From 492cfdfe3a4b4b827d09986776fb89487e08331b Mon Sep 17 00:00:00 2001
From: Jean-Louis Leysens
Date: Tue, 25 Jul 2023 17:56:56 +0200
Subject: [PATCH] [HTTP] Only allow setting `server.restrictInternalApis` on serverless (#162475)

---
 .../__snapshots__/http_config.test.ts.snap | 1 -
 .../src/http_config.test.ts | 28 +++++++++++++++++++
 .../src/http_config.ts | 12 ++++++--
 3 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/packages/core/http/core-http-server-internal/src/__snapshots__/http_config.test.ts.snap b/packages/core/http/core-http-server-internal/src/__snapshots__/http_config.test.ts.snap
index 8df6dd5251c463..c838892038f2ab 100644
--- a/packages/core/http/core-http-server-internal/src/__snapshots__/http_config.test.ts.snap
+++ b/packages/core/http/core-http-server-internal/src/__snapshots__/http_config.test.ts.snap
@@ -77,7 +77,6 @@ Object {
     "allowFromAnyIp": false,
     "ipAllowlist": Array [],
   },
-  "restrictInternalApis": false,
   "rewriteBasePath": false,
   "securityResponseHeaders": Object {
     "crossOriginOpenerPolicy": "same-origin",
diff --git a/packages/core/http/core-http-server-internal/src/http_config.test.ts b/packages/core/http/core-http-server-internal/src/http_config.test.ts
index c535bc64fbb003..28abe6513ced69 100644
--- a/packages/core/http/core-http-server-internal/src/http_config.test.ts
+++ b/packages/core/http/core-http-server-internal/src/http_config.test.ts
@@ -509,6 +509,27 @@ describe('versioned', () => {
     });
   });
 
+describe('restrictInternalApis', () => {
+  it('is only allowed on serverless', () => {
+    expect(() => config.schema.validate({ restrictInternalApis: false }, {})).toThrow(
+      /a value wasn't expected/
+    );
+    expect(() => config.schema.validate({ restrictInternalApis: true }, {})).toThrow(
+      /a value wasn't expected/
+    );
+    expect(
+      config.schema.validate({ restrictInternalApis: true }, { serverless: true })
+    ).toMatchObject({
+      restrictInternalApis: true,
+    });
+  });
+  it('defaults to false', () => {
+    expect(
+      config.schema.validate({ restrictInternalApis: undefined }, { serverless: true })
+    ).toMatchObject({ restrictInternalApis: false });
+  });
+});
+
 describe('HttpConfig', () => {
   it('converts customResponseHeaders to strings or arrays of strings', () => {
     const httpSchema = config.schema;
@@ -535,4 +556,11 @@ describe('HttpConfig', () => {
       nested: '{"foo":1,"bar":"dolly"}',
     });
   });
+
+  it('defaults restrictInternalApis to false', () => {
+    const rawConfig = config.schema.validate({}, {});
+    const rawCspConfig = cspConfig.schema.validate({});
+    const httpConfig = new HttpConfig(rawConfig, rawCspConfig, ExternalUrlConfig.DEFAULT);
+    expect(httpConfig.restrictInternalApis).toBe(false);
+  });
 });
diff --git a/packages/core/http/core-http-server-internal/src/http_config.ts b/packages/core/http/core-http-server-internal/src/http_config.ts
index d0a3ced0d5fab2..4cb3d5df0ef010 100644
--- a/packages/core/http/core-http-server-internal/src/http_config.ts
+++ b/packages/core/http/core-http-server-internal/src/http_config.ts
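Review bot: The two `toThrow` assertions in `is only allowed on serverless` match only the generic fragment `/a value wasn't expected/`, so any unexpected-key rejection from the schema would satisfy them, not specifically the rejection of `restrictInternalApis`. Anchoring the pattern on the key path, e.g. `/\[restrictInternalApis\]: a value wasn't expected/`, pins the failure to this setting; the exact path-prefix format should be confirmed against the validator's error output before relying on it. The suite also exercises only `{}` and `{ serverless: true }` as contexts; a case with `{ serverless: false }` would document that an explicit false is treated the same as an absent context value, which the conditional on `schema.contextRef('serverless')` presumably does since it compares against `true`.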
@@ -167,7 +167,14 @@ const configSchema = schema.object(
       },
     }
   ),
-  restrictInternalApis: schema.boolean({ defaultValue: false }), // allow access to internal routes by default to prevent breaking changes in current offerings
+  // allow access to internal routes by default to prevent breaking changes in current offerings
+  restrictInternalApis: schema.conditional(
+    schema.contextRef('serverless'),
+    true,
+    schema.boolean({ defaultValue: false }),
+    schema.never()
+  ),
+
   versioned: schema.object({
     /**
      * Which handler resolution algo to use: "newest" or "oldest".
@@ -316,7 +323,8 @@ export class HttpConfig implements IHttpConfig {
     this.requestId = rawHttpConfig.requestId;
     this.shutdownTimeout = rawHttpConfig.shutdownTimeout;

-    this.restrictInternalApis = rawHttpConfig.restrictInternalApis;
+    // default to `false` to prevent breaking changes in current offerings
+    this.restrictInternalApis = rawHttpConfig.restrictInternalApis ?? false;
     this.eluMonitor = rawHttpConfig.eluMonitor;
     this.versioned = rawHttpConfig.versioned;
   }
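Review bot: The comment carried over above `restrictInternalApis` still only explains the default and says nothing about the new behaviour outside serverless, where `schema.never()` turns the key into a validation error at startup rather than an ignored or defaulted setting; operators reading this schema should see that fail-closed choice stated. Suggested wording for the comment: `// Only accepted when the 'serverless' context flag is true; elsewhere the key is rejected outright (schema.never()) instead of being ignored. Defaults to false on serverless to avoid breaking current offerings.` The second hunk in this file (the `HttpConfig` constructor) depends on this, since the `never` branch presumably makes the inferred type `boolean | undefined` and the `?? false` fallback there exists to keep the class field a plain boolean; it would help to mention that link in the constructor comment too. The enclosing `configSchema` object literal begins and ends outside this hunk.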