gravity-ui / rfc

Gravity RFC is a process for proposing and implementing changes in our ecosystem
MIT License

Check responseType in gateway #6

Closed SeqviriouM closed 3 months ago

SeqviriouM commented 4 months ago

Objective

The type of the returned response is not validated in @gravity-ui/gateway right now. In the case of a path traversal vulnerability, you can try to force the gateway to send a request that loads content with an unexpected response type, for example HTML content instead of JSON.

Solution Proposal

There is an idea to add an expectedResponseContentType setting to @gravity-ui/gateway. This setting will be available at the gateway config level (GatewayConfig) and at the action config level (ApiServiceRestActionConfig). If the expectedResponseContentType setting is set at the gateway config level, the gateway will check the content type of the returned response and compare it with the value specified in the expectedResponseContentType setting. In case of a mismatch, the error INVALID_RESPONSE_CONTENT_TYPE will be returned. It will also be possible to override this value by setting expectedResponseContentType at the action config level (only for rest actions).

Definition of done

Added the setting responseType to @gravity-ui/gateway
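The check proposed in the comment above, as an added example written for this page and not code from @gravity-ui/gateway: the type names GatewayConfig and ApiServiceRestActionConfig, the action-over-gateway override order and the error code INVALID_RESPONSE_CONTENT_TYPE come from the proposal; the field layout, the UpstreamResponse shape, the helper names and the constructed upstream responses are assumptions. Beyond the plain mismatch case, it handles two details a practitioner would want pinned down: Content-Type parameters such as `; charset=utf-8` are ignored when comparing media types, and a response with no Content-Type header at all fails the check rather than slipping through.

```typescript
// Added example, not @gravity-ui/gateway code. GatewayConfig,
// ApiServiceRestActionConfig and INVALID_RESPONSE_CONTENT_TYPE are named in
// the proposal; the field layout and helpers below are assumptions.

interface GatewayConfig {
  expectedResponseContentType?: string;
}

interface ApiServiceRestActionConfig {
  path: string;
  // Per-action override of the gateway-level setting (rest actions only).
  expectedResponseContentType?: string;
}

// Assumed shape of what the gateway gets back from the upstream service;
// header names are assumed to be lower-cased by the HTTP client.
interface UpstreamResponse {
  status: number;
  headers: Record<string, string>;
  body: string;
}

class GatewayError extends Error {
  code: string;
  constructor(code: string, message: string) {
    super(message);
    this.name = 'GatewayError';
    this.code = code;
  }
}

// Reduce a Content-Type header to its media type: parameters such as
// "; charset=utf-8" are dropped and case is normalised. A missing header
// yields "" and therefore never satisfies a configured expectation.
function mediaType(contentType: string | undefined): string {
  if (!contentType) {
    return '';
  }
  return contentType.split(';')[0].trim().toLowerCase();
}

// Action-level value wins over the gateway-level one; undefined means
// "nothing configured", which keeps the current behaviour (no check at all).
function expectedContentType(
  gateway: GatewayConfig,
  action: ApiServiceRestActionConfig,
): string | undefined {
  return action.expectedResponseContentType ?? gateway.expectedResponseContentType;
}

// Throws GatewayError('INVALID_RESPONSE_CONTENT_TYPE') when the upstream
// response does not carry the configured media type.
function checkResponseContentType(
  gateway: GatewayConfig,
  action: ApiServiceRestActionConfig,
  response: UpstreamResponse,
): void {
  const expected = expectedContentType(gateway, action);
  if (expected === undefined) {
    return;
  }
  const actual = mediaType(response.headers['content-type']);
  if (actual !== mediaType(expected)) {
    throw new GatewayError(
      'INVALID_RESPONSE_CONTENT_TYPE',
      `action ${action.path}: expected ${expected}, got ${actual || '<no content-type>'}`,
    );
  }
}

// Convenience wrapper: the error code on failure, null when the check passes.
function checkCode(
  gateway: GatewayConfig,
  action: ApiServiceRestActionConfig,
  response: UpstreamResponse,
): string | null {
  try {
    checkResponseContentType(gateway, action, response);
    return null;
  } catch (err) {
    if (err instanceof GatewayError) {
      return err.code;
    }
    throw err;
  }
}

// Constructed upstream responses: what a REST endpoint should return, what a
// traversal into a static HTML page returns instead, and an untyped body.
const JSON_RESPONSE: UpstreamResponse = {
  status: 200,
  headers: { 'content-type': 'application/json; charset=utf-8' },
  body: '{"id": 1, "name": "alice"}',
};
const HTML_RESPONSE: UpstreamResponse = {
  status: 200,
  headers: { 'content-type': 'text/html; charset=utf-8' },
  body: '<!doctype html><title>index</title>',
};
const UNTYPED_RESPONSE: UpstreamResponse = { status: 200, headers: {}, body: 'no header' };

// Stand-alone demo over constructed (assumed) configs.
function demo(): string[] {
  const gateway: GatewayConfig = { expectedResponseContentType: 'application/json' };
  const users: ApiServiceRestActionConfig = { path: '/users/{id}' };
  const page: ApiServiceRestActionConfig = {
    path: '/pages/{slug}',
    expectedResponseContentType: 'text/html',
  };
  return [
    `users + json: ${checkCode(gateway, users, JSON_RESPONSE)}`,
    `users + html: ${checkCode(gateway, users, HTML_RESPONSE)}`,
    `users + no content-type: ${checkCode(gateway, users, UNTYPED_RESPONSE)}`,
    `page + html (action override): ${checkCode(gateway, page, HTML_RESPONSE)}`,
  ];
}

console.log(demo().join('\n'));
```

Comparing only the media type, not the raw header string, is what makes a setting of `application/json` accept `application/json; charset=utf-8`; treating an absent header as a mismatch is deliberate, since an upstream that does not label its body gives the gateway nothing to trust.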

SeqviriouM commented 4 months ago

@resure @bezany what do you think?

SeqviriouM commented 3 months ago

The option expectedResponseContentType appeared in version @gravity-ui/gateway@2.2.0