
[Extensions] How to ensure REST Requests passed extension do not expose sensitive information? #4429

Open
peternied opened this issue Sep 6, 2022 · 0 comments
Labels: discuss (Issues intended to help drive brainstorming and decision making), enhancement (Enhancement or improvement to existing feature or request)

Comments

@peternied (Member)

Is your feature request related to a problem? Please describe.
When receiving a REST API request that is registered to an extension, parts of the request are serialized and sent to the extension so they can be processed. This is limited at the moment, but in the future extensions might need header information or other potentially sensitive properties.

How should we ensure that extensions only get limited information to keep their access properly limited?

Nightmare scenario: Extension gets the headers from a REST API request to OpenSearch, included is the Authentication header, the extension then impersonates the user using their permissions.

Describe the solution you'd like
Unsure

Describe alternatives you've considered
Don't forward any headers of any kind - might be too limiting

Have a specific list of allowed headers to provide - manually inspect this list to ensure it doesn't include COOKIE or AUTHENTICATION

Additional context
#4415 (comment)
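One way to implement the allowlist alternative described in the issue, as an added example that is not OpenSearch or extension-framework code: forward only headers on an explicit allowlist, compare names case-insensitively (HTTP header names are case-insensitive, so a case-sensitive check is a bypass), and keep a separate credential set that is excluded unconditionally and audited against the allowlist at startup, so the "manual inspection" step becomes a check the node runs on itself. The header names in `FORWARDABLE_HEADERS`, the dict-of-lists request shape, and the sample request are assumptions made for the example.

```python
"""Allowlist filter for the headers forwarded from a REST request to an extension.

Added example, not OpenSearch code: the header names in FORWARDABLE_HEADERS,
the dict-of-lists request shape and the sample request are assumptions made
for illustration.
"""
from __future__ import annotations

# Headers that carry credentials or session state. They are excluded
# unconditionally, so an accidental allowlist edit cannot forward them.
CREDENTIAL_HEADERS: frozenset[str] = frozenset({
    "authorization",
    "proxy-authorization",
    "cookie",
    "set-cookie",
})

# Explicit allowlist of headers an extension may see (assumed for the example).
# Anything not listed here is dropped, so a header introduced later is not
# forwarded until someone deliberately adds it.
FORWARDABLE_HEADERS: frozenset[str] = frozenset({
    "content-type",
    "accept",
    "x-opaque-id",
})


def audit_allowlist(allowlist: frozenset[str] | set[str] = FORWARDABLE_HEADERS) -> set[str]:
    """Return allowlist entries that name a credential header (empty set = OK).

    Intended to run once at startup so a bad allowlist fails the node rather
    than leaking on the first request. Comparison is case-insensitive because
    HTTP header names are.
    """
    return {name.lower() for name in allowlist} & CREDENTIAL_HEADERS


def filter_headers(
    headers: dict[str, list[str]],
    allowlist: frozenset[str] | set[str] = FORWARDABLE_HEADERS,
) -> dict[str, list[str]]:
    """Keep only allowlisted, non-credential headers, with names lower-cased.

    Lower-casing both sides closes the obvious bypass where the client sends
    "AUTHORIZATION" or "CoOkIe" and a case-sensitive check lets it through.
    Credential headers are removed even if the allowlist names them.
    """
    allowed = {name.lower() for name in allowlist} - CREDENTIAL_HEADERS
    return {
        name.lower(): list(values)
        for name, values in headers.items()
        if name.lower() in allowed
    }


# Constructed sample request headers (not captured traffic). The Basic
# credential is the literal string "admin:admin" base64-encoded.
SAMPLE_REQUEST_HEADERS: dict[str, list[str]] = {
    "Authorization": ["Basic YWRtaW46YWRtaW4="],
    "Cookie": ["security_authentication=abc123"],
    "Content-Type": ["application/json"],
    "X-Opaque-Id": ["req-42"],
    "X-Forwarded-For": ["10.0.0.5"],
}


def forwarded_view(headers: dict[str, list[str]] = SAMPLE_REQUEST_HEADERS) -> dict[str, list[str]]:
    """What the extension would actually receive for the given request."""
    problems = audit_allowlist()
    if problems:
        raise RuntimeError(f"allowlist forwards credential headers: {sorted(problems)}")
    return filter_headers(headers)


if __name__ == "__main__":
    print(forwarded_view())
```

The point of keeping two sets rather than one is that the allowlist answers "what does the extension need?" and can change as extensions grow, while the credential set answers "what must never cross the boundary?" and should only ever grow; `audit_allowlist` turns the manual review of the allowlist into a startup assertion.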
