Skip to content

[ISSUE #3794] websocket datasync can chose allow origin to avoid CSRF #3795

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
yu199195 merged 11 commits into from
Aug 4, 2022
Merged

[ISSUE #3794] websocket datasync can chose allow origin to avoid CSRF #3795

yu199195 merged 11 commits into from
Aug 4, 2022

Conversation

@847850277
Copy link
Contributor

@847850277 847850277 commented Aug 3, 2022

Dear Community:
I have finished #3794
please review code.

Make sure that:

  • You have read the contribution guidelines.
  • You submit test cases (unit or integration tests) that back your changes.
  • Your local test passed ./mvnw clean install -Dmaven.javadoc.skip=true.

@yu199195
Copy link
Member

yu199195 commented Aug 3, 2022

hi,pls check ci

@codecov-commenter
Copy link

codecov-commenter commented Aug 3, 2022
edited
Loading

Codecov Report

Merging #3795 (66cf33e) into master (ff3ba3b) will decrease coverage by 0.08%.
The diff coverage is 33.33%.

@@             Coverage Diff              @@
##             master    #3795      +/-   ##
============================================
- Coverage     64.20%   64.12%   -0.09%     
- Complexity     6033     6037       +4     
============================================
  Files           898      898              
  Lines         24649    24679      +30     
  Branches       2232     2238       +6     
============================================
- Hits          15827    15826       -1     
- Misses         7428     7457      +29     
- Partials       1394     1396       +2
Impacted Files Coverage Δ
...min/config/properties/WebsocketSyncProperties.java 54.54% <0.00%> (-20.46%) ⬇️
.../sync/data/websocket/WebsocketSyncDataService.java 0.00% <0.00%> (ø)
...dmin/listener/websocket/WebsocketConfigurator.java 36.36% <10.00%> (-21.97%) ⬇️
...c/data/websocket/client/ShenyuWebsocketClient.java 56.89% <71.42%> (-6.57%) ⬇️
...in/sync/data/websocket/config/WebsocketConfig.java 93.33% <80.00%> (-6.67%) ⬇️
...che/shenyu/sync/data/http/HttpSyncDataService.java 85.71% <0.00%> (-4.09%) ⬇️
...java/org/apache/shenyu/web/filter/CrossFilter.java 84.12% <0.00%> (-2.76%) ⬇️
.../org/apache/shenyu/common/config/ShenyuConfig.java 73.23% <0.00%> (-0.69%) ⬇️
...enyu/plugin/sofa/cache/ApplicationConfigCache.java 25.68% <0.00%> (+0.23%) ⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@yu199195
Copy link
Member

yu199195 commented Aug 4, 2022

@847850277 hi, Can you tell us exactly what allow origin does?

@847850277
Copy link
Contributor Author

847850277 commented Aug 4, 2022

@yu199195 to avoid CSRF, In the case of Internet environment if someone knows admin websocket url,he can connect to ShenYu admin.Then forge the attack.
of course , this config is an option , this just match allow origin , if you dont't want , you can chose old mode.

@yu199195 yu199195 merged commit 06b525b into apache:master Aug 4, 2022
@yu199195
Copy link
Member

yu199195 commented Aug 4, 2022

Thanks, it merged~

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yu199195 yu199195 yu199195 approved these changes

Assignees

No one assigned

Labels

client: websocket data-sync: websocket type: new feature

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@847850277 @yu199195 @codecov-commenter