Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2021/05/16 08:38:10 UTC

[GitHub] [apisix-dashboard] gxthrj commented on a change in pull request #1894: fix: restrict host and path of debugging URL

gxthrj commented on a change in pull request #1894:
URL: https://github.com/apache/apisix-dashboard/pull/1894#discussion_r633061960



##########
File path: api/conf/conf.yaml
##########
@@ -59,6 +59,9 @@ conf:
                          # log example: 2020-12-09T16:38:09.039+0800	INFO	filter/logging.go:46	/apisix/admin/routes/r1	{"status": 401, "host": "127.0.0.1:9000", "query": "asdfsafd=adf&a=a", "requestId": "3d50ecb8-758c-46d1-af5b-cd9d1c820156", "latency": 0, "remoteIP": "127.0.0.1", "method": "PUT", "errs": []}
   max_cpu: 0             # supports tweaking with the number of OS threads are going to be used for parallelism. Default value: 0 [will use max number of available cpu cores considering hyperthreading (if any)]. If the value is negative, is will not touch the existing parallelism profile.
 
+  gateways:              # host list of APISIX gateway, currently only used as a list of debuggable hosts

Review comment:
       ```suggestion
     debug_gateways:              # host list of APISIX gateway, currently only used as a list of debuggable hosts
   ```
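Review bot: The comment on the new `gateways:` key should say what an entry must look like and what happens when the list is empty, because the Go side of this PR compares the debug URL's host against each entry with a plain `==` and refuses every debug request when the list has no entries. Suggested comment: `# hosts of the APISIX gateways that online debugging may forward to, written exactly as the host appears in the debug URL; debugging is refused while this list is empty`. Whether the host taken from the debug URL keeps its `:port` is decided outside this hunk, so the wording about the expected form should be confirmed against the caller. The hunk adds three lines and only the first is quoted here.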

##########
File path: api/internal/handler/route_online_debug/route_online_debug.go
##########
@@ -92,12 +108,60 @@ func (h *Handler) DebugRequestForwarding(c droplet.Context) (interface{}, error)
 type HTTPProtocolSupport struct {
 }
 
+func checkHost(host string) error {
+	if len(conf.Gateways) < 1 {
+		return errors.New("host list of APISIX gateways not configured")
+	}
+	for _, gatewayHost := range conf.Gateways {
+		if host == gatewayHost {
+			return nil
+		}
+	}
+
+	return errors.New("doesn't match any host of APISIX gateways")
+}
+
+func checkPath(path string) error {
+	if strings.HasPrefix(path, "/apisix/") {
+		return errors.New("the path is forbidden for debugging")

Review comment:
       ```suggestion
   		return fmt.Errorf("The path %s is forbidden for debugging", path)
   ```
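Review bot: `checkHost` compares the caller-supplied host with each configured entry using `==`, so a host that differs only in letter case (`Gateway.Example` versus `gateway.example`) is rejected although DNS names are case-insensitive; `strings.EqualFold(host, gatewayHost)` keeps the allow-list just as strict while tolerating that. The same exact comparison also means an entry and the host must agree on whether a `:port` is present, which depends on how the host is extracted from the debug URL before this call — that happens outside the hunk, so a one-line comment above the loop such as `// entries must match the URL host verbatim, including any :port` would spare the next maintainer a guess. Refusing every request while `conf.Gateways` is empty is the right fail-closed default and deserves a comment saying that it is deliberate. `checkPath` continues past the end of the quoted hunk.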

##########
File path: api/internal/handler/route_online_debug/route_online_debug.go
##########
@@ -92,12 +108,60 @@ func (h *Handler) DebugRequestForwarding(c droplet.Context) (interface{}, error)
 type HTTPProtocolSupport struct {
 }
 
+func checkHost(host string) error {
+	if len(conf.Gateways) < 1 {
+		return errors.New("host list of APISIX gateways not configured")
+	}
+	for _, gatewayHost := range conf.Gateways {
+		if host == gatewayHost {
+			return nil
+		}
+	}
+
+	return errors.New("doesn't match any host of APISIX gateways")
+}
+
+func checkPath(path string) error {
+	if strings.HasPrefix(path, "/apisix/") {
+		return errors.New("the path is forbidden for debugging")
+	}
+	return nil
+}
+
+func checkMethod(method string) error {
+	if exists := allowMethods[strings.ToUpper(method)]; !exists {
+		return errors.New("the method is not allowed for debugging")

Review comment:
       ```suggestion
   		return fmt.Errorf("The method %s is not allowed for debugging", method)
   ```
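Review bot: `checkPath` matches the raw `path` string against the prefix `/apisix/`, so unnormalised spellings of the same location — `//apisix/admin/routes`, `/x/../apisix/admin/routes`, or a percent-encoded `/%61pisix/admin/routes` — pass the check and are forwarded, and whether they then reach the admin API depends entirely on how the gateway normalises the request; nothing in the hunk shows the path being cleaned before this call. Matching the canonical form instead — `url.PathUnescape` followed by `path.Clean`, and also rejecting the bare `/apisix` that `Clean` produces from `/apisix/` — closes that gap; the parameter must be renamed because `path` shadows the package, and `net/url` and `path` need importing. `checkMethod` continues past the end of the quoted hunk, and the `allowMethods` map it reads is defined elsewhere.
```go
func checkPath(p string) error {
	// Match the canonical form of the path: dot segments, doubled slashes and
	// percent-encoding must not let "/apisix/..." past the prefix check.
	unescaped, err := url.PathUnescape(p)
	if err != nil {
		return errors.New("the path is not a valid URL path")
	}
	cleaned := path.Clean("/" + unescaped)
	if cleaned == "/apisix" || strings.HasPrefix(cleaned, "/apisix/") {
		return errors.New("the path is forbidden for debugging")
	}
	return nil
}
```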



