Return 405 when receiving POST request on the route path#16750
Codecov Report: All modified and coverable lines are covered by tests ✅

@@ Coverage Diff @@
##             main   #16750      +/-   ##
==========================================
+ Coverage   65.86%   66.04%   +0.17%
==========================================
  Files        1139     1143       +4
  Lines      100116   101063     +947
  Branches     2463     2463
==========================================
+ Hits        65940    66743     +803
- Misses      29277    29367      +90
- Partials     4899     4953      +54

Flags with carried forward coverage won't be shown.
sharon-fdm left a comment:
This code and approach look fine if we know that osquery will drop it and will not retry to send it.
Approving tentatively, but if we are not sure let's chat about it.
@lucasmrod the problem is we don't know how wide this phenomenon is. But what if it's wide? In extreme cases we could cause some damage (I assume it's a bit of over-panic, but I want to raise the question.) TMWYT

What damage are you thinking?

@lucasmrod my main concern is that those osquery agents will keep sending this msg repeatedly in a way that will inflate network activity.

Sorry, I don't follow.
We met with @sharon-fdm and agreed that we should add a warning on the release notes (in case this misconfiguration is a common issue). |
WARNING:
We found that misconfigured (empty `logger_tls_endpoint`) osquery instances were sending log results (`POST` requests) to the root path, and Fleet was incorrectly returning HTTP 200 responses on that root path.
This version will now return HTTP 405 (Method Not Allowed) when receiving `POST` requests on the root path so that this misconfiguration can be detected by administrators.
If you deploy this version of Fleet and there's log traffic on the root path, it could cause increased network usage on your infrastructure because osquery will retry sending the logs and these will accumulate (up to a limit configured by logger flags). Thus, before upgrading, make sure there's no osquery traffic (`POST` requests) to Fleet's root path.
@ksatter let me know if this warning makes sense.
In #16750 we introduced logic to prevent POST requests to frontend endpoints. The redirect for SSO was using `http.StatusTemporaryRedirect` as the status code, which preserves the original request method (`POST` in this case). This changes the method to be `http.StatusSeeOther`, [per MDN][1]:

> This response code is often sent back as a result of PUT or POST. The method used to display this redirected page is always GET.

[1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/303

# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
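The two behaviours discussed on this page, the 405 returned for a `POST` on the root path (from the release-note warning above) and the 307-versus-303 choice for the SSO redirect (from the follow-up PR description), as an added Go example built on `net/http` and `httptest`. This is not Fleet's code: the paths `/` and `/sso/callback`, the handler shapes, the `Allow` header value, the response bodies and the form field are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// newMux wires up two handlers that model the behaviour discussed in the
// thread. Path names, handler shapes and response bodies are assumptions
// made for this example; none of it is Fleet's own code.
func newMux(redirectStatus int) *http.ServeMux {
	mux := http.NewServeMux()

	// Root path: frontend only. Anything other than GET/HEAD is rejected with
	// 405 plus an Allow header, so an agent posting logs here gets an explicit
	// error instead of a misleading 200.
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet && r.Method != http.MethodHead {
			w.Header().Set("Allow", "GET, HEAD")
			http.Error(w, http.StatusText(http.StatusMethodNotAllowed), http.StatusMethodNotAllowed)
			return
		}
		fmt.Fprintf(w, "frontend via %s", r.Method)
	})

	// SSO callback: reached by POST from the identity provider, then redirects
	// to the frontend. redirectStatus (307 or 303) decides which method the
	// client uses when it follows the redirect.
	mux.HandleFunc("/sso/callback", func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "/", redirectStatus)
	})
	return mux
}

// probeRoot sends a body-less request with the given method straight to the
// root path and returns the status code and the Allow header, if any.
func probeRoot(method string) (int, string, error) {
	srv := httptest.NewServer(newMux(http.StatusSeeOther))
	defer srv.Close()

	req, err := http.NewRequest(method, srv.URL+"/", nil)
	if err != nil {
		return 0, "", err
	}
	resp, err := srv.Client().Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body)
	return resp.StatusCode, resp.Header.Get("Allow"), nil
}

// postViaCallback POSTs a constructed form to /sso/callback, lets the client
// follow the redirect, and returns the final status and trimmed body. The
// body reveals which method actually reached the root path.
func postViaCallback(redirectStatus int) (int, string, error) {
	srv := httptest.NewServer(newMux(redirectStatus))
	defer srv.Close()

	// Constructed sample value; a real IdP would post a signed SAML response.
	form := strings.NewReader("SAMLResponse=constructed-example-value")
	resp, err := srv.Client().Post(srv.URL+"/sso/callback",
		"application/x-www-form-urlencoded", form)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return 0, "", err
	}
	return resp.StatusCode, strings.TrimSpace(string(body)), nil
}

func main() {
	status, allow, _ := probeRoot(http.MethodPost)
	fmt.Printf("POST /        -> %d (Allow: %s)\n", status, allow)

	for _, code := range []int{http.StatusTemporaryRedirect, http.StatusSeeOther} {
		status, body, err := postViaCallback(code)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("redirect %d  -> %d %q\n", code, status, body)
	}
}
```

Go's `http.Client` follows redirects with the RFC semantics: a 307 re-sends the `POST` (body included) to the new location, so the browser lands on the root handler as a `POST` and receives the very 405 that #16750 introduced; a 303 switches to `GET`, which is what the follow-up change relies on. The `Allow` header on the 405 is what RFC 9110 asks for and is also a useful signal in access logs when hunting for misconfigured agents.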
#16182