
Endpoint undeclared but currently accessible #5786

Open Blasci opened 9 months ago

Blasci commented 9 months ago

Branch/Environment/Version

Describe the bug: It is possible to access an undeclared endpoint via Tyk when a more general endpoint is declared.

Reproduction steps: Steps to reproduce the behavior:

  1. Add the general endpoint "GET /endpoint/{id}" in Tyk.
  2. In your application code, add an endpoint such as "GET /endpoint/{id}/otherEndPoint", but do not declare it in Tyk.
  3. The endpoint "/endpoint/{id}/otherEndPoint" can be reached with curl through Tyk, even though it is not declared in Tyk.

Actual behavior: For example, in our case some developers create endpoints that they deliberately do not publish in Tyk for security reasons, yet those endpoints are currently accessible through the gateway.

Expected behavior: Could Tyk detect whether a path segment is a "real" parameter (for example, one that does not contain any "/"), or something along those lines?

andyo-tyk commented 9 months ago

Hi @Blasci,

It sounds like you need to enable an Allow List to get the functionality you require.

By adding the allowed paths to the list, Tyk will automatically block all other paths.

Please give this a try and let me know if it works for you.

Thanks for trying Tyk!

Blasci commented 9 months ago

Hi @andyo-tyk

Oh, sorry, I forgot to mention it: I have already activated the Whitelist plugin.

This is why I opened this issue.

Thanks for your answer!

andyo-tyk commented 9 months ago

Hi @Blasci,

Would you be able to share your API Definition, please, so that we can check whether there is something wrong in the configuration?

Please remember to obfuscate any sensitive data before sharing!

Blasci commented 8 months ago

Hi @andyo-tyk

Yes! Here is my API Definition:

