Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Option to disable 'request-id' header #4192

Closed
2 tasks done
philippviereck opened this issue Aug 10, 2022 · 7 comments 路 Fixed by #4193 or philippviereck/fastify#1
Closed
2 tasks done

Option to disable 'request-id' header #4192

philippviereck opened this issue Aug 10, 2022 · 7 comments 路 Fixed by #4193 or philippviereck/fastify#1
Labels
feature request New feature to be added good first issue Good for newcomers

Comments

@philippviereck
Copy link
Contributor

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the feature has not already been requested

馃殌 Feature Proposal

Add a option to disable requestIdHeader overwriting genReqId

Motivation

As far as I understand, fastify will by default use the value of the requestIdHeader,if such a header is present in the request, over the genReqId value.

Now, one does not necessarily know that a server is a fastify server, and one can change (obfuscate) the header key, but essentially a malicious actor could pass the same request-id for all requests and therefore reduce the quality of the logs. If one is trying to investigate an incident multiple requests now share the same id.

This is of low impact I'd assume, still I think it would be nice to disable this behaviour in a proper way instead of relying on obfuscation.

Example

const fastify = require('fastify')({
  requestIdHeader: false // (disabled instead of default value)
})
@Eomm
Copy link
Member

Eomm commented Aug 10, 2022

It is already doable (not straight forward tbh)

const fastify = require('fastify')({
  logger: true,
  requestIdHeader: 'jdnsndfjegrnjsdnij',
  genReqId() {
    return undefined
  },
})
fastify.get('/', async (request, reply) => {
  return { hello: 'world' }
})

fastify.inject('/')

What I understood is that you don't want to log the reqId field

@philippviereck
Copy link
Contributor Author

@Eomm Thank you for the quick reply.
What I meant was to disable requestIdHeader overwriting genReqId(), so untrusted requests can not overwrite my reqId.

This is the internal code:
const id = req.headers[requestIdHeader] || genReqId(req)

The only way is to (like you did) change the requestIdHeader to a bogus value. Which is honestly secure enough. Just not very clean in my opinion.

@Eomm
Copy link
Member

Eomm commented Aug 10, 2022

Oh, I got it! The issue here is to choose the priority of the genId option over the header 馃憤馃徏

Yeah, I agree!

Would you like to submit a pr?

@Eomm Eomm added feature request New feature to be added good first issue Good for newcomers labels Aug 10, 2022
@mcollina
Copy link
Member

I think a better implementation is to move that || switch inside genReqId itself: https://github.com/fastify/fastify/blob/main/lib/reqIdGenFactory.js.

Would you like to send a PR?

@philippviereck
Copy link
Contributor Author

philippviereck commented Aug 10, 2022
edited

@mcollina Sorry, I don't think I understand how/what you mean.

Simply req.headers[requestIdHeader] || genReqId(req) inside genReqId(factory) would obviously get overwritten by any custom genRegId(setup), therefore removing the requestIdHeader functionality. So, I don't think you mean it this way.

@mcollina
Copy link
Member

Just move the check inside genReqId(req).

philippviereck added a commit to philippviereck/fastify that referenced this issue Aug 10, 2022
@philippviereck
add option to disable/ignore request-id header
3c2bb76 
fixes fastify#4192
@philippviereck
Copy link
Contributor Author

Okey, I have a PR, it's my first one ever. It does not use the reqIdGenFactory because I could not get it to work using the factory just yet. Sorry. Have a look at it maybe, it's to hackish...

Maybe in 2 weeks I have time to dig deeper...

@philippviereck philippviereck mentioned this issue Aug 10, 2022
Merged
4 tasks
Eomm pushed a commit that referenced this issue Aug 11, 2022
@philippviereck
feat: disable/ignore request-id header (#4193)
4e79725 
* add option to disable/ignore request-id header

fixes #4192

* add more restrictive schema definition

* update configValidator

generated by running 'node build/build-validation.js'
after change on 'build-validation.js'

* move logic into reqIdGenFactory

* update docs for requestHeaderId

Adding documentation for opt-out of 'requestHeaderId'
@philippviereck philippviereck mentioned this issue Aug 11, 2022
Merged
mcollina pushed a commit that referenced this issue Jul 12, 2023
@philippviereck @Uzlopak
Change request id header default value to false (#4194)
7381195 
* add option to disable/ignore request-id header

fixes #4192

* add more restrictive schema definition

* update configValidator

generated by running 'node build/build-validation.js'
after change on 'build-validation.js'

* move logic into reqIdGenFactory

* change default value from requestIdHeader

Changes default from 'request-id' to `false`.
Making it opt-in instead of opt-out.

NOTE: when user sets requestIdHeader to
`true` the behavior is the same as if it was set to `false`
because `req.headers[true] || genReqId(req)`
 is equivalent to `genReqId(req)` (req.headers[true] is undefined).
TL;DR requestIdHeader must be a string, else it will be 'ignored'.
Solution: Provide a default value for requestIdHeader when `true` or throw.

* remove comment

* adapt

---------

Co-authored-by: Uzlopak <aras.abbasi@googlemail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature request New feature to be added good first issue Good for newcomers
Projects
None yet
Milestone
No milestone
3 participants
@mcollina @Eomm @philippviereck