
Jira: CPS-679

Description of the bug

NCMP currently does not support slashes (/) in the resource identifier, because the OpenAPI definition treats every slash as a separator between REST path segments, i.e. as a different endpoint.

Slashes are not supported by OpenAPI inside a path parameter: https://github.com/OAI/OpenAPI-Specification/issues/892#issuecomment-281170254


Currently supported

/v1/ch/node1/data/ds/ncmp-datastore:passthrough-operational/turing-machine:turing-machine?fields=transition-function&depth=3

Wanted (currently not supported)

/v1/ch/node1/data/ds/ncmp-datastore:passthrough-operational/turing-machine:turing-machine/transition-function?depth=5

Solutions

Solution 1: Change the resource identifier from a path param to a query param in openapi.yml

Sample URL
ncmp/passthrough:operational?resourceIdentifier=turingmachine:turingmachine/xyz/abc&query={depth=6,fields=abc/x/y/c}

Sample definition in openapi.yaml
    resourceIdentifierInQuery:
      name: resourceIdentifier
      in: query
      description: Resource identifier to get/set the resource data
      required: true
      schema:
        type: string

Pros
We are still using OpenAPI. A slash is legal unencoded in a query value (RFC 3986), so the identifier can be sent as-is without any encoding trick.

Cons
We are changing the URL.
Solution 2: Keep the resource identifier as a path param, but assume that everything after this slash belongs to this resource only

/passthrough:operational/{resource-identifier:.+}

Because this is a single path parameter, the client has to percent-encode the slashes inside the value (%2F). Spring Security's StrictHttpFirewall rejects URL-encoded slashes by default, so it has to be relaxed:

    final StrictHttpFirewall firewall = new StrictHttpFirewall();
    firewall.setAllowUrlEncodedSlash(true);

https://programmer.help/blogs/spring-security-has-its-own-firewall-you-don-t-know-how-secure-your-system-is.html

Pros
We can still use OpenAPI.

Cons of this workaround
This workaround is not advised. Accepting encoded path separators is the class of mistake behind CVE-2007-0450 (Apache Tomcat used behind certain Apache HTTP Server proxy modules), which allowed remote attackers to read arbitrary files via a .. (dot dot) sequence combined with (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL. StrictHttpFirewall's other checks (backslash and %5C, encoded period %2E, non-normalized paths) stay switched on, but after this change the decoded path variable contains separators the firewall never saw, so the resource identifier has to be validated again after decoding.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450
https://www.baeldung.com/spring-slash-character-in-url
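Added example (not ONAP CPS/NCMP code and not taken from the linked articles): solution 2 wired into Spring Security, showing the single StrictHttpFirewall check that setAllowUrlEncodedSlash(true) relaxes, a controller that takes the whole identifier as one path variable, and the post-decoding validation the cons above call for. The class names EncodedSlashFirewallConfig, ResourceIdentifierGuard and PassthroughOperationalController and the package org.example.ncmp are assumptions; the code also assumes Spring Security 5.4+ (for WebSecurityCustomizer) and Spring's PathPattern matching (the Spring Boot 2.6+ default), under which a %2F inside a path segment is not treated as a separator and the variable value arrives decoded. The sample identifiers in main are constructed for the demonstration.

```java
package org.example.ncmp;  // hypothetical package, not part of ONAP CPS

import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.ResponseEntity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.firewall.StrictHttpFirewall;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

/** Solution 2 wired into Spring Security: relax exactly one StrictHttpFirewall check. */
@Configuration
class EncodedSlashFirewallConfig {

    @Bean
    WebSecurityCustomizer allowEncodedSlashOnly() {
        final StrictHttpFirewall firewall = new StrictHttpFirewall();
        // Only %2F / %2f is accepted from now on. The other defaults stay in force:
        // backslash and %5C, encoded period %2E, encoded percent %25, semicolon and %3B,
        // null bytes, and any request whose path is not normalized ("/./", "/../", "//").
        firewall.setAllowUrlEncodedSlash(true);
        return web -> web.httpFirewall(firewall);
    }
}

/**
 * Second line of defence: the path variable arrives already decoded, so validate the
 * decoded value rather than trusting the firewall alone (it only saw the encoded form).
 */
final class ResourceIdentifierGuard {

    private ResourceIdentifierGuard() { }

    static boolean isAcceptable(final String resourceIdentifier) {
        if (resourceIdentifier == null || resourceIdentifier.isEmpty()) {
            return false;
        }
        for (final String segment : resourceIdentifier.split("/", -1)) {
            // empty ("//"), "." and ".." segments are the traversal building blocks
            if (segment.isEmpty() || segment.equals(".") || segment.equals("..")) {
                return false;
            }
            for (final char c : segment.toCharArray()) {
                // a backslash, a second percent-encoding layer and control characters have no
                // legitimate place in a YANG path: reject rather than try to normalize them
                if (c == '\\' || c == '%' || c < 0x20 || c == 0x7f) {
                    return false;
                }
            }
        }
        return true;
    }

    static String checked(final String resourceIdentifier) {
        if (!isAcceptable(resourceIdentifier)) {
            throw new IllegalArgumentException("rejected resource identifier: " + resourceIdentifier);
        }
        return resourceIdentifier;
    }

    // Constructed samples: the page's wanted identifier plus the traversal variants to reject.
    public static void main(final String[] args) {
        final List<String> samples = List.of(
            "turing-machine:turing-machine/transition-function",  // wanted form, accepted
            "turing-machine:turing-machine",                       // single segment, accepted
            "../../etc/passwd",                                    // dot-dot traversal, rejected
            "turing-machine:turing-machine\\..\\x",                // backslash variant, rejected
            "turing-machine:turing-machine/%2e%2e/x",              // double-encoded, rejected
            "a//b");                                               // empty segment, rejected
        for (final String sample : samples) {
            System.out.println((isAcceptable(sample) ? "accept " : "reject ") + sample);
        }
    }
}

@RestController
class PassthroughOperationalController {

    // Client sends the slash inside the identifier encoded, e.g.
    // /v1/ch/node1/data/ds/ncmp-datastore:passthrough-operational/turing-machine:turing-machine%2Ftransition-function
    // With PathPattern matching the %2F stays inside the one segment and arrives decoded here.
    @GetMapping("/v1/ch/{cmHandle}/data/ds/ncmp-datastore:passthrough-operational/{resourceIdentifier}")
    ResponseEntity<String> getResourceData(@PathVariable final String cmHandle,
                                           @PathVariable final String resourceIdentifier) {
        final String safeIdentifier = ResourceIdentifierGuard.checked(resourceIdentifier);
        return ResponseEntity.ok(cmHandle + " -> " + safeIdentifier);  // real code would call the DMI service
    }
}
```

ResourceIdentifierGuard.main prints accept/reject for each constructed sample. The firewall is only one layer: the embedded servlet container has its own opinion on %2F (Tomcat rejects it by default; older versions control this through the org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH system property, newer ones through the connector's encodedSolidusHandling attribute), and once the value is decoded it is the application, not the firewall, that decides what a ".." inside it means.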

Solution 3: Create a method in the controller without using OpenAPI

    import javax.servlet.http.HttpServletRequest;
    import org.springframework.util.AntPathMatcher;
    import org.springframework.web.servlet.HandlerMapping;

    @RequestMapping(value = "/v1/ch/{cmHandle}/data/ds/ncmp-datastore:passthrough-running/**",
        produces = {"application/json"},
        consumes = {"application/json"},
        method = RequestMethod.PUT)
    public ResponseEntity<Object> getResourceDataPassthroughRunningForCmHandle(
        @PathVariable("cmHandle") final String cmHandle,
        final HttpServletRequest request,
        @RequestBody final DataAccessReadRequest body,
        @RequestHeader(value = "accept", required = false) final String accept,
        @RequestParam(value = "fields", required = false) final String fields,
        @Min(1) @Valid @RequestParam(value = "depth", required = false) final Integer depth) {
        // Spring does not bind the part matched by "**" to a @PathVariable. Recover it from the
        // attributes set during handler mapping. (Passing HttpServletRequest.toString() to the
        // service, as the first draft did, hands over the request object's description, not the path.)
        final String bestPattern =
            (String) request.getAttribute(HandlerMapping.BEST_MATCHING_PATTERN_ATTRIBUTE);
        final String lookupPath =
            (String) request.getAttribute(HandlerMapping.PATH_WITHIN_HANDLER_MAPPING_ATTRIBUTE);
        final String resourceIdentifier =
            new AntPathMatcher().extractPathWithinPattern(bestPattern, lookupPath);
        final var modulesListAsJson = dmiService.getResourceDataPassThroughRunningForCmHandle(cmHandle,
            resourceIdentifier,
            accept,
            fields,
            depth,
            body.getCmHandleProperties());
        return ResponseEntity.ok(modulesListAsJson);
    }

Pros

Does not change the URL. The same approach may be needed for the other passthrough methods.

Cons

Does not use OpenAPI, so the endpoint has to be documented and kept in sync by hand.
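Added example (not ONAP CPS/NCMP code): solution 3 exercised end to end with a MockMvc stand-alone setup, so the /** extraction can be checked without a servlet container or an OpenAPI generator. The controller only echoes what it receives; WildcardResourceController, the package org.example.ncmp and the use of GET instead of the page's PUT are assumptions made to keep the example self-contained, and spring-test and the servlet API are assumed to be on the classpath. It generalises the page's code slightly: AntPathMatcher.extractPathWithinPattern returns the tail for any number of path segments after the datastore name, and the query string is left untouched because it is never part of the matched path. The request URL in main is the page's wanted URL.

```java
package org.example.ncmp;  // hypothetical package, not part of ONAP CPS

import javax.servlet.http.HttpServletRequest;
import org.springframework.http.ResponseEntity;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.HandlerMapping;

@RestController
class WildcardResourceController {

    private static final AntPathMatcher PATH_MATCHER = new AntPathMatcher();

    // Everything after ".../ncmp-datastore:passthrough-operational/" is matched by "**".
    // Spring exposes no @PathVariable for it, so it is recovered from the request attributes.
    @GetMapping(value = "/v1/ch/{cmHandle}/data/ds/ncmp-datastore:passthrough-operational/**",
                produces = "text/plain")
    ResponseEntity<String> getResourceData(@PathVariable final String cmHandle,
                                           @RequestParam(required = false) final Integer depth,
                                           final HttpServletRequest request) {
        final String resourceIdentifier = resourceIdentifierFrom(request);
        // echo instead of calling a DMI service, so the extraction can be observed directly
        return ResponseEntity.ok(cmHandle + "|" + resourceIdentifier + "|depth=" + depth);
    }

    static String resourceIdentifierFrom(final HttpServletRequest request) {
        final String pattern =
            (String) request.getAttribute(HandlerMapping.BEST_MATCHING_PATTERN_ATTRIBUTE);
        final String lookupPath =
            (String) request.getAttribute(HandlerMapping.PATH_WITHIN_HANDLER_MAPPING_ATTRIBUTE);
        // Returns only the part covered by "**", e.g. "turing-machine:turing-machine/transition-function";
        // it is taken as it appears in the request line, so a client that percent-encodes characters
        // would need a single decoding step here (assumption: NCMP clients send the identifier raw).
        return PATH_MATCHER.extractPathWithinPattern(pattern, lookupPath);
    }

    // Stand-alone check with MockMvc: no servlet container and no Spring Boot context needed.
    public static void main(final String[] args) throws Exception {
        final MockMvc mockMvc = MockMvcBuilders.standaloneSetup(new WildcardResourceController()).build();
        final String wantedUrl =
            "/v1/ch/node1/data/ds/ncmp-datastore:passthrough-operational/"
            + "turing-machine:turing-machine/transition-function?depth=5";
        final MvcResult result = mockMvc.perform(MockMvcRequestBuilders.get(wantedUrl)).andReturn();
        System.out.println(result.getResponse().getStatus() + " " + result.getResponse().getContentAsString());
    }
}
```

Note that the stand-alone MockMvc setup contains no Spring Security filter chain, so StrictHttpFirewall is not in front of this controller here; in the real application it still sits in front and keeps rejecting "..", backslashes and encoded separators before the /** mapping is ever consulted.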

