._assert_status_code_is(response, 400)
+        assert "Too many redirects" in response.json()["err_msg"]
