Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Strip Matrix parameter from BasePath check #14383

Open
wants to merge 8 commits into
base: master
Choose a base branch
from
Open

Strip Matrix parameter from BasePath check #14383

wants to merge 8 commits into from
+40 −4

Conversation

praveenc7
Copy link
Contributor

Summary

Modify Parser to strip matrix parameter when checking for basePath

Testing

unit test added

@praveenc7 praveenc7 changed the title Strip Matrix parameter for BasePath check Strip Matrix parameter from BasePath check Nov 5, 2024
@codecov-commenter
Copy link

codecov-commenter commented Nov 5, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 50.00000% with 4 lines in your changes missing coverage. Please review.

Project coverage is 63.78%. Comparing base (59551e4) to head (e493941).
Report is 1292 commits behind head on master.

Files with missing lines Patch % Lines
...ache/pinot/broker/broker/AuthenticationFilter.java 0.00% 2 Missing ⚠️
...ot/controller/api/access/AuthenticationFilter.java 0.00% 0 Missing and 2 partials ⚠️
Additional details and impacted files 
@@             Coverage Diff              @@
##             master   #14383      +/-   ##
============================================
+ Coverage     61.75%   63.78%   +2.03%     
- Complexity      207     1555    +1348     
============================================
  Files          2436     2660     +224     
  Lines        133233   145967   +12734     
  Branches      20636    22350    +1714     
============================================
+ Hits          82274    93101   +10827     
- Misses        44911    45985    +1074     
- Partials       6048     6881     +833
Flag Coverage Δ
custom-integration1 100.00% <ø> (+99.99%) ⬆️
integration 100.00% <ø> (+99.99%) ⬆️
integration1 100.00% <ø> (+99.99%) ⬆️
integration2 0.00% <ø> (ø)
java-11 63.73% <50.00%> (+2.02%) ⬆️
java-21 63.67% <50.00%> (+2.04%) ⬆️
skip-bytebuffers-false 63.77% <50.00%> (+2.02%) ⬆️
skip-bytebuffers-true 63.62% <50.00%> (+35.89%) ⬆️
temurin 63.78% <50.00%> (+2.03%) ⬆️
unittests 63.77% <50.00%> (+2.03%) ⬆️
unittests1 55.49% <0.00%> (+8.60%) ⬆️
unittests2 34.15% <50.00%> (+6.41%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Jackie-Jiang
Jackie-Jiang reviewed Nov 6, 2024
View reviewed changes
Copy link
Contributor

@Jackie-Jiang Jackie-Jiang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IIUC, the intention is to avoid bypassing the isBaseFile() check?
What is the purpose of isBaseFile()? I'd suggest making it very limited (e.g. only allow ".", or is it even required?)

@praveenc7
Copy link
Contributor Author

praveenc7 commented Nov 7, 2024
edited
Loading

IIUC, the intention is to avoid bypassing the isBaseFile() check? What is the purpose of isBaseFile()? I'd suggest making it very limited (e.g. only allow ".", or is it even required?)

@Jackie-Jiang I’m not aware of the historical reasons for why this check is necessary, This type of check is generally used to filter paths, likely to allow access only to certain files, such as configuration files or top-level resources, while excluding directories and complex paths.

For example : https://example.com/file.txt , https://example.com/image.png

The check we have already ensures we don't allow for directory access and just top-level resources like
file.backup.txt or another.file.backup.txt.

Do we want to allow for something like just file.txt and not file.backup.txt as well?

@Jackie-Jiang
Copy link
Contributor

@soumitra-st Can you help take a look? Which path do we need to allow bypassing the auth check?

I want to make this whitelist very restricted so that only the allowed path can bypass the auth check. This way we can avoid other possible attacks, instead of explicitly handling them one by one.

@soumitra-st
Copy link
Contributor

Modify Parser to strip matrix parameter when checking for basePath

@praveenc7 ,Pinot does not support MatrixParam. Can you elaborate on the context of handling MatrixParam for top-level resources only?

@soumitra-st
Copy link
Contributor

@soumitra-st Can you help take a look? Which path do we need to allow bypassing the auth check?

I want to make this whitelist very restricted so that only the allowed path can bypass the auth check. This way we can avoid other possible attacks, instead of explicitly handling them one by one.

The current whitelist paths are HERE:
new HashSet<>(Arrays.asList("", "help", "auth/info", "auth/verify", "health"));

In addition to the above whitelisted paths, all top files having at least one '.' are allowed. This is likely done to allow access to top-level resource files. If we need to remove implicit access to all the top-level resources, we must figure out the list and add it to the UNPROTECTED_PATHS.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Jackie-Jiang Jackie-Jiang Awaiting requested review from Jackie-Jiang

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@praveenc7 @codecov-commenter @Jackie-Jiang @soumitra-st