
chore(bot): constrain HTTP Get for public folder #1225

Merged
merged 1 commit into from
May 28, 2021

Conversation

IvanJobs (Contributor)

@@ -79,7 +79,7 @@ server.post("/api/messages", async (req, res) => {
});

server.get(
"/*",
/auth-start\.html|auth-end\.html/,
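Review bot: the new route pattern `/auth-start\.html|auth-end\.html/` has no `^` or `$` anchors, so it matches any request path that merely contains one of those substrings (`/static/auth-start.html`, `/auth-end.html.bak`, `/x/auth-start.html`), not only the two files the public folder holds. Anchor it to the exact paths, e.g. `/^\/(auth-start|auth-end)\.html$/`, and confirm that the handler following the hunk (not visible here) serves the matched file by a fixed name rather than by joining the raw request path onto the public directory, since the regex alone does not prevent that.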
Contributor

In fact, I don't quite understand this problem. Since it is the public folder, why do we limit the access? Don't we provide any JS file on the website?

Contributor

I think the issue is that the error message contains information from outside the public folder. So do we really fix it this way?

Contributor

If we really only need to provide the two paths on the website, I think it is ok.

Contributor Author (IvanJobs)

Thanks for the comments. To provide context, the public folder contains only two html files, which, as you can guess, are for the authentication flow. The former scope of the Get was too broad, that is, all Get requests were redirected into the public folder, but we only want to serve just two specific html files.
After the route is limited, any other request will get an HTTP 500 code, and no inner path will be exposed.

@IvanJobs IvanJobs merged commit c374f6f into dev May 28, 2021
@IvanJobs IvanJobs deleted the ruhe/constrain_valid_get branch May 28, 2021 04:51
1yefuwang1 pushed a commit that referenced this pull request Jun 2, 2021
1yefuwang1 added a commit that referenced this pull request Jun 7, 2021