
Solutions


1. Change the resource identifier from a path param to a query param in the openapi.yml.

Sample URL:

ncmp/passthrough:Operational?resourceIdentifier=turingmachine:turingmachine/xyz/abc&query={depth=6,fields=abc/x/y/c}

Sample of the definition in openapi.yaml (the existing component name is kept; only the location changes):

resourceIdentifierInPath:
  name: resourceIdentifier
  in: query
  description: Resource identifier to get/set the resource data
  required: true
  schema:
    type: string

Pros
We are still using OpenAPI.

Cons
We are changing the URL.
2. Keep it as a path param, but assume that everything after this slash belongs to the resource identifier only:

/passthrough:Operational/{resource-identifier:.+}

Because this is a single path param, any slash inside the value has to be URL-encoded (%2F), and Spring Security's StrictHttpFirewall rejects encoded slashes by default. So the HttpFirewall has to be changed:

    final StrictHttpFirewall firewall = new StrictHttpFirewall();
    firewall.setAllowUrlEncodedSlash(true);

https://programmer.help/blogs/spring-security-has-its-own-firewall-you-don-t-know-how-secure-your-system-is.html

Pros
We can still use OpenAPI.

Cons
This workaround is not advised. As the description of CVE-2007-0450 (an Apache Tomcat issue) puts it, this kind of handling allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL. The same class of problem is why StrictHttpFirewall rejects encoded slashes by default: once %2F is accepted, the firewall's normalization check still only splits on literal slashes, so a segment such as ..%2F.. passes the firewall and only becomes a real ../.. after the path is decoded. Note that setAllowUrlEncodedSlash(true) relaxes only %2F/%2f; %5C, %2e and literal ".." segments are still rejected unless those checks are disabled separately.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450
https://www.baeldung.com/spring-slash-character-in-url
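The following is an added example, not code from the original page or from its project, showing what the firewall change in option 2 does and does not relax. It assumes spring-security-web 5.x (javax servlet API; the same classes exist under Spring Security 6 with jakarta) and uses MockHttpServletRequest from spring-test to feed raw, still-encoded request URIs straight into StrictHttpFirewall. The class name, the helper methods and the probe URIs are constructed for this demonstration; the legitimate probe is the option 2 encoding of the page's sample resource identifier.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

/**
 * Probes StrictHttpFirewall with its default settings and with the
 * setAllowUrlEncodedSlash(true) change proposed in option 2, so the effect
 * can be seen before the firewall is wired into the application.
 */
public class EncodedSlashFirewallProbe {

    /** The firewall option 2 proposes: identical to the default except that %2F / %2f pass. */
    public static StrictHttpFirewall relaxedFirewall() {
        final StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowUrlEncodedSlash(true);
        // To activate it in Spring Security, expose a WebSecurityCustomizer bean that calls
        // web.httpFirewall(firewall) (or override configure(WebSecurity) on older versions).
        return firewall;
    }

    /** True if the firewall lets the request through, false if it throws RequestRejectedException. */
    public static boolean accepts(final StrictHttpFirewall firewall, final String requestUri) {
        // MockHttpServletRequest stands in for a container request; requestURI is the raw,
        // still-encoded path that the firewall inspects (servletPath is "" and pathInfo null here).
        final MockHttpServletRequest request = new MockHttpServletRequest("PUT", requestUri);
        try {
            firewall.getFirewalledRequest(request);
            return true;
        } catch (RequestRejectedException rejected) {
            return false;
        }
    }

    public static void main(final String[] args) {
        final StrictHttpFirewall defaults = new StrictHttpFirewall();
        final StrictHttpFirewall relaxed = relaxedFirewall();

        // Constructed probe URIs (not taken from the page): one legitimate identifier whose
        // slashes are encoded as option 2 requires, then traversal attempts in several encodings.
        final Map<String, String> probes = new LinkedHashMap<>();
        probes.put("legitimate, encoded slashes",
            "/ncmp/passthrough:Operational/turingmachine:turingmachine%2Fxyz%2Fabc");
        probes.put("plain dot-dot, plain slashes",
            "/ncmp/passthrough:Operational/../../etc/passwd");
        probes.put("plain dot-dot, encoded slashes",
            "/ncmp/passthrough:Operational/..%2F..%2Fetc%2Fpasswd");
        probes.put("encoded dot-dot, encoded slashes",
            "/ncmp/passthrough:Operational/%2e%2e%2F%2e%2e%2Fetc%2Fpasswd");
        probes.put("encoded backslashes",
            "/ncmp/passthrough:Operational/..%5C..%5Cetc%5Cpasswd");

        System.out.printf("%-36s %-8s %-8s%n", "probe", "default", "relaxed");
        for (final Map.Entry<String, String> probe : probes.entrySet()) {
            System.out.printf("%-36s %-8s %-8s%n", probe.getKey(),
                accepts(defaults, probe.getValue()), accepts(relaxed, probe.getValue()));
        }
    }
}
```

Run it as a plain main(). The default firewall rejects every probe, the legitimate one included, which is exactly the problem option 2 runs into. The relaxed firewall lets the legitimate identifier through, but it also lets through the ..%2F..%2Fetc%2Fpasswd probe: the normalization check in StrictHttpFirewall splits the URI on literal slashes only, so that whole string is one opaque segment until something decodes %2F. The %2e and %5C probes and the plain ../.. probe stay rejected, because setAllowUrlEncodedSlash touches only the forward-slash entries of the blocklist. In a real deployment the servlet container has a rule of its own as well (Tomcat rejects an encoded slash by default; see its encodedSolidusHandling connector attribute), so option 2 means relaxing two layers, and whatever consumes the decoded identifier must then reject or normalize .. itself.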

3. Create a method in the controller without using OpenAPI.

Code Block (java)

    // Needs org.springframework.web.servlet.HandlerMapping and org.springframework.util.AntPathMatcher
    // in addition to the usual Spring MVC imports.
    @RequestMapping(value = "/v1/ch/{cmHandle}/data/ds/ncmp-datastore:passthrough-running/**",
        produces = {"application/json"},
        consumes = {"application/json"},
        method = RequestMethod.PUT)
    public ResponseEntity<Object> getResourceDataPassthroughRunningForCmHandle(
        @PathVariable("cmHandle") final String cmHandle,
        final HttpServletRequest request,
        @RequestBody final DataAccessReadRequest body,
        @RequestHeader(value = "accept", required = false) final String accept,
        @RequestParam(value = "fields", required = false) final String fields,
        @Min(1) @Valid @RequestParam(value = "depth", required = false) final Integer depth) {
        // The "/**" tail is not bound to a @PathVariable, so recover it from the attributes
        // Spring MVC sets on the request: the matched pattern and the path that was actually requested.
        // (Passing request.toString() would hand the service the request object's description, not the path.)
        final String pattern = (String) request.getAttribute(HandlerMapping.BEST_MATCHING_PATTERN_ATTRIBUTE);
        final String path = (String) request.getAttribute(HandlerMapping.PATH_WITHIN_HANDLER_MAPPING_ATTRIBUTE);
        final String resourceIdentifier = new AntPathMatcher().extractPathWithinPattern(pattern, path);
        final var modulesListAsJson = dmiService.getResourceDataPassThroughRunningForCmHandle(cmHandle,
            resourceIdentifier,
            accept,
            fields,
            depth,
            body.getCmHandleProperties());
        return ResponseEntity.ok(modulesListAsJson);
    }

Pros

Does not change the URL.

We may need to use this approach for other methods as well.

Cons

Does not use OpenAPI.