From 8cc0cfb7cf774fc4a29b0aa9f98cfc58292e67bc Mon Sep 17 00:00:00 2001
From: "Liangying.Wei"
Date: Fri, 30 Jun 2023 00:40:07 +0800
Subject: [PATCH] =?UTF-8?q?Remove=20the=20abuse=20protection=20check=20sin?=
 =?UTF-8?q?ce=20the=20service=20always=20validates=20=E2=80=A6=20(#26333)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

…the request

### Packages impacted by this PR

@azure/web-pubsub-express
---
 sdk/web-pubsub/web-pubsub-express/CHANGELOG.md | 10 +++-------
 .../web-pubsub-express/src/cloudEventsDispatcher.ts | 10 +++++-----
 .../web-pubsub-express/test/validate.spec.ts | 12 ++++++------
 3 files changed, 14 insertions(+), 18 deletions(-)

diff --git a/sdk/web-pubsub/web-pubsub-express/CHANGELOG.md b/sdk/web-pubsub/web-pubsub-express/CHANGELOG.md
index 65e97b5ebf42..a34d361a7fc9 100644
--- a/sdk/web-pubsub/web-pubsub-express/CHANGELOG.md
+++ b/sdk/web-pubsub/web-pubsub-express/CHANGELOG.md
@@ -1,15 +1,11 @@
 # Release History
 
-## 1.0.5 (Unreleased)
-
-### Features Added
-
-### Breaking Changes
-
-### Bugs Fixed
+## 1.0.5 (2023-06-28)
 
 ### Other Changes
 
+- Remove the abuse protection check since the service always validates the request
+
 ## 1.0.4 (2023-04-03)
 
 ### Bugs Fixed
diff --git a/sdk/web-pubsub/web-pubsub-express/src/cloudEventsDispatcher.ts b/sdk/web-pubsub/web-pubsub-express/src/cloudEventsDispatcher.ts
index ea78b2b248d2..8b6661dd2ed7 100644
--- a/sdk/web-pubsub/web-pubsub-express/src/cloudEventsDispatcher.ts
+++ b/sdk/web-pubsub/web-pubsub-express/src/cloudEventsDispatcher.ts
@@ -207,16 +207,16 @@ export class CloudEventsDispatcher {
     if (!isWebPubSubRequest(req)) {
       return false;
     }
-    const origin = utils.getHttpHeader(req, "webhook-request-origin")?.toLowerCase();
+    const origin = utils.getHttpHeader(req, "webhook-request-origin");
     if (origin === undefined) {
       logger.warning("Expecting webhook-request-origin header.");
       res.statusCode = 400;
-    } else if (this._allowAll || this._allowedOrigins.indexOf(origin!) > -1) {
-      res.setHeader("WebHook-Allowed-Origin", origin!);
+    } else if (this._allowAll) {
+      res.setHeader("WebHook-Allowed-Origin", "*");
     } else {
-      logger.warning("Origin does not match the allowed origins: " + this._allowedOrigins);
-      res.statusCode = 400;
+      // service to do the check
+      res.setHeader("WebHook-Allowed-Origin", this._allowedOrigins);
     }
     res.end();
diff --git a/sdk/web-pubsub/web-pubsub-express/test/validate.spec.ts b/sdk/web-pubsub/web-pubsub-express/test/validate.spec.ts
index da2e66d43a70..716279f90b37 100644
--- a/sdk/web-pubsub/web-pubsub-express/test/validate.spec.ts
+++ b/sdk/web-pubsub/web-pubsub-express/test/validate.spec.ts
@@ -16,7 +16,7 @@ describe("Abuse protection works", function () {
     assert.isFalse(result);
   });
 
-  it("When allow all endpoints the requested host should return", function () {
+  it("When allow all endpoints return *", function () {
     const req = new IncomingMessage(new Socket());
     req.headers["ce-awpsversion"] = "1.0";
     req.headers["webhook-request-origin"] = "a.com";
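Review bot: The new `else` branch answers the preflight with 200 for any `webhook-request-origin` and advertises the whole configured allow-list in `WebHook-Allowed-Origin`, so the comment `// service to do the check` should spell out the trust model rather than hint at it, e.g. `// Origin is no longer enforced here: we advertise the configured allow-list and rely on the Web PubSub service to compare it with the origin it sent; anyone who can reach this preflight can read the list.` Note that `res.setHeader` with an array emits one header line per entry, which is why the tests read the header back `as string[]`; if the service follows the CloudEvents WebHook abuse-protection spec literally (a single matching origin or `*`), confirm it accepts this multi-valued form before relying on it. The enclosing method (`handlePreflight`, judging by the tests) starts and ends outside the hunk, and the header's 16-line counts exceed the lines visible here, so some trailing context appears to have been lost in the paste.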
@@ -25,10 +25,10 @@ describe("Abuse protection works", function () {
     const result = dispatcher.handlePreflight(req, res);
 
     assert.isTrue(result);
-    assert.equal("a.com", res.getHeader("webhook-allowed-origin"));
+    assert.equal("*", res.getHeader("webhook-allowed-origin"));
   });
 
-  it("Support valid url in allowed endpoints and only return the one in the request", function () {
+  it("Support valid url in allowed endpoints and return them", function () {
     const req = new IncomingMessage(new Socket());
     req.headers["ce-awpsversion"] = "1.0";
     req.headers["webhook-request-origin"] = "a.com";
@@ -39,10 +39,10 @@ describe("Abuse protection works", function () {
     const result = dispatcher.handlePreflight(req, res);
 
     assert.isTrue(result);
-    assert.equal("a.com", res.getHeader("webhook-allowed-origin"));
+    assert.sameMembers(["a.com", "b.com"], res.getHeader("webhook-allowed-origin") as string[]);
   });
 
-  it("Not allowed endpoints should return 400", function () {
+  it("Not allowed endpoints should return 200 and we reply on service to do the validation", function () {
     const req = new IncomingMessage(new Socket());
     req.headers["ce-awpsversion"] = "1.0";
     req.headers["webhook-request-origin"] = "a.com";
@@ -53,6 +53,6 @@ describe("Abuse protection works", function () {
     const result = dispatcher.handlePreflight(req, res);
 
     assert.isTrue(result);
-    assert.equal(400, res.statusCode);
+    assert.sameMembers(["c.com", "b.com"], res.getHeader("webhook-allowed-origin") as string[]);
   });
 });
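Review bot: The `@@ -53` hunk removes `assert.equal(400, res.statusCode)` while the test's new title promises a 200, yet nothing asserts the status code any more, so a regression that still sets `res.statusCode = 400` for a non-listed origin would pass; add `assert.equal(200, res.statusCode);` beside the `sameMembers` check (a Node `ServerResponse` starts at 200, which is what the handler now relies on). The same title, introduced in the `@@ -39` hunk, has a typo: `we reply on service` should read `we rely on the service`. With origin enforcement delegated to the service, `describe("Abuse protection works", …)` is now a misnomer; consider `describe("Abuse protection preflight", …)` or a one-line comment stating that the suite only checks the advertised `WebHook-Allowed-Origin` header, not rejection of unknown origins.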