spring-cloud / spring-cloud-config

External configuration (server and client) for Spring Cloud
Apache License 2.0

Config Server is giving 200 response for non-existing repos #1730

Open shivakrishna-k opened 4 years ago

shivakrishna-k commented 4 years ago

We have a config server setup using a git backend which is working fine. However, the config server is giving a 200 response for any arbitrary URL instead of 404 Not Found. This is causing issues with our security team when they scan our application. For example, when we query

configserver url/application/owa_util.listprint(any junk) we are getting the following response:

{ "name" : "", "profiles" : [ "owa_util.listprint" ], "label" : null, "version" : "55ebd770c77b8aab100bbb5fb92624f9e74de4b7", "state" : null, "propertySources" : [ ] }

I have gone through the source code and searched in spring-configuration-metadata.json but could not find a property to disable it. Hence filing it as bug. Apologies in advance if it is not a bug and there is a property to disable it.

spencergibb commented 4 years ago

That is by design. Because of composite configurations and the client not even knowing that it might be served by git, config server returns an empty success. Config server should be protected by spring security and not open to arbitrary non-authenticated requests.

shivakrishna-k commented 4 years ago

Hi Spencer, Thanks for taking the time to look into this. The issue is that even if the config server is protected (we need to provide credentials to our cyber security team if the service is protected, for them to scan), the core issue will remain as it is. That is, the config server serving a 200 response for non-existing repos. Because of this, they are able to get a response for various strings they have appended to URLs, and they are raising these issues.

If it cannot be changed for the wider audience, will you be able to point us to where we have to make changes to change this behavior?

Thanks, Shiva
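An added example, not code from this thread or from the Spring Cloud Config project, showing the two things discussed above in one Spring Boot configuration class: the Spring Security protection Spencer recommends (every request, including the `/{application}/{profile}` endpoints, must be authenticated), and a local answer to Shiva's question of where a 404 can be produced without changing the server's by-design empty-success behaviour: a servlet filter placed after authentication that rejects path segments which cannot be a legitimate application, profile or label name. The `SAFE_SEGMENT` allowlist, the class and filter names, and the Spring Boot 2.x / Spring Security 5.4+ (`javax.servlet`) API level are assumptions for this example; the allowlist must be widened to match your own application names, comma-separated profiles and branch labels.

```java
package com.example.configserver;

import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Example-only security setup for a Spring Cloud Config server (not the project's code).
 * 1. Every request must be authenticated (HTTP Basic here), so unauthenticated scanners
 *    get 401 rather than the "empty success" body shown in the issue.
 * 2. Authenticated requests whose path segments cannot be a valid application, profile
 *    or label name get 404 before they reach the config endpoints, so a probe such as
 *    /application/owa_util.listprint(any junk) is answered with Not Found.
 */
@Configuration
public class ConfigServerSecurity {

    // Constructed allowlist for this example: letters, digits, '.', '_', ',' and '-',
    // which covers names like "application", "dev,cloud" or a git commit id used as a label.
    // Anything else (spaces, parentheses, quotes, ...) is treated as a non-existent resource.
    static final Pattern SAFE_SEGMENT = Pattern.compile("[A-Za-z0-9._,-]{1,64}");

    @Bean
    public SecurityFilterChain configServerFilterChain(HttpSecurity http) throws Exception {
        http
            // Config clients are non-browser callers sending credentials; CSRF tokens do not apply.
            .csrf(csrf -> csrf.disable())
            .authorizeRequests(auth -> auth
                .antMatchers("/actuator/health").permitAll()   // liveness probe only
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            // Runs after Basic auth has been evaluated, so the 404 is only seen by authenticated callers.
            .addFilterAfter(new UnknownResourceFilter(), BasicAuthenticationFilter.class);
        return http.build();
    }

    /** Hypothetical filter: maps syntactically impossible application/profile/label names to 404. */
    static final class UnknownResourceFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            // Strip the context path so only the config server's own route is inspected.
            String path = request.getRequestURI().substring(request.getContextPath().length());
            for (String segment : path.split("/")) {
                if (!segment.isEmpty() && !SAFE_SEGMENT.matcher(segment).matches()) {
                    response.sendError(HttpServletResponse.SC_NOT_FOUND);
                    return;
                }
            }
            chain.doFilter(request, response);
        }
    }
}
```

With this class on the server's classpath, the Basic credentials can be set with the standard Spring Boot properties `spring.security.user.name` and `spring.security.user.password`, and config clients present them through `spring.cloud.config.username` and `spring.cloud.config.password`. Note that the filter does not make the server return 404 for a well-formed name that simply has no matching files in git; as Spencer explains, a composite backend cannot know that, so the empty `propertySources` response for such names is unchanged.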