From 8b7389a77ccb6113414ee48ba38dec095bf70b61 Mon Sep 17 00:00:00 2001
From: Larry Gregory
Date: Tue, 22 Oct 2019 13:55:34 -0400
Subject: [PATCH] documenting changes

---
 src/core/server/http/http_server.ts | 7 +++++++
 src/core/server/http/http_tools.ts | 10 +++++++---
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/src/core/server/http/http_server.ts b/src/core/server/http/http_server.ts
index d6077200d3c75..d496737c88023 100644
--- a/src/core/server/http/http_server.ts
+++ b/src/core/server/http/http_server.ts
@@ -136,6 +136,13 @@ export class HttpServer {
 options: {
 auth: authRequired ? undefined : false,
 tags: tags ? Array.from(tags) : undefined,
+ // TODO: This 'validate' section can be removed once the legacy platform is completely removed.
+ // We are telling Hapi that NP routes can accept any payload, so that it can bypass the default
+ // validation applied in ./http_tools#getServerOptions
+ // (All NP routes are already required to specify their own validation in order to access the payload)
+ validate: {
+ payload: true,
+ },
 },
 });
 }
diff --git a/src/core/server/http/http_tools.ts b/src/core/server/http/http_tools.ts
index ad3d88f6339c7..b3a1cb40cb14a 100644
--- a/src/core/server/http/http_tools.ts
+++ b/src/core/server/http/http_tools.ts
@@ -46,6 +46,10 @@ export function getServerOptions(config: HttpConfig, { configureTLS = true } = {
 options: {
 abortEarly: false,
 },
+ // TODO: This payload validation can be removed once the legacy platform is completely removed.
+ // This is a default payload validation which applies to all LP routes which do not specify their own
+ // `validate.payload` handler, in order to reduce the likelyhood of prototype pollution vulnerabilities.
+ // (All NP routes are already required to specify their own validation in order to access the payload)
 payload: value => Promise.resolve(validateObject(value)),
 },
 },
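Review bot: The added `validate: { payload: true }` disables Hapi's default payload validation for every NP route unconditionally; nothing in this hunk checks that the route actually declared its own schema, so the prototype-pollution safeguard described in the comment rests entirely on the router-level requirement the comment mentions, which lives outside this file. If that requirement is what guarantees a schema exists, the comment should say so explicitly so the two stay coupled, e.g. `// Safe only because the NP router refuses payload access to routes without a 'validate' schema — keep in sync with that check.`. A unit test asserting that an LP route without `validate.payload` still goes through `validateObject` while an NP route does not would pin the intended split. The enclosing HttpServer method starts before this hunk.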
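Review bot: `likelyhood` in the third added comment line should read `likelihood`. The comment names the risk but not the check that addresses it; since `validateObject` is the function actually applied on the next line, presumably it is where the rejected keys are defined, so a pointer such as `// See validateObject for the exact check applied to the parsed body.` would save the next reader a lookup. getServerOptions continues outside this hunk.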
@@ -119,14 +123,14 @@ export function createServer(serverOptions: ServerOptions, listenerOptions: List
 export interface HapiValidationError extends ValidationError {
 output: {
 statusCode: number;
- headers: Util.Dictionary;
+ headers: Util.Dictionary>;
 payload: {
 statusCode: number;
 error: string;
 message?: string;
 validation: {
 source: string;
- keys: string[];
+ keys: Array;
 };
 };
 };
@@ -148,7 +152,7 @@ export function defaultValidationErrorHandler(
 // https://github.com/hapijs/hapi/blob/master/lib/validation.js#L102
 if (err && err.name === 'ValidationError' && err.hasOwnProperty('output')) {
 const validationError: HapiValidationError = err as HapiValidationError;
- const validationKeys: string[] = [];
+ const validationKeys: Array = [];
 validationError.details.forEach(detail => {
 if (detail.path.length > 0) {
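Review bot: As rendered, the new `keys: Array;` and `headers: Util.Dictionary>;` lines carry no type argument, which does not compile under strict TypeScript (`Array` requires one); most likely the `<string>` and `<string | string[]>` arguments were stripped when the patch was rendered, so this may be a display artifact rather than a defect in the commit. If the intended change is `string[]` → `Array<string>`, it is a style-only edit with no runtime effect, and the file should use whichever form the project's `@typescript-eslint/array-type` setting enforces rather than mixing both. The same applies to `const validationKeys: Array = [];` in the following hunk of defaultValidationErrorHandler, whose body continues past the end of this chunk.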