
CPS-679


Open Issues

1. Which option to choose from the solutions below?
2. For solution no. 1, should fields be a known parameter while queries can be an unknown parameter?

Description of the bug

Currently, NCMP does NOT support slashes (/) in the resource identifier, as the OpenAPI definition would regard everything after a slash as a separate REST path, i.e. a different REST endpoint.

Slashes are currently not supported by OpenAPI for path params: https://github.com/OAI/OpenAPI-Specification/issues/892#issuecomment-281170254


Currently supported

/v1/ch/node1/data/ds/ncmp-datastore:passthrough-operational/turing-machine:turing-machine?fields=transition-function&depth=3

Wanted (currently not supported)

/v1/ch/node1/data/ds/ncmp-datastore:passthrough-operational/turing-machine:turing-machine/transition-function?depth=5

Solutions


Each solution is given with a description, an example and its pros & cons.

1. Change the resource identifier from a path param to a query param in the openapi.yml

Sample URL:
ncmp/passthrough:Operational?resourceIdentifier=turingmachine:turingmachine/xyz/abc&query={depth=6,fields=abc/x/y/c}


Sample definition in openapi.yaml:

resourceIdentifierInPath:
  name: resourceIdentifier
  in: query
  description: Resource identifier to get/set the resource data
  required: true
  schema:
    type: string

Pros
We are still using OpenAPI

Cons
We are changing the URL

Does not have a single resource path

2. Keep it as a path param, but assume that all values after this slash belong to this resource only

/passthrough:Operational/{resource-identifier: .+}


As it is a single param, if the value is entered URL-encoded then the Spring Security HttpFirewall has to be changed:

    // Spring Security's StrictHttpFirewall rejects URL-encoded slashes by default;
    // this opt-in is what solution 2 requires (see the cons below).
    final StrictHttpFirewall firewall = new StrictHttpFirewall();
    firewall.setAllowUrlEncodedSlash(true);

https://programmer.help/blogs/spring-security-has-its-own-firewall-you-don-t-know-how-secure-your-system-is.html
Pros
We can still use OpenAPI

Cons of this workaround
This workaround is not advised, as it allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL (CVE-2007-0450).
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450
https://www.baeldung.com/spring-slash-character-in-url
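As an added example (not CPS/NCMP code) of how a deployment that does accept encoded slashes could reduce the risk described above, the hypothetical `ResourceIdentifierValidator.isSafe` below rejects any resource identifier that, after percent-decoding, still contains a backslash, a null byte or a `.`/`..` segment, while the plain slashes between YANG nodes stay allowed. The controller would answer 400 whenever it returns false.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

/** Hypothetical helper (not CPS/NCMP code): accept a resource identifier only if it cannot express traversal. */
public final class ResourceIdentifierValidator {

    private static final int MAX_DECODE_ROUNDS = 3;

    private ResourceIdentifierValidator() {
    }

    /**
     * Returns true when the identifier, after percent-decoding, contains no backslash,
     * no null byte and no "." or ".." segment; slashes between YANG nodes are still allowed.
     */
    public static boolean isSafe(final String rawResourceIdentifier) {
        if (rawResourceIdentifier == null || rawResourceIdentifier.isEmpty()) {
            return false;
        }
        // Decode repeatedly so double-encoded sequences (e.g. %252e%252e) are caught as well.
        // URLDecoder also turns '+' into a space, which is harmless for this check.
        String decoded = rawResourceIdentifier;
        for (int round = 0; round < MAX_DECODE_ROUNDS; round++) {
            final String next;
            try {
                next = URLDecoder.decode(decoded, StandardCharsets.UTF_8);
            } catch (final IllegalArgumentException malformedEscape) {
                break; // a stray '%' that is not a valid escape; validate what we have so far
            }
            if (next.equals(decoded)) {
                break; // nothing left to decode
            }
            decoded = next;
        }
        // Backslashes and null bytes have no place in a YANG resource identifier.
        if (decoded.indexOf('\\') >= 0 || decoded.indexOf('\0') >= 0) {
            return false;
        }
        // "turing-machine:turing-machine/transition-function" passes; "../../x" does not.
        for (final String segment : decoded.split("/", -1)) {
            if (".".equals(segment) || "..".equals(segment)) {
                return false;
            }
        }
        return true;
    }
}
```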

3. Create a method in the controller without using OpenAPI (Spring MVC "**" wildcard mapping)

    // Solution 3: map the fixed prefix plus a "**" wildcard so that every remaining path
    // segment, slashes included, is treated as the resource identifier.
    @RequestMapping(value = "/v1/ch/{cmHandle}/data/ds/ncmp-datastore:passthrough-running/**",
        produces = {"application/json"},
        consumes = {"application/json"},
        method = RequestMethod.PUT)
    public ResponseEntity<Object> getResourceDataPassthroughRunningForCmHandle(
        @PathVariable("cmHandle") final String cmHandle,
        final HttpServletRequest request,
        @RequestBody final DataAccessReadRequest body,
        @RequestHeader(value = "accept", required = false) final String accept,
        @RequestParam(value = "fields", required = false) final String fields,
        @Min(1) @Valid @RequestParam(value = "depth", required = false) final Integer depth
    ) {
        // HttpServletRequest.toString() does not yield the path. Extract the part matched by "**"
        // from the attributes Spring MVC sets on the request (needs
        // org.springframework.web.servlet.HandlerMapping and org.springframework.util.AntPathMatcher).
        final String bestMatchingPattern =
            (String) request.getAttribute(HandlerMapping.BEST_MATCHING_PATTERN_ATTRIBUTE);
        final String pathWithinMapping =
            (String) request.getAttribute(HandlerMapping.PATH_WITHIN_HANDLER_MAPPING_ATTRIBUTE);
        final String resourceIdentifier =
            new AntPathMatcher().extractPathWithinPattern(bestMatchingPattern, pathWithinMapping);
        final var modulesListAsJson = dmiService.getResourceDataPassThroughRunningForCmHandle(cmHandle,
            resourceIdentifier,
            accept,
            fields,
            depth,
            body.getCmHandleProperties());
        return ResponseEntity.ok(modulesListAsJson);
    }

Pros
We may need to use this approach for other methods.
Does not change the URL

Cons
Does not use OpenAPI

