Ensure proxy passed in X-Upstream-Https-Proxy is parsable

pkg/smokescreen/smokescreen.go

@@ -941,6 +941,9 @@ func checkACLsForRequest(config *Config, req *http.Request, destination hostport
 
 	if connectProxyHost != "" {
 		connectProxyUrl, err := url.Parse(connectProxyHost)
+		if err == nil && connectProxyUrl.Hostname() == "" {
+			err = errors.New("proxy header contains invalid URL. The correct format is https://[username:password@]my.proxy.srv:12345")
+		}
 
 		if err != nil {
 			config.Log.WithFields(logrus.Fields{

pkg/smokescreen/smokescreen_test.go

@@ -1270,6 +1270,34 @@ func TestCONNECTProxyACLs(t *testing.T) {
 		r.Equal(false, entry.Data["allow"])
 	})
 
+	t.Run("Blocks if proxy can't be parsed when the X-Upstream-Https-Proxy header is set", func(t *testing.T) {
+		h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.Write([]byte("OK"))
+		})
+		r := require.New(t)
+		l, err := net.Listen("tcp", "localhost:0")
+		r.NoError(err)
+		cfg, err := testConfig("test-external-connect-proxy-blocked-srv")
+		r.NoError(err)
+		cfg.Listener = l
+
+		err = cfg.SetAllowAddresses([]string{"127.0.0.1"})
+		r.NoError(err)
+
+		internalToStripeProxy := proxyServer(cfg)
+		remote := httptest.NewTLSServer(h)
+
+		client, err := proxyClientWithConnectHeaders(internalToStripeProxy.URL, http.Header{"X-Upstream-Https-Proxy": []string{"google.com"}})
+		r.NoError(err)
+
+		req, err := http.NewRequest("GET", remote.URL, nil)
+		r.NoError(err)
+
+		_, err = client.Do(req)
+		r.Error(err)
+		r.Contains(err.Error(), "Request rejected by proxy")
+	})
+
 	t.Run("Allows an approved proxy when the X-Upstream-Https-Proxy header is set", func(t *testing.T) {
 		h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			w.Write([]byte("OK"))