From d6ae8bb30dbe54d592878c6a3fcd21672429336d Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Tue, 22 Oct 2019 14:36:56 -0400
Subject: [PATCH] fixing NP validation bypass

---
 src/core/server/http/http_server.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/core/server/http/http_server.ts b/src/core/server/http/http_server.ts
index d496737c88023..9d57fa08af35e 100644
--- a/src/core/server/http/http_server.ts
+++ b/src/core/server/http/http_server.ts
@@ -129,6 +129,8 @@ export class HttpServer {
       for (const route of router.getRoutes()) {
         this.log.debug(`registering route handler for [${route.path}]`);
         const { authRequired = true, tags } = route.options;
+        // Hapi does not allow payload validation to be specified for 'head' or 'get' requests
+        const validate = ['head', 'get'].includes(route.method) ? undefined : { payload: true };
         this.server.route({
           handler: route.handler,
           method: route.method,
@@ -140,9 +142,7 @@ export class HttpServer {
             // We are telling Hapi that NP routes can accept any payload, so that it can bypass the default
             // validation applied in ./http_tools#getServerOptions
             // (All NP routes are already required to specify their own validation in order to access the payload)
-            validate: {
-              payload: true,
-            },
+            validate,
           },
         });
       }