-
Notifications
You must be signed in to change notification settings - Fork 13
Superfluous HTTP header validation #23
Comments
@guidovranken, I'll explain my current thinking on how things got to the way they are.
Thinking about your suggestion a bit, I agree with your main point that the code architecture can probably be improved, possibly by leveraging
I'm trying to get a release out today, and I won't be able to fix this issue in time, but I'll try to get it for the next one. |
I looked through this and don't think it is a problem. In views.py service_router() the code is configuring the parser and handler class to be used; it uses the 'x-taxii-content-type' header to determine the parser & XML validator. In validate_headers() the code is ensuring that the incoming headers and message are well formed, understandable, and that the chosen handler object really can handle the message. Again, 'x-taxii-content-type' is used, but it is used for different reasons (it is confirming that the chosen handler can handle the message). In process_exception() the code is determining what sort of error response to send back to the client. So it checks a couple of the incoming headers again to make that decision. So while it looks like there's a bunch of redundancy, there really isn't. A case could be made that there is redundancy in the 'x-taxii-content-type' checking, since service_router() ensures it is good, and validate_headers() does again. But that makes the assumption that validate_headers() will only ever be called after service_router(), keeping the redundancy keeps the functions decoupled and they both do what they need to do for completeness. I touched up the comments in my local version to make it clearer what is going on. We'll decide whether that is worth pushing up to the repo. |
This isn't a bug but an architectural issue. Various HTTP headers supplied by the client are verified multiple times at various places in the code:
base_taxii_handlers.py -> class MessageHandler -> validate_headers():
middleware.py -> class StatusMessageExceptionMiddleware -> process_exception():
views.py
I think it's probably better to reorganize this so that an invalid request is intercept at the view layer, triggers a StatusMessageException, after which the StatusMessageExceptionMiddleware class deals with determining and constructing an appropriate response. Move the checks in base_taxii_handlers.py to views.py service_router(), since that is the function through which all relevant incoming traffic flows (as far as I know).
Guido
The text was updated successfully, but these errors were encountered: