Jira (ONAP Jira): CPS-679
Add Rahul's bug
Jira (ONAP Jira): CPS-678


Open Issues

1. Which option should be chosen from the solutions below?
2. For solution no. 1, should fields be a known parameter while queries can be an unknown parameter?

...


Description | Example | Pros & Cons

Option 1: Change the resource identifier from a path param to a query param in openapi.yml
  - the resource identifier will be mandatory
  - options will be optional; it can contain any query param with comma-separated values

Sample URL:
  ncmp/passthrough:Operational?resourceIdentifier=turingmachine:turingmachine/xyz/abc&queryoptions={depth=6,fields=abc/x/y/c}

Sample definition in openapi.yaml:
  resourceIdentifierInPath:
    name: resourceIdentifier
    in: query
    description: Resource identifier to get/set the resource data
    required: true
    schema:
      type: string

Pros:
  We are still using OpenAPI.

Cons:
  We are changing the URL.
  Does not have a single resource path.

Option 2: Keep it as a path param, but assume that all values after this slash belong to this resource only

  /passthrough:Operational/{resource-identifier: .+}

As it is a single param, if the value is entered URL-encoded then the Spring HttpFirewall has to be changed:

  final StrictHttpFirewall firewall = new StrictHttpFirewall();
  firewall.setAllowUrlEncodedSlash(true);

https://programmer.help/blogs/spring-security-has-its-own-firewall-you-don-t-know-how-secure-your-system-is.html

Pros:
  We can still use OpenAPI.

Cons of this workaround:
  This workaround is not advised, as it allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL.
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450
  https://www.baeldung.com/spring-slash-character-in-url
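An added example, not from this page or the ONAP CPS code base, written in Python so it runs without Spring: it shows option 1's identifier arriving intact as a query parameter, and for option 2 the checks a gateway should apply to the `.+` path remainder itself, mirroring what StrictHttpFirewall rejects by default so that setAllowUrlEncodedSlash(true) is not needed. The base URL and every input below are constructed.

```python
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Constructed sample: the page's identifier, carried option-1 style as a query parameter.
SAMPLE_IDENTIFIER = "turingmachine:turingmachine/xyz/abc"
SAMPLE_QUERY_URL = ("https://ncmp.example/ncmp/passthrough:Operational?resourceIdentifier="
                    + quote(SAMPLE_IDENTIFIER, safe="") + "&depth=6")

ENCODED_SEPARATORS = ("%2f", "%5c")   # "/" and "\" percent-encoded, compared case-insensitively
ENCODED_PERIOD = "%2e"


def resource_identifier_from_query(url: str) -> str:
    """Option 1: the identifier is a mandatory query parameter, so the slashes
    inside it are never part of path matching and need no HttpFirewall change."""
    params = parse_qs(urlsplit(url).query, strict_parsing=True)
    values = params.get("resourceIdentifier", [])
    if len(values) != 1:
        raise ValueError("exactly one resourceIdentifier query parameter is required")
    return values[0]


def check_path_resource_identifier(raw_remainder: str) -> tuple[bool, str]:
    """Option 2: the identifier is the '.+' remainder of the path, still percent-encoded.

    Apply the rejections StrictHttpFirewall performs by default (encoded slash,
    backslash, encoded period, empty or '..' segment) before the remainder is
    handed to the DMI backend. Returns (True, decoded identifier) or (False, reason).
    """
    lowered = raw_remainder.lower()
    for token in ENCODED_SEPARATORS:
        if token in lowered:
            return False, f"encoded separator {token}"
    if ENCODED_PERIOD in lowered:
        return False, "encoded period"
    decoded = unquote(raw_remainder)      # decode exactly once, never repeatedly
    if "\\" in decoded:
        return False, "backslash"
    if any(segment in ("", ".", "..") for segment in decoded.split("/")):
        return False, "empty or dot segment"
    return True, decoded


if __name__ == "__main__":
    print(resource_identifier_from_query(SAMPLE_QUERY_URL))
    for remainder in (SAMPLE_IDENTIFIER, "turingmachine%3Aturingmachine%2Fxyz",
                      "xyz/../../secret", "a//b"):
        print(remainder, "->", check_path_resource_identifier(remainder))
```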

Option 3: Create a method in the controller without using OpenAPI

Code Block (java):

    // Imports needed at the top of the controller class for this method to compile
    import javax.servlet.http.HttpServletRequest;
    import javax.validation.Valid;
    import javax.validation.constraints.Min;
    import org.springframework.http.ResponseEntity;
    import org.springframework.web.bind.annotation.*;

    // A hand-written mapping with a '**' wildcard instead of an OpenAPI-generated one:
    // the wildcard captures the resource identifier, slashes included, so no path
    // variable (and no HttpFirewall change) is needed.
    @RequestMapping(value = "/v1/ch/{cmHandle}/data/ds/ncmp-datastore:passthrough-running/**",
        produces = {"application/json"},
        consumes = {"application/json"},
        method = RequestMethod.PUT)
    public ResponseEntity<Object> getResourceDataPassthroughRunningForCmHandle(
        @PathVariable("cmHandle") final String cmHandle,
        final HttpServletRequest request,
        @RequestBody final DataAccessReadRequest body,
        @RequestHeader(value = "accept", required = false) final String accept,
        @RequestParam(value = "fields", required = false) final String fields,
        @Min(1) @Valid @RequestParam(value = "depth", required = false) final Integer depth) {
        // The resource identifier is the part of the request URI matched by '**'
        // (the original called toString() on the HttpServletRequest, which does not yield it).
        final String requestUri = request.getRequestURI();
        final String marker = "/ncmp-datastore:passthrough-running/";
        final String resourceIdentifier =
            requestUri.substring(requestUri.indexOf(marker) + marker.length());
        final var modulesListAsJson = dmiService.getResourceDataPassThroughRunningForCmHandle(cmHandle,
            resourceIdentifier,
            accept,
            fields,
            depth,
            body.getCmHandleProperties());
        return ResponseEntity.ok(modulesListAsJson);
    }




Pros:
  We may need to use this approach for other methods.
  Does not change the URL.

Cons:
  Does not use OpenAPI.

...