Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Backport 2.x] fix: add validation on data.method when using transport.request #803

Merged
merged 1 commit into from
Jul 10, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
97 changes: 97 additions & 0 deletions server/services/CommonService.test.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,97 @@
import {
ILegacyCustomClusterClient,
OpenSearchDashboardsRequest,
OpenSearchDashboardsResponseFactory,
RequestHandlerContext,
} from "opensearch-dashboards/server";
import CommonService from "./CommonService";

const contextMock = {
core: {},
} as RequestHandlerContext;
const responseMock = ({
custom: jest.fn((args) => args),
} as unknown) as OpenSearchDashboardsResponseFactory;

const mockedClient = {
callAsCurrentUser: jest.fn(),
callAsInternalUser: jest.fn(),
close: jest.fn(),
asScoped: jest.fn(() => ({
callAsCurrentUser: jest.fn((...args) => args),
callAsInternalUser: jest.fn(),
})),
} as any;

describe("CommonService spec", () => {
it("http method should valid when calling transport.request", async () => {
const commonService = new CommonService(mockedClient);
const result = await commonService.apiCaller(
contextMock,
{
body: {
endpoint: "transport.request",
data: {
method: "invalid method",
},
},
} as OpenSearchDashboardsRequest,
responseMock
);
expect(result).toEqual({
statusCode: 200,
body: {
ok: false,
error: `Method must be one of, case insensitive ['HEAD', 'GET', 'POST', 'PUT', 'DELETE']. Received 'invalid method'.`,
},
});
});

it("should return error when no endpoint is provided", async () => {
const commonService = new CommonService(mockedClient);
const result = await commonService.apiCaller(
contextMock,
{
body: {
endpoint: "",
},
} as OpenSearchDashboardsRequest,
responseMock
);
expect(result).toEqual({
statusCode: 200,
body: {
ok: false,
error: `Expected non-empty string on endpoint`,
},
});
});

it("should patch path when data.path does not start with /", async () => {
const commonService = new CommonService(mockedClient);
const result = await commonService.apiCaller(
contextMock,
{
body: {
endpoint: "transport.request",
data: {
path: "",
},
},
} as OpenSearchDashboardsRequest,
responseMock
);
expect(result).toEqual({
statusCode: 200,
body: {
ok: true,
response: [
"transport.request",
{
path: "/",
},
],
},
});
});
});
34 changes: 33 additions & 1 deletion server/services/CommonService.ts
Original file line number Diff line number Diff line change
Expand Up @@ -14,11 +14,13 @@ import {
} from "../../../../src/core/server";
import { IAPICaller } from "../../models/interfaces";

const VALID_METHODS = ["HEAD", "GET", "POST", "PUT", "DELETE"];

export interface ICommonCaller {
<T>(arg: any): T;
}

export default class IndexService {
export default class CommonService {
osDriver: ILegacyCustomClusterClient;

constructor(osDriver: ILegacyCustomClusterClient) {
Expand All @@ -36,12 +38,42 @@ export default class IndexService {
try {
const { callAsCurrentUser: callWithRequest } = this.osDriver.asScoped(request);
const finalData = data;

/**
* The endpoint must not be an empty string, reference from proxy caller
*/
if (!endpoint) {
return response.custom({
statusCode: 200,
body: {
ok: false,
error: `Expected non-empty string on endpoint`,
},
});
}

/**
* Update path parameter to follow RFC/generic HTTP convention
*/
if (endpoint === "transport.request" && typeof finalData?.path === "string" && !/^\//.test(finalData?.path || "")) {
finalData.path = `/${finalData.path || ""}`;
}

/**
* Check valid method here
*/
if (endpoint === "transport.request" && data?.method) {
if (VALID_METHODS.indexOf(data.method.toUpperCase?.()) === -1) {
return response.custom({
statusCode: 200,
body: {
ok: false,
error: `Method must be one of, case insensitive ['HEAD', 'GET', 'POST', 'PUT', 'DELETE']. Received '${data.method}'.`,
},
});
}
}

const payload = useQuery ? JSON.parse(finalData || "{}") : finalData;
const commonCallerResponse = await callWithRequest(endpoint, payload || {});
return response.custom({
Expand Down