Objective
The type of the returned response is currently not validated in @gravity-ui/gateway. In the case of a path traversal vulnerability, it is possible to force the gateway to send a request that loads content with an unexpected response type, for example HTML content instead of JSON.
Solution Proposal
There is an idea to add an expectedResponseContentType setting to @gravity-ui/gateway. This setting will be available at the gateway config level (GatewayConfig) and at the action config level (ApiServiceRestActionConfig). If expectedResponseContentType is set at the gateway config level, the gateway will check the content type of the returned response and compare it with the value specified in the expectedResponseContentType setting. In case of a mismatch, the error INVALID_RESPONSE_CONTENT_TYPE will be returned. It will also be possible to override this value by setting expectedResponseContentType at the action config level (only for rest-actions).
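The following is an added example, not code from @gravity-ui/gateway, that models the proposed check: the expected content type is resolved from the gateway-level setting with an action-level override, the upstream Content-Type header is reduced to its media type (parameters such as charset are ignored), and a mismatch or a missing header yields INVALID_RESPONSE_CONTENT_TYPE instead of forwarding the body. The config shapes follow the proposal above; the helper function names, the shape of the returned result object, and the sample configs and headers are assumptions constructed for this example.

```javascript
// Added example (not @gravity-ui/gateway code): a minimal model of the
// proposed expectedResponseContentType check. Field names mirror the proposal
// (GatewayConfig / ApiServiceRestActionConfig); function names are assumptions.

const INVALID_RESPONSE_CONTENT_TYPE = 'INVALID_RESPONSE_CONTENT_TYPE';

// Resolve which content type is expected for an action: the action-level
// setting (rest actions only) overrides the gateway-level one. Returns null
// when neither level configures an expectation.
function resolveExpectedContentType(gatewayConfig, actionConfig) {
  if (actionConfig && actionConfig.expectedResponseContentType) {
    return actionConfig.expectedResponseContentType;
  }
  return (gatewayConfig && gatewayConfig.expectedResponseContentType) || null;
}

// Reduce a Content-Type header to its media type: drop parameters such as
// "; charset=utf-8", trim, lower-case. Returns null for a missing/empty header.
function parseMediaType(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const mediaType = headerValue.split(';')[0].trim().toLowerCase();
  return mediaType.length > 0 ? mediaType : null;
}

// Validate upstream response headers against the resolved expectation.
// Returns {ok: true} when no expectation is configured or the media type
// matches; otherwise {ok: false, error: INVALID_RESPONSE_CONTENT_TYPE, ...}
// so the caller refuses to pass the body on. A missing Content-Type header
// is treated as a mismatch rather than silently accepted.
function checkResponseContentType(responseHeaders, expected) {
  if (!expected) return { ok: true };
  const actual = parseMediaType(responseHeaders && responseHeaders['content-type']);
  const expectedMediaType = parseMediaType(expected);
  if (actual !== expectedMediaType) {
    return { ok: false, error: INVALID_RESPONSE_CONTENT_TYPE, expected: expectedMediaType, actual };
  }
  return { ok: true };
}

// Resolve and check in one call, as a gateway would do per action.
function validateActionResponse(gatewayConfig, actionConfig, responseHeaders) {
  const expected = resolveExpectedContentType(gatewayConfig, actionConfig);
  return checkResponseContentType(responseHeaders, expected);
}

// Constructed sample configs and response headers for a stand-alone run.
const gatewayConfig = { expectedResponseContentType: 'application/json' };
const jsonAction = {};                                            // inherits gateway-level setting
const htmlAction = { expectedResponseContentType: 'text/html' }; // action-level override

const jsonResponse = { 'content-type': 'application/json; charset=utf-8' };
const htmlResponse = { 'content-type': 'text/html; charset=utf-8' };
const noTypeResponse = {};

console.log(validateActionResponse(gatewayConfig, jsonAction, jsonResponse));   // { ok: true }
console.log(validateActionResponse(gatewayConfig, jsonAction, htmlResponse));   // error: INVALID_RESPONSE_CONTENT_TYPE
console.log(validateActionResponse(gatewayConfig, htmlAction, htmlResponse));   // { ok: true }
console.log(validateActionResponse(gatewayConfig, jsonAction, noTypeResponse)); // error: INVALID_RESPONSE_CONTENT_TYPE
```

The comparison is deliberately on the bare media type only, so "application/json; charset=utf-8" satisfies an expectation of "application/json" while "text/html" does not; whether structured-syntax variants such as "application/problem+json" should also be accepted is a design decision the proposal leaves open.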
Definition of done
Added the responseType setting to @gravity-ui/gateway