
Add additional guard against bypassing UpstreamProxy

Rod Hynes 5 years ago
parent
commit
43689bdc06

+ 8 - 0
psiphon/common/protocol/protocol.go

@@ -220,6 +220,14 @@ func TunnelProtocolSupportsPassthrough(protocol string) bool {
 		protocol == TUNNEL_PROTOCOL_UNFRONTED_MEEK_SESSION_TICKET
 }
 
+func TunnelProtocolSupportsUpstreamProxy(protocol string) bool {
+
+	// TODO: Marionette UDP formats are incompatible with
+	// UpstreamProxy, but not currently supported.
+
+	return !TunnelProtocolUsesQUIC(protocol)
+}
+
 func UseClientTunnelProtocol(
 	clientProtocol string,
 	serverProtocols TunnelProtocols) bool {
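Review bot: The exported `TunnelProtocolSupportsUpstreamProxy` has no doc comment; its only comment is the TODO, so a reader cannot tell that it is a denylist (QUIC excluded) rather than an allowlist, which matters because any protocol name that `TunnelProtocolUsesQUIC` does not recognize — including a new protocol added later — will be reported as supported by default. Suggested doc comment above the func: `// TunnelProtocolSupportsUpstreamProxy indicates whether the tunnel protocol can be dialed through a configured UpstreamProxy. Only QUIC-based protocols are currently excluded; unrecognized protocol names are treated as supported.` The same call is used in serverEntry.go and dialParameters.go in this commit, so documenting the permissive default here covers both callers.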

+ 1 - 3
psiphon/common/protocol/serverEntry.go

@@ -483,9 +483,7 @@ func (serverEntry *ServerEntry) GetSupportedProtocols(
 
 	for _, protocol := range SupportedTunnelProtocols {
 
-		// TODO: Marionette UDP formats are incompatible with
-		// useUpstreamProxy, but not currently supported
-		if useUpstreamProxy && TunnelProtocolUsesQUIC(protocol) {
+		if useUpstreamProxy && !TunnelProtocolSupportsUpstreamProxy(protocol) {
 			continue
 		}
 

+ 11 - 0
psiphon/dialParameters.go

@@ -329,6 +329,17 @@ func MakeDialParameters(
 		dialParams.TunnelProtocol = selectedProtocol
 	}
 
+	if config.UseUpstreamProxy() &&
+		!protocol.TunnelProtocolSupportsUpstreamProxy(dialParams.TunnelProtocol) {
+
+		// When UpstreamProxy is configured, ServerEntry.GetSupportedProtocols, when
+		// called via selectProtocol, will filter out protocols such that will not
+		// select a protocol incompatible with UpstreamProxy. This additional check
+		// will catch cases where selectProtocol does not apply this filter.
+		return nil, errors.Tracef(
+			"protocol does not support upstream proxy: %s", dialParams.TunnelProtocol)
+	}
+
 	if (!isReplay || !replayBPF) &&
 		ClientBPFEnabled() &&
 		protocol.TunnelProtocolUsesTCP(dialParams.TunnelProtocol) {
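Review bot: The comment above the new guard reads awkwardly ("will filter out protocols such that will not select a protocol") and does not say which path the guard is defending against, which is the one thing a reader needs from a defense-in-depth check. Suggest rewording to `// ServerEntry.GetSupportedProtocols, when called via selectProtocol, filters out protocols incompatible with UpstreamProxy. This additional guard catches any path that reaches here without that filter.` Since the guard sits after the closing brace of the selection branch and the surrounding code references `isReplay`, it appears to also cover the replay case, where TunnelProtocol presumably comes from stored dial parameters rather than selectProtocol; if that is the intent, naming it in the comment would make the guard's purpose explicit. MakeDialParameters begins and ends outside this hunk.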