dotCMS / core

Headless/Hybrid Content Management System for Enterprises
http://dotcms.com

Properly handle Verbs for Access-Control-Allow-Methods #23000

Open swicken-dotcms opened 1 year ago

swicken-dotcms commented 1 year ago

Is your feature request related to a problem? Please describe.

Currently every request to an API generates the following response header: access-control-allow-methods: GET,PUT,POST,DELETE,HEAD,OPTIONS,PATCH. While there is currently no known exploit in dotCMS related to this, security best practices dictate that we should only respond with the HTTP Verbs we accept on any given endpoint.

Related Ticket: https://dotcms.zendesk.com/agent/tickets/108479

Describe the solution you'd like

For all of our inbuilt APIs, these headers should be generated based on the HTTP Verbs that are accepted in the resource.

For the scripting API, we should scan the directory for each path to determine the HTTP Verbs that are accepted.

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

erickgonzalez commented 1 year ago

Reproduced in demo

mbiuki commented 2 months ago

@swicken-dotcms Could this be covered by adding a dotCMS ruleset?

swicken-dotcms commented 2 months ago

> @swicken-dotcms Could this be covered by adding a dotCMS ruleset?

No, @mbiuki. This configuration needs to be set per API route and is controlled by us. It should not be an expectation on the end user. Each route should respond with a header specifying the verbs it accepts as part of the standard REST protocol.

mbiuki commented 1 month ago

I'd suggest we work out the responses alongside adding verbs to our swagger file. Not sure if there is a tool to automatically generate one from the other. https://demo.dotcms.com/api/openapi.json

I think it would start from the above - to identify and add accepted HTTP methods for each endpoint in our swagger file.

mbiuki commented 1 month ago

This could potentially be covered by a WAF that disallows prohibited verbs, or by the back-end: if it does not accept a particular verb, the back-end would just not support it (405 most likely).
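To illustrate the per-route behaviour requested in the issue description and the 405 handling mentioned in the comment above, here is an added example (not dotCMS code): a constructed route table, a function that derives the verb list from what each route actually implements, and a request handler that advertises only that list and answers unsupported verbs with 405 plus an Allow header. The paths and handler sets are made up for the example.

```python
from __future__ import annotations

# Constructed route table for the example: path -> verbs the resource implements.
# In a real framework this would come from the resource's method annotations.
ROUTES: dict[str, set[str]] = {
    "/api/v1/content": {"GET", "POST"},
    "/api/v1/content/{id}": {"GET", "PUT", "PATCH", "DELETE"},
    "/api/v1/health": {"GET"},
}


def allowed_methods(path: str) -> set[str]:
    """Verbs a route accepts: its own handlers plus implicit OPTIONS,
    and HEAD whenever GET is implemented. Unknown paths return an empty set."""
    verbs = set(ROUTES.get(path, set()))
    if not verbs:
        return verbs
    verbs.add("OPTIONS")
    if "GET" in verbs:
        verbs.add("HEAD")
    return verbs


def respond(method: str, path: str, headers: dict[str, str]) -> tuple[int, dict[str, str]]:
    """Return (status, response headers) for a request.

    Instead of one static list for every endpoint, only the per-route verb
    list is advertised; verbs the route does not implement get 405 + Allow."""
    verbs = allowed_methods(path)
    if not verbs:
        return 404, {}
    allow = ",".join(sorted(verbs))
    if method.upper() == "OPTIONS":
        requested = headers.get("Access-Control-Request-Method")
        if requested and requested.upper() not in verbs:
            # Preflight for a verb this route lacks: answer without the CORS
            # header so the browser blocks the cross-origin call.
            return 204, {"Allow": allow}
        return 204, {"Allow": allow, "Access-Control-Allow-Methods": allow}
    if method.upper() not in verbs:
        return 405, {"Allow": allow}
    return 200, {"Access-Control-Allow-Methods": allow}


if __name__ == "__main__":
    for m, p in [("OPTIONS", "/api/v1/health"), ("DELETE", "/api/v1/health"),
                 ("PATCH", "/api/v1/content/{id}")]:
        print(m, p, respond(m, p, {}))
```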

mbiuki commented 1 month ago

@nollymar - please review and possibly assign it to the intern to take it forward with respect to creating respective verbs for each query, thanks.

mbiuki commented 1 month ago

Scout team to discuss internally, thanks.

mbiuki commented 1 week ago

@nollymar - can you please give us an update? I believe this would have been taken forward with the newly hired intern?