

Api/deny query strings (#193)
* Deny http requests with unknown query strings
* Add /didcomm as didcomm proxy endpoint
* Bump version to 2.5.0

Signed-off-by: Patrik Stas <[email protected]>
Patrik-Stas authored Nov 25, 2022
1 parent d7bb3de commit 5e3c669
Showing 4 changed files with 43 additions and 6 deletions.
20 changes: 20 additions & 0 deletions vcxagency-client/test/e2e/shared/agency-flows.spec.js
Expand Up @@ -30,6 +30,7 @@ const { vcxFlowCreateAgentConnection } = require('vcxagency-client/src')
const { vcxFlowFullOnboarding } = require('vcxagency-client/src')
const { indyGenerateWalletKey } = require('easy-indysdk')
const { indyOpenWallet } = require('easy-indysdk')
const axios = require('axios')

let aliceWalletName
let aliceWalletKey
Expand Down Expand Up @@ -160,3 +161,22 @@ describe('healthchecks', () => {
expect(success).toBe('true')
})
})

describe('query params', () => {
it('should return bad request if unknown query parameter is specified', async () => {
let err
try {
await axios.get(`${agencyUrl}/agency?foobar=123`)
} catch (error) {
err = error
}
expect(err).toBeDefined()
expect(err.response.status === 400)
})
})

describe('query params', () => {
it('should return bad request if known query parameter is specified', async () => {
await axios.get(`${agencyUrl}/agency?timeout=10`)
})
})
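Review bot: The status assertion in the first `query params` test is a no-op: `expect(err.response.status === 400)` has no matcher, so it passes whatever the status code is, and the test only proves that some error was thrown — a connection failure would also pass, and would then fail with a TypeError because `err.response` is undefined. Replace it with `expect(err.response.status).toBe(400)`, or more compactly `await expect(axios.get(`${agencyUrl}/agency?foobar=123`)).rejects.toMatchObject({ response: { status: 400 } })`, which also removes the manual try/catch. The second describe reuses the name `query params` and its description says `should return bad request if known query parameter is specified` while its body expects the request to succeed; `should accept request with allowed query parameter` states what is actually checked.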
16 changes: 16 additions & 0 deletions vcxagency-node/src/api/middleware.js
Expand Up @@ -57,6 +57,22 @@ module.exports.asyncHandler = function asyncHandler (fn) {
}
}

module.exports.buildDenyQueryStringsMiddleware = function buildDenyQueryStringsMiddleware (allowedQueryKeys) {
const allowedQueryKeysSet = new Set(allowedQueryKeys)
return function denyQueryStrings (req, res, next) {
const queryKeys = Object.keys(req.query)
if (queryKeys.length > 0) {
if (queryKeys.length === 1 && allowedQueryKeysSet.has(queryKeys[0])) {
next()
} else {
return res.status(400).send()
}
} else {
next()
}
}
}

module.exports.logRequestsWithBody = function logRequestsWithBody (req, res, next) {
logger.info(`${req.method} ${req.originalUrl} Request body: ${JSON.stringify(req.body)}`)
next()
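Review bot: The allow-list in `denyQueryStrings` is on key names only; with Express's default query parser, `?timeout[x]=1` and `?timeout=1&timeout=2` both yield the single key `timeout` with an object or array value, so whatever reads `req.query.timeout` downstream still has to validate the value's type — worth a comment on the middleware such as `// Allow-list checks key names only; values (possibly arrays/objects under the extended query parser) are not validated here`. The two `next()` calls are not returned while the 400 path is, which reads inconsistently; `return next()` in both branches keeps the exit points uniform. A rejected request gets an empty 400 and nothing is logged, so operators have no trace of rejected requests; a `logger.warn` naming the offending query keys (not their values) in the 400 branch would help, assuming `logger` is in scope here as `logRequestsWithBody` below suggests. Note that `queryKeys.length === 1` also rejects a request carrying two allow-listed keys — presumably intended for a single-entry allow-list, but `queryKeys.every((k) => allowedQueryKeysSet.has(k))` would express the allow-list semantics directly if that was the intent.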
11 changes: 6 additions & 5 deletions vcxagency-node/src/execution/server.js
Expand Up @@ -31,7 +31,7 @@ const apiProxy = require('../api/api-proxy')
const {
logRequestsWithBody,
setReqId,
finalExpressHandlers
finalExpressHandlers, buildDenyQueryStringsMiddleware
} = require('../api/middleware')

function createWebServer (expressApp, enableTls, tlsCertPath, tlsKeyPath, logger) {
Expand All @@ -51,6 +51,7 @@ function createWebServer (expressApp, enableTls, tlsCertPath, tlsKeyPath, logger
async function setupExpressApp (expressApp, application, appConfig) {
const { entityForwardAgent, serviceNewMessagesV1, serviceNewMessagesV2 } = application
logger.info('Setting up express endpoints and middleware.')
expressApp.use(buildDenyQueryStringsMiddleware(['timeout']))

if (appConfig.DANGEROUS_HTTP_DETAILS === true) {
logger.warn('** DANGEROUS, FULL HTTP REQUESTS WILL BE LOGGED **')
Expand All @@ -71,15 +72,15 @@ async function setupExpressApp (expressApp, application, appConfig) {

const maxRequestSizeKb = appConfig.SERVER_MAX_REQUEST_SIZE_KB
if (appConfig.PROXY_TARGET_URL) {
const proxyPrefix = '/api/proxy'
logger.info(`Requests to ${proxyPrefix} will be forwarded to ${appConfig.PROXY_TARGET_URL}`)
const proxyPrefixes = ['/api/proxy', '/didcomm']
logger.info(`Requests to ${proxyPrefixes} will be forwarded to ${appConfig.PROXY_TARGET_URL}`)
const routerProxy = express.Router()
routerProxy.use(bodyParser.raw({
inflate: false,
limit: `${maxRequestSizeKb}kb`
}))
expressApp.use(proxyPrefix, routerProxy)
apiProxy(routerProxy, proxyPrefix, appConfig.PROXY_TARGET_URL)
expressApp.use(proxyPrefixes, routerProxy)
apiProxy(routerProxy, proxyPrefixes, appConfig.PROXY_TARGET_URL)
}

logger.info('Setting up express Aries API.')
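Review bot: `apiProxy` now receives `proxyPrefixes` (an array) as its second argument where it previously received the string `proxyPrefix`, but `api-proxy.js` is not among the four files in this commit, so unless it already accepts an array, any string handling of the prefix there (path rewriting, logging) will now see an array or its `'/api/proxy,/didcomm'` coercion; please confirm its signature. The log line interpolates the array directly and prints `/api/proxy,/didcomm`; `${proxyPrefixes.join(', ')}` reads better. Note also that `buildDenyQueryStringsMiddleware(['timeout'])` is registered before the proxy router in the earlier hunk, so any query string other than `timeout` on `/didcomm` and `/api/proxy` is rejected before it reaches the proxy target — presumably intended, but worth a comment at that `expressApp.use` line since the proxied service may have query parameters of its own.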
2 changes: 1 addition & 1 deletion version.json
@@ -1,5 +1,5 @@
{
"major": 2,
"minor": 4,
"minor": 5,
"patch": 0
}

