-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The socket
parameter is sent as-is to the UNIX domain socket opened via http.send
#5313
Comments
Thanks for the thorough writeup! And I think you're quite correct there, the
I'd check what others following the same convention do in this case... I bet this doesn't come out of nowhere, but I cannot recall the discussions from back then without git history dumpster diving. |
☝️ It's a good issue to work on, I think, because the code change should be minimal. What's more important, though, is figuring out, via some research, what the right thing to do is with multiple such query params. |
Removes the `socket` parameter from any http request targeting a UNIX domain socket. The socket path is handled by OPA to identify which socket to communicate with. It serves no purpose to send it to the socket itself. In some cases, the parameter may also be rejected by the listening program. All the `socket` parameter values are removed to prevent HTTP parameter pollution. The implementation may change the overall query parameters order. But there is no standard regarding that so it should be okay. Fixes open-policy-agent#5313 Signed-off-by: Tuan Le <webmaster@michivi.com>
#5355 is an attempt to tackle this issue and is working fine for our use case. It does the following:
I did not find why the original implementation used the |
Removes the `socket` parameter from any http request targeting a UNIX domain socket. The socket path is handled by OPA to identify which socket to communicate with. It serves no purpose to send it to the socket itself. In some cases, the parameter may also be rejected by the listening program. All the `socket` parameter values are removed to prevent HTTP parameter pollution. The implementation may change the overall query parameters order. But there is no standard regarding that so it should be okay. Fixes #5313 Signed-off-by: Tuan Le <webmaster@michivi.com>
Short description
It seems that a call to the built-in
http.send
function targeting a UNIX domain socket is also sending over thesocket
parameter used byhttp.send
to identify the path to the socket itself. While probably not a big issue in most use cases, our very own use case is failing as all sent parameters are validated by our listening program. Thesocket
parameter being an OPA parameter, our program doesn't recognize it and fails.Our environment:
Steps To Reproduce
To reproduce the error:
nc -l -U /tmp/test.sock
opa eval 'http.send({ "method": "GET", "url": "unix://localhost/hello?param1=value1&socket=%2ftmp%2ftest.sock" })'
GET /hello?param1=value1&socket=%2ftmp%2ftest.sock HTTP/1.1
. It contains both the voluntary parameters and thesocket
parameter targeted athttp.send
Expected behavior
One might expect that the original query is untouched (parameters order included), except for the
socket
parameter which would be removed. So in our case:GET /hello?param1=value1 HTTP/1.1
.Though I guess we should also consider what would happen if there's multiple
socket
parameters. We don't have that use cases, so any chosen behavior (so long as one of them is picked to determine the path to the UNIX domain socket deterministically and then removed) would do.Additional context
I'm guessing the related code is this:
opa/topdown/http.go
Lines 252 to 264 in fff3e0a
We can see that the
socket
parameter is used to determine the path to the UNIX domain socket, but it is not removed. The only change in the URL is the change of the scheme.The text was updated successfully, but these errors were encountered: