@dherault We reserved CVE-2021-38384 with MITRE for this vulnerability, but we would also like to submit it via GitHub, and also make a pull request to help solve this issue.
Bug Report
Current Behavior
When using a Custom Authorizer, the behaviour of serverless-offline differs from the deployed stack on AWS.
Sample Code
This is where we define the function event trigger. As is clear to see, we expect an HTTP POST on /{stage}/dashboard/.
Our custom authorizer's generatePolicy method looks like this.
We're basically generating the following policy to someone with the role "USER":
Expected behavior/code
When testing locally using serverless-offline, fetching the endpoint http://localhost:3000/dev/dashboard/, the response is 403 Forbidden as the screenshot shows.
But when we deploy the stack to AWS, fetching the endpoint https://RANDOM.execute-api.us-east-1.amazonaws.com/dev/dashboard/, the result is 200 OK, as is seen here.
Environment
serverless version: v2.53.0
serverless-offline version: v8.0.0
node.js version: v12.21.0
OS: Linux Mint 19.1 Tessa
Additional context/Screenshots
We found this issue while doing the research The Fault in Our Stars, in which we explore how API Gateway Execute API Policy works under different conditions.
One researcher from our company opened the issue 1191 where he indicates another incorrect behaviour by serverless-offline regarding the way it evaluates policies. It still lacks a response to this date.
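Added example, not code from this issue, from the reporters, or from serverless-offline: a generatePolicy-style helper of the kind a custom authorizer returns, next to a small evaluator that approximates the rules API Gateway applies to an authorizer policy (an explicit Deny that matches the method ARN wins, otherwise a matching Allow grants access, otherwise access is implicitly denied; `*` and `?` wildcards in Resource). The account id, API id, method ARN values and the role-to-resource mapping are constructed assumptions. Running a generated policy through such a check is a way to see which decision the deployed stack should reach for a given request before comparing it with what the local emulator answers.

```javascript
// Added example (not code from the issue or from serverless-offline).
// Approximates API Gateway's decision for an authorizer policy document:
//   - an explicit Deny whose Resource matches the method ARN wins,
//   - otherwise a matching Allow grants access,
//   - otherwise the request is implicitly denied.
// Resource patterns support `*` (any run of characters) and `?` (one character).
// The ARN prefix and role mapping below are constructed sample values.

const API_ARN_PREFIX = 'arn:aws:execute-api:us-east-1:123456789012:abc123'; // constructed

// Build the authorizer response in the shape API Gateway expects.
function generatePolicy(principalId, effect, resources) {
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: resources }],
    },
  };
}

// Hypothetical role mapping: a "USER" may POST to /dashboard/ in any stage,
// any other role is explicitly denied everything on this API.
function policyForRole(principalId, role) {
  if (role === 'USER') {
    return generatePolicy(principalId, 'Allow', [`${API_ARN_PREFIX}/*/POST/dashboard/`]);
  }
  return generatePolicy(principalId, 'Deny', [`${API_ARN_PREFIX}/*/*/*`]);
}

// Method ARN for an incoming request: <api prefix>/<stage>/<METHOD>/<path>.
function methodArn(stage, httpMethod, path) {
  return `${API_ARN_PREFIX}/${stage}/${httpMethod}/${path.replace(/^\//, '')}`;
}

// Translate an IAM-style resource pattern into an anchored regular expression.
function resourcePatternToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters, keep * and ?
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`);
}

// A statement applies when it covers execute-api:Invoke and one Resource matches.
function statementMatches(statement, arn) {
  const actions = [].concat(statement.Action);
  const resources = [].concat(statement.Resource);
  const actionOk = actions.some(a => a === '*' || a === 'execute-api:*' || a === 'execute-api:Invoke');
  return actionOk && resources.some(r => resourcePatternToRegExp(r).test(arn));
}

// Returns 'Allow' or 'Deny' following explicit-deny-wins, then allow, then implicit deny.
function evaluate(policyDocument, arn) {
  let allowed = false;
  for (const st of policyDocument.Statement) {
    if (!statementMatches(st, arn)) continue;
    if (st.Effect === 'Deny') return 'Deny';
    if (st.Effect === 'Allow') allowed = true;
  }
  return allowed ? 'Allow' : 'Deny';
}

// Stand-alone run: decision for the request described in the report.
const decision = evaluate(policyForRole('user-1', 'USER').policyDocument, methodArn('dev', 'POST', '/dashboard/'));
console.log(`POST /dev/dashboard/ for role USER -> ${decision}`);
```

The evaluator is deliberately limited to Resource-pattern matching and the Effect ordering; it does not model conditions, context fields, or any emulator-specific behaviour, so a mismatch between its answer and the local response only tells you where to start looking.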