-
Notifications
You must be signed in to change notification settings - Fork 923
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Omit adding the osd-version
header when the Fetch request is to an external origin
#3643
Omit adding the osd-version
header when the Fetch request is to an external origin
#3643
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the failures since we utilized this for XRSF.
if (!isSafeMethod(request.route.method) && !hasVersionHeader && !hasXsrfHeader) { |
It might not be the proper way of handling XSRF but by removing it causes these errors to be thrown.
4236cef
to
fb9468f
Compare
fb9468f
to
c55ee28
Compare
If it is a |
c55ee28
to
d8be993
Compare
osd-version
header when the Fetch request was explicitly asked to not prepend the basePath
osd-version
header when the _Fetch_ request is to an external origin
osd-version
header when the _Fetch_ request is to an external originosd-version
header when the Fetch request is to an external origin
d8be993
to
f0b5ae9
Compare
f0b5ae9
to
18a3b21
Compare
@AMoo-Miki There are some snapshots that need updating. |
18a3b21
to
ead7e34
Compare
Oops; i thought i committed and pushed it... just did. |
ead7e34
to
b22eba6
Compare
b22eba6
to
c71b2ac
Compare
…external origin * Making `fetch` requests using core/public/http/fetch, an `osd-version` header is forcefully added, even to external requests. This change examines the destination and only adds the header to relative URLs and those that are to OSD itself. * This change also adds `osd-xsrf` to calls that use `osd-version` incorrectly to satisfy XSRF protection Fixes opensearch-project#3277 Signed-off-by: Miki <[email protected]>
c71b2ac
to
ff6f6f6
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think looks good to me. Pulled it down working. It's also working with the basic settings for security plugin.
One thing I'm not able to completely test is if any functionality relied on the osd-version
header being present just so the redirect can be attached to the request and not fail.
For example, on main
:
This succeeds:
curl localhost:5601/hdn/api/status -ku 'admin:admin'
This succeeds:
curl localhost:5601/hdn/api/status -ku 'admin:admin' -H osd-version:3.0.0
This succeeds:
curl localhost:5601/hdn/api/status -ku 'admin:admin' -H osd-version:
This fails:
curl localhost:5601/hdn/api/status -ku 'admin:admin' -H osd-version:3.5.0
Which makes sense because the version mismatch. So if any functionality outside of what I tested relied on the osd-version and utilized the fetch call might be broken if the fetch was passed from one request to another.
So I don't know want to block it on something that I can't test especially if the value being not present still works for us. But I do believe we might want to mention in higher in the changelog.
Like something that mentions,
HTTP Fetch from Core OpenSearch Dashboards no longer default appends the osd-version
.
Rocky, this change makes sure |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@AMoo-Miki Is there a follow-up issue already created to keep track of these todos?
@@ -54,8 +54,9 @@ export const createXsrfPostAuthHandler = (config: HttpConfig): OnPostAuthHandler | |||
const hasVersionHeader = VERSION_HEADER in request.headers; | |||
const hasXsrfHeader = XSRF_HEADER in request.headers; | |||
|
|||
// ToDo: Remove !hasVersionHeader; `osd-version` incorrectly used for satisfying XSRF protection |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit - todo comments should have issues opened to link to.
…external origin (#3643) * Making `fetch` requests using core/public/http/fetch, an `osd-version` header is forcefully added, even to external requests. This change examines the destination and only adds the header to relative URLs and those that are to OSD itself. * This change also adds `osd-xsrf` to calls that use `osd-version` incorrectly to satisfy XSRF protection Fixes #3277 Signed-off-by: Miki <[email protected]> (cherry picked from commit 0762566) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> # Conflicts: # CHANGELOG.md
…quest is to an external origin (#3867) * Omit adding the `osd-version` header when the Fetch request is to an external origin (#3643) * Making `fetch` requests using core/public/http/fetch, an `osd-version` header is forcefully added, even to external requests. This change examines the destination and only adds the header to relative URLs and those that are to OSD itself. * This change also adds `osd-xsrf` to calls that use `osd-version` incorrectly to satisfy XSRF protection Fixes #3277 Signed-off-by: Miki <[email protected]> (cherry picked from commit 0762566) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> # Conflicts: # CHANGELOG.md * add changelog Signed-off-by: Josh Romero <[email protected]> --------- Signed-off-by: Josh Romero <[email protected]> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Josh Romero <[email protected]>
Description
fetch
requests using core/public/http/fetch, anosd-version
header is forcefully added, even to external requests. This change examines the destination and only adds the header to relative URLs and those that are to OSD itself.osd-xsrf
to calls that useosd-version
incorrectly to satisfy XSRF protectionIssues Resolved
Fixes #3277
Check List
yarn test:jest
yarn test:jest_integration
yarn test:ftr