{
  "api_definition": {
    "CORS": {
      "allow_credentials": false,
      "allowed_headers": [],
      "allowed_methods": [],
      "allowed_origins": [],
      "debug": false,
      "enable": false,
      "exposed_headers": [],
      "max_age": 0,
      "options_passthrough": false
    },
    "active": true,
    "allowed_ips": [],
    "api_id": "01234567890123456789012345678901",
    "auth": {
      "auth_header_name": "Authorization",
      "cookie_name": "",
      "param_name": "",
      "signature": {
        "algorithm": "",
        "allowed_clock_skew": 0,
        "error_code": 0,
        "error_message": "",
        "header": "",
        "param_name": "",
        "secret": "",
        "use_param": false
      },
      "use_certificate": false,
      "use_cookie": false,
      "use_param": false,
      "validate_signature": false
    },
    "auth_configs": {
      "authToken": {
        "auth_header_name": "Authorization",
        "cookie_name": "",
        "param_name": "",
        "signature": {
          "algorithm": "",
          "allowed_clock_skew": 0,
          "error_code": 0,
          "error_message": "",
          "header": "",
          "param_name": "",
          "secret": "",
          "use_param": false
        },
        "use_certificate": false,
        "use_cookie": false,
        "use_param": false,
        "validate_signature": false
      },
      "jwt": {
        "auth_header_name": "Authorization",
        "cookie_name": "",
        "param_name": "",
        "signature": {
          "algorithm": "",
          "allowed_clock_skew": 0,
          "error_code": 0,
          "error_message": "",
          "header": "",
          "param_name": "",
          "secret": "",
          "use_param": false
        },
        "use_certificate": false,
        "use_cookie": false,
        "use_param": false,
        "validate_signature": false
      }
    },
    "auth_provider": {
      "meta": {},
      "name": "",
      "storage_engine": ""
    },
    "base_identity_provided_by": "",
    "basic_auth": {
      "body_password_regexp": "",
      "body_user_regexp": "",
      "cache_ttl": 0,
      "disable_caching": false,
      "extract_from_body": false
    },
    "blacklisted_ips": [],
    "cache_options": {
      "cache_all_safe_requests": false,
      "cache_by_headers": [],
      "cache_control_ttl_header": "",
      "cache_response_codes": [],
      "cache_timeout": 60,
      "enable_cache": false,
      "enable_upstream_cache_control": false
    },
    "certificates": [],
    "client_certificates": [],
    "config_data": {},
    "custom_middleware": {
      "auth_check": {
        "name": "",
        "path": "",
        "raw_body_only": false,
        "require_session": false
      },
      "driver": "",
      "id_extractor": {
        "extract_from": "",
        "extract_with": "",
        "extractor_config": {}
      },
      "post": [],
      "post_key_auth": [],
      "pre": [],
      "response": []
    },
    "custom_middleware_bundle": "my-custom-bundle.zip",
    "definition": {
      "key": "x-api-version",
      "location": "header",
      "strip_path": false
    },
    "disable_quota": false,
    "disable_rate_limit": false,
    "do_not_track": false,
    "domain": "",
    "dont_set_quota_on_create": false,
    "enable_batch_request_support": false,
    "enable_context_vars": false,
    "enable_coprocess_auth": false,
    "enable_detailed_recording": false,
    "enable_ip_blacklisting": false,
    "enable_ip_whitelisting": false,
    "enable_jwt": false,
    "enable_proxy_protocol": false,
    "enable_signature_checking": false,
    "event_handlers": {
      "events": {}
    },
    "expire_analytics_after": 0,
    "global_rate_limit": {
      "per": 0,
      "rate": 0
    },
    "graphql": {
      "enabled": false,
      "engine": {
        "data_sources": [],
        "field_configs": []
      },
      "execution_mode": "",
      "playground": {
        "enabled": false,
        "path": ""
      },
      "proxy": {
        "auth_headers": {}
      },
      "schema": "",
      "subgraph": {
        "sdl": ""
      },
      "supergraph": {
        "disable_query_batching": false,
        "global_headers": {},
        "merged_sdl": "",
        "subgraphs": []
      },
      "type_field_configurations": [],
      "version": ""
    },
    "hmac_allowed_algorithms": [],
    "hmac_allowed_clock_skew": -1,
    "id": "012345678901234567890123",
    "internal": false,
    "jwt_client_base_field": "",
    "jwt_default_policies": [],
    "jwt_expires_at_validation_skew": 0,
    "jwt_identity_base_field": "",
    "jwt_issued_at_validation_skew": 0,
    "jwt_not_before_validation_skew": 0,
    "jwt_policy_field_name": "",
    "jwt_scope_claim_name": "",
    "jwt_scope_to_policy_mapping": {},
    "jwt_signing_method": "",
    "jwt_skip_kid": false,
    "jwt_source": "",
    "listen_port": 0,
    "name": "my-api",
    "notifications": {
      "oauth_on_keychange_url": "",
      "shared_secret": ""
    },
    "oauth_meta": {
      "allowed_access_types": [],
      "allowed_authorize_types": [],
      "auth_login_redirect": ""
    },
    "openid_options": {
      "providers": [],
      "segregate_by_client": false
    },
    "org_id": "012345678901234567890123",
    "pinned_public_keys": {},
    "protocol": "",
    "proxy": {
      "check_host_against_uptime_tests": false,
      "disable_strip_slash": false,
      "enable_load_balancing": false,
      "listen_path": "/v1/my-api/",
      "preserve_host_header": false,
      "service_discovery": {
        "cache_timeout": 0,
        "data_path": "",
        "endpoint_returns_list": false,
        "parent_data_path": "",
        "port_data_path": "",
        "query_endpoint": "",
        "target_path": "",
        "use_discovery_service": false,
        "use_nested_query": false,
        "use_target_list": false
      },
      "strip_listen_path": true,
      "target_list": [],
      "target_url": "https://my-api.url",
      "transport": {
        "proxy_url": "",
        "ssl_ciphers": [],
        "ssl_force_common_name_check": false,
        "ssl_insecure_skip_verify": false,
        "ssl_max_version": 0,
        "ssl_min_version": 0
      }
    },
    "request_signing": {
      "algorithm": "",
      "certificate_id": "",
      "header_list": [],
      "is_enabled": false,
      "key_id": "",
      "secret": "",
      "signature_header": ""
    },
    "response_processors": [],
    "session_lifetime": 0,
    "session_provider": {
      "meta": {},
      "name": "",
      "storage_engine": ""
    },
    "slug": "my-api",
    "strip_auth_data": false,
    "tag_headers": [],
    "tags": [],
    "upstream_certificates": {},
    "uptime_tests": {
      "check_list": [],
      "config": {
        "expire_utime_after": 0,
        "recheck_wait": 0,
        "service_discovery": {
          "cache_timeout": 60,
          "data_path": "",
          "endpoint_returns_list": false,
          "parent_data_path": "",
          "port_data_path": "",
          "query_endpoint": "",
          "target_path": "",
          "use_discovery_service": false,
          "use_nested_query": false,
          "use_target_list": false
        }
      }
    },
    "use_basic_auth": false,
    "use_go_plugin_auth": true,
    "use_keyless": false,
    "use_mutual_tls_auth": false,
    "use_oauth2": false,
    "use_openid": false,
    "use_standard_auth": false,
    "version_data": {
      "default_version": "",
      "not_versioned": true,
      "versions": {
        "Default": {
          "expires": "",
          "extended_paths": {
            "white_list": [
              {
                "ignore_case": false,
                "method_actions": {
                  "GET": {
                    "action": "no_action",
                    "code": 200,
                    "data": "",
                    "headers": {}
                  }
                },
                "path": "/endpoint/{id}"
              },
              {
                "ignore_case": false,
                "method_actions": {
                  "GET": {
                    "action": "no_action",
                    "code": 200,
                    "data": "",
                    "headers": {}
                  }
                },
                "path": "/endpoint/{id}/otherEndPoint"
              }
            ]
          },
          "global_headers": {
            "X-Forwarded-Prefix": "/v1/my-api"
          },
          "global_headers_remove": [],
          "global_response_headers": {},
          "global_response_headers_remove": [],
          "global_size_limit": 0,
          "ignore_endpoint_case": false,
          "name": "Default",
          "override_target": "",
          "paths": {
            "black_list": [],
            "ignored": [],
            "white_list": []
          },
          "use_extended_paths": true
        }
      }
    }
  },
  "api_model": {},
  "created_at": "2023-10-23T11:28:30+02:00",
  "hook_references": [],
  "is_site": false,
  "sort_by": 0,
  "user_group_owners": [],
  "user_owners": []
}