mirrors/nomulus
1
0
Fork 0
mirror of https://github.com/google/nomulus synced 2026-02-11 15:21:28 +00:00
Code Issues Releases Wiki Activity

Make BiqueryPollJobAction endpoint internal only (#955)

Browse Source 
* Make BiqueryPollJobAction endpoint internal only

This endpoint makes use of java object deserialization, which allows a
malicious actor to craft a request that can initiate overly broad actions on
the server.  Since this endpoint is not widely used for operational purposes,
limit its authorization to "internal only" so that no user agents (even with
admin privs) can access it.
This commit is contained in:
Michael Muller
2021-02-05 07:50:51 -05:00
committed by GitHub
parent 5100057dd5
commit 29bf0f3965
4 changed files with 60 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
core/src/test/java/google/registry/request/RequestHandlerTest.java
View File

@@ -18,6 +18,7 @@ import static com.google.common.truth.Truth.assertThat;
import static com.google.common.truth.Truth8.assertThat;
import static google.registry.request.Action.Method.GET;
import static google.registry.request.Action.Method.POST;
import static google.registry.request.auth.Auth.AUTH_INTERNAL_ONLY;
import static google.registry.request.auth.Auth.AUTH_INTERNAL_OR_ADMIN;
import static google.registry.request.auth.Auth.AUTH_PUBLIC;
import static org.mockito.ArgumentMatchers.any;
@@ -140,6 +141,17 @@ public final class RequestHandlerTest {
}
}
@Action(
service = Action.Service.DEFAULT,
path = "/auth/internal",
auth = AUTH_INTERNAL_ONLY,
method = GET)
public class AuthInternalAction extends AuthBase {
AuthInternalAction(AuthResult authResult) {
super(authResult);
}
}
public class Component {
private RequestModule requestModule = null;
@@ -179,6 +191,10 @@ public final class RequestHandlerTest {
public AuthAdminUserAction authAdminUserAction() {
return new AuthAdminUserAction(component.getRequestModule().provideAuthResult());
}
public AuthInternalAction authInternalAction() {
return new AuthInternalAction(component.getRequestModule().provideAuthResult());
}
}
/** Fake Builder for the fake component above to satisfy RequestHandler expectations. */
@@ -462,4 +478,32 @@ public final class RequestHandlerTest {
assertThat(providedAuthResult.userAuthInfo().get().oauthTokenInfo()).isEmpty();
assertMetric("/auth/adminUser", GET, AuthLevel.USER, true);
}
@Test
void testInternalAuthNeeded_failure() throws Exception {
when(req.getMethod()).thenReturn("GET");
when(req.getRequestURI()).thenReturn("/auth/internal");
when(requestAuthenticator.authorize(AUTH_INTERNAL_ONLY.authSettings(), req))
.thenReturn(Optional.empty());
handler.handleRequest(req, rsp);
verify(rsp).sendError(403, "Not authorized");
assertThat(providedAuthResult).isNull();
}
@Test
void testInternalAuthNeeded_success() throws Exception {
when(req.getMethod()).thenReturn("GET");
when(req.getRequestURI()).thenReturn("/auth/internal");
when(requestAuthenticator.authorize(AUTH_INTERNAL_ONLY.authSettings(), req))
.thenReturn(Optional.of(AuthResult.create(AuthLevel.APP)));
handler.handleRequest(req, rsp);
assertThat(providedAuthResult).isNotNull();
assertThat(providedAuthResult.authLevel()).isEqualTo(AuthLevel.APP);
assertThat(providedAuthResult.userAuthInfo()).isEmpty();
assertMetric("/auth/internal", GET, AuthLevel.APP, true);
}
}

2
core/src/test/resources/google/registry/module/backend/backend_routing.txt
View File

@@ -24,7 +24,7 @@ PATH CLASS METHOD
/_dr/task/icannReportingUpload IcannReportingUploadAction POST n INTERNAL,API APP ADMIN
/_dr/task/nordnUpload NordnUploadAction POST y INTERNAL,API APP ADMIN
/_dr/task/nordnVerify NordnVerifyAction POST y INTERNAL,API APP ADMIN
/_dr/task/pollBigqueryJob BigqueryPollJobAction GET,POST y INTERNAL,API APP ADMIN
/_dr/task/pollBigