Omit adding the osd-version header when the Fetch request was expli…

…citly asked to not prepend the `basePath` Fixes #3277 Signed-off-by: Miki <[email protected]>
opensearch-project · Mar 22, 2023 · c55ee28 · c55ee28
1 parent de06344
commit c55ee28
Show file tree

Hide file tree

Showing 6 changed files with 25 additions and 5 deletions.
diff --git a/src/core/public/http/fetch.ts b/src/core/public/http/fetch.ts
@@ -31,6 +31,7 @@
 import { omitBy } from 'lodash';
 import { format } from 'url';
 import { BehaviorSubject } from 'rxjs';
+import { isRelativeUrl } from '@osd/std';
 
 import {
   IBasePath,
@@ -144,7 +145,6 @@ export class Fetch {
       headers: removedUndefined({
         'Content-Type': 'application/json',
         ...options.headers,
-        'osd-version': this.params.opensearchDashboardsVersion,
       }),
     };
 
@@ -158,6 +158,16 @@ export class Fetch {
       fetchOptions.headers['osd-system-request'] = 'true';
     }
 
+    /* `osd-version` is used on the server-side to make sure that an incoming request originated from a front-end
+     * of the same version; see core/server/http/lifecycle_handlers.ts
+     *
+     * If url equals `basePath,  starts with `basePath` + '/', or is relative, add `osd-version` header.
+     */
+    const basePath = this.params.basePath.get();
+    if (isRelativeUrl(url) || url === basePath || url.startsWith(`${basePath}/`)) {
+      fetchOptions.headers['osd-version'] = this.params.opensearchDashboardsVersion;
+    }
+
     return new Request(url, fetchOptions as RequestInit);
   }
 

diff --git a/src/core/server/http/integration_tests/lifecycle_handlers.test.ts b/src/core/server/http/integration_tests/lifecycle_handlers.test.ts
@@ -231,12 +231,14 @@ describe('core lifecycle handlers', () => {
             .expect(200, 'ok');
         });
 
+        // ToDo: Remove next; `osd-version` incorrectly used for satisfying XSRF protection
         it('accepts requests with the version header', async () => {
           await getSupertest(method.toLowerCase(), testPath)
             .set(versionHeader, actualVersion)
             .expect(200, 'ok');
         });
 
+        // ToDo: Rename next; `osd-version` incorrectly used for satisfying XSRF protection
         it('rejects requests without either an xsrf or version header', async () => {
           await getSupertest(method.toLowerCase(), testPath).expect(400, {
             statusCode: 400,
@@ -245,6 +247,7 @@ describe('core lifecycle handlers', () => {
           });
         });
 
+        // ToDo: Rename next; `osd-version` incorrectly used for satisfying XSRF protection
         it('accepts whitelisted requests without either an xsrf or version header', async () => {
           await getSupertest(method.toLowerCase(), whitelistedTestPath).expect(200, 'ok');
         });

diff --git a/src/core/server/http/lifecycle_handlers.test.ts b/src/core/server/http/lifecycle_handlers.test.ts
@@ -102,6 +102,7 @@ describe('xsrf post-auth handler', () => {
       expect(result).toEqual('next');
     });
 
+    // ToDo: Remove; `osd-version` incorrectly used for satisfying XSRF protection
     it('accepts requests with version header', () => {
       const config = createConfig({ xsrf: { whitelist: [], disableProtection: false } });
       const handler = createXsrfPostAuthHandler(config);
@@ -199,7 +200,7 @@ describe('versionCheck post-auth handler', () => {
     responseFactory = httpServerMock.createLifecycleResponseFactory();
   });
 
-  it('forward the request to the next interceptor if header matches', () => {
+  it('forward the request to the next interceptor if osd-version header matches the actual version', () => {
     const handler = createVersionCheckPostAuthHandler('actual-version');
     const request = forgeRequest({ headers: { 'osd-version': 'actual-version' } });
 
@@ -212,7 +213,7 @@ describe('versionCheck post-auth handler', () => {
     expect(result).toBe('next');
   });
 
-  it('returns a badRequest error if header does not match', () => {
+  it('returns a badRequest error if osd-version header exists but does not match the actual version', () => {
     const handler = createVersionCheckPostAuthHandler('actual-version');
     const request = forgeRequest({ headers: { 'osd-version': 'another-version' } });
 
@@ -236,7 +237,7 @@ describe('versionCheck post-auth handler', () => {
     expect(result).toBe('badRequest');
   });
 
-  it('forward the request to the next interceptor if header is not present', () => {
+  it('forward the request to the next interceptor if osd-version header is not present', () => {
     const handler = createVersionCheckPostAuthHandler('actual-version');
     const request = forgeRequest({ headers: {} });
 

diff --git a/src/core/server/http/lifecycle_handlers.ts b/src/core/server/http/lifecycle_handlers.ts
@@ -54,8 +54,9 @@ export const createXsrfPostAuthHandler = (config: HttpConfig): OnPostAuthHandler
     const hasVersionHeader = VERSION_HEADER in request.headers;
     const hasXsrfHeader = XSRF_HEADER in request.headers;
 
+    // ToDo: Remove !hasVersionHeader; `osd-version` incorrectly used for satisfying XSRF protection
     if (!isSafeMethod(request.route.method) && !hasVersionHeader && !hasXsrfHeader) {
-      return response.badRequest({ body: `Request must contain a ${XSRF_HEADER} header.` });
+      return response.badRequest({ body: `Request must contain the ${XSRF_HEADER} header.` });
     }
 
     return toolkit.next();

diff --git a/src/plugins/bfetch/public/plugin.ts b/src/plugins/bfetch/public/plugin.ts
@@ -95,6 +95,7 @@ export class BfetchPublicPlugin
       url: `${basePath}/${removeLeadingSlash(params.url)}`,
       headers: {
         'Content-Type': 'application/json',
+        'osd-xsrf': 'osd-bfetch',
         'osd-version': version,
         ...(params.headers || {}),
       },

diff --git a/src/plugins/opensearch_dashboards_legacy/public/angular/angular_config.tsx b/src/plugins/opensearch_dashboards_legacy/public/angular/angular_config.tsx
@@ -159,6 +159,8 @@ export const $setupXsrfRequestInterceptor = (version: string) => {
   // Configure jQuery prefilter
   $.ajaxPrefilter(({ osdXsrfToken = true }: any, originalOptions, jqXHR) => {
     if (osdXsrfToken) {
+      jqXHR.setRequestHeader('osd-xsrf', 'osd-legacy');
+      // ToDo: Remove next; `osd-version` incorrectly used for satisfying XSRF protection
       jqXHR.setRequestHeader('osd-version', version);
     }
   });
@@ -170,6 +172,8 @@ export const $setupXsrfRequestInterceptor = (version: string) => {
         request(opts) {
           const { osdXsrfToken = true } = opts as any;
           if (osdXsrfToken) {
+            set(opts, ['headers', 'osd-xsrf'], 'osd-legacy');
+            // ToDo: Remove next; `osd-version` incorrectly used for satisfying XSRF protection
             set(opts, ['headers', 'osd-version'], version);
           }
           return opts;