You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@nifi.apache.org by "Kevin Doran (JIRA)" <ji...@apache.org> on 2019/04/19 17:31:00 UTC

[jira] [Created] (NIFI-6227) Get Access Policy for Action-Resource endpoint does not accept encoded '/' characters in the path param for resource

Kevin Doran created NIFI-6227:
---------------------------------

             Summary: Get Access Policy for Action-Resource endpoint does not accept encoded '/' characters in the path param for resource
                 Key: NIFI-6227
                 URL: https://issues.apache.org/jira/browse/NIFI-6227
             Project: Apache NiFi
          Issue Type: Improvement
            Reporter: Kevin Doran


The REST API has the following endpoint:

{noformat}
GET /policies/{action}/{resource}
{noformat}

The resource path parameter can contain forward slash characters. When using URI Templates, client HTTP frameworks, or swagger codegen clients, by default will url encode forward slashes '/' in path parameters (ie, %2F). However, the server rejects encoded slash characters for path parameters with the following error message:

{noformat}
ValueError: The request was rejected because the URL contained a potentially malicious String "%25"
{noformat}

This is due to the Spring Security {{StrictHttpFirewall}} which is enabled by default. 

One possible solution would be providing our own {{HttpFirewall}} bean that subclasses {{StrictHttpFirewall}} to allow encoded slashes if the HTTP method is GET and the URL path starts with /policies/read/* or /policies/write/*. Then, in the controller code for this endpoint, we could decode the resource parameter safely.

Note: The code for this endpoint is in [AccessPolicyResource|https://github.com/apache/nifi/blob/cd2c3fd4e6fb9863c116d01bf8d274b80867622f/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessPolicyResource.java#L131].

Another possible solution would be adding an alternate endpoint that uses query parameters instead of path parameters.

This is currently a low priority ticket, because most HTTP client frameworks offer an option to not encode slashes in path parameters, even if the default behavior is to encode slashes in path parameters. RFC 6570 refers to this behavior as "Path Segment Expansion" to differentiate it from Path Parameter substitution. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)