Open tloubrieu-jpl opened 1 year ago
@jordanpadams @tloubrieu-jpl
Does spring- process the URL prior to swaggerhub code getting a hold of it? If we can say spring- passes all URLs through and that swaggerhub handles errors then what sanitation needs to take place?
@al-niessner I think this is related to some of the vulnerabilities identified here: https://github.com/NASA-PDS/registry-api/issues/121
if any of those require us to sanitize URLs to ensure they do not allow any vulnerabilities in the service
Moving to icebox for now. No vulnerabilities identified at this time, and the current API only allows read access directly to/from OpenSearch.
💡 Description
There might be a library or methodology to reject any suspicious parameters from the API. That might be part of Spring Boot (we can dream).