From 0d4cf8160bc5634ffd5539ebd651264ee75918b0 Mon Sep 17 00:00:00 2001 From: "opensearch-trigger-bot[bot]" <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com> Date: Mon, 10 Jul 2023 16:48:06 +0800 Subject: [PATCH] fix: add validation on data.method when using transport.request (#801) (#803) * fix: add validation on data.method when using tranport.request * feat: add validation on endpoint * feat: add unit test * feat: add more protect --------- (cherry picked from commit 13fb97fac3db5d6af6ef03b2bee8e04c80de4094) Signed-off-by: SuZhoue-Joe Signed-off-by: SuZhou-Joe Co-authored-by: suzhou --- server/services/CommonService.test.ts | 97 +++++++++++++++++++++++++++ server/services/CommonService.ts | 34 +++++++++- 2 files changed, 130 insertions(+), 1 deletion(-) create mode 100644 server/services/CommonService.test.ts diff --git a/server/services/CommonService.test.ts b/server/services/CommonService.test.ts new file mode 100644 index 000000000..945f5fedb --- /dev/null +++ b/server/services/CommonService.test.ts @@ -0,0 +1,97 @@ +import { + ILegacyCustomClusterClient, + OpenSearchDashboardsRequest, + OpenSearchDashboardsResponseFactory, + RequestHandlerContext, +} from "opensearch-dashboards/server"; +import CommonService from "./CommonService"; + +const contextMock = { + core: {}, +} as RequestHandlerContext; +const responseMock = ({ + custom: jest.fn((args) => args), +} as unknown) as OpenSearchDashboardsResponseFactory; + +const mockedClient = { + callAsCurrentUser: jest.fn(), + callAsInternalUser: jest.fn(), + close: jest.fn(), + asScoped: jest.fn(() => ({ + callAsCurrentUser: jest.fn((...args) => args), + callAsInternalUser: jest.fn(), + })), +} as any; + +describe("CommonService spec", () => { + it("http method should valid when calling transport.request", async () => { + const commonService = new CommonService(mockedClient); + const result = await commonService.apiCaller( + contextMock, + { + body: { + endpoint: "transport.request", + data: { + method: "invalid method", + }, + }, + } as OpenSearchDashboardsRequest, + responseMock + ); + expect(result).toEqual({ + statusCode: 200, + body: { + ok: false, + error: `Method must be one of, case insensitive ['HEAD', 'GET', 'POST', 'PUT', 'DELETE']. Received 'invalid method'.`, + }, + }); + }); + + it("should return error when no endpoint is provided", async () => { + const commonService = new CommonService(mockedClient); + const result = await commonService.apiCaller( + contextMock, + { + body: { + endpoint: "", + }, + } as OpenSearchDashboardsRequest, + responseMock + ); + expect(result).toEqual({ + statusCode: 200, + body: { + ok: false, + error: `Expected non-empty string on endpoint`, + }, + }); + }); + + it("should patch path when data.path does not start with /", async () => { + const commonService = new CommonService(mockedClient); + const result = await commonService.apiCaller( + contextMock, + { + body: { + endpoint: "transport.request", + data: { + path: "", + }, + }, + } as OpenSearchDashboardsRequest, + responseMock + ); + expect(result).toEqual({ + statusCode: 200, + body: { + ok: true, + response: [ + "transport.request", + { + path: "/", + }, + ], + }, + }); + }); +}); diff --git a/server/services/CommonService.ts b/server/services/CommonService.ts index f264b10e8..a4eff7946 100644 --- a/server/services/CommonService.ts +++ b/server/services/CommonService.ts @@ -14,11 +14,13 @@ import { } from "../../../../src/core/server"; import { IAPICaller } from "../../models/interfaces"; +const VALID_METHODS = ["HEAD", "GET", "POST", "PUT", "DELETE"]; + export interface ICommonCaller { (arg: any): T; } -export default class IndexService { +export default class CommonService { osDriver: ILegacyCustomClusterClient; constructor(osDriver: ILegacyCustomClusterClient) { @@ -36,12 +38,42 @@ export default class IndexService { try { const { callAsCurrentUser: callWithRequest } = this.osDriver.asScoped(request); const finalData = data; + + /** + * The endpoint must not be an empty string, reference from proxy caller + */ + if (!endpoint) { + return response.custom({ + statusCode: 200, + body: { + ok: false, + error: `Expected non-empty string on endpoint`, + }, + }); + } + /** * Update path parameter to follow RFC/generic HTTP convention */ if (endpoint === "transport.request" && typeof finalData?.path === "string" && !/^\//.test(finalData?.path || "")) { finalData.path = `/${finalData.path || ""}`; } + + /** + * Check valid method here + */ + if (endpoint === "transport.request" && data?.method) { + if (VALID_METHODS.indexOf(data.method.toUpperCase?.()) === -1) { + return response.custom({ + statusCode: 200, + body: { + ok: false, + error: `Method must be one of, case insensitive ['HEAD', 'GET', 'POST', 'PUT', 'DELETE']. Received '${data.method}'.`, + }, + }); + } + } + const payload = useQuery ? JSON.parse(finalData || "{}") : finalData; const commonCallerResponse = await callWithRequest(endpoint, payload || {}); return response.custom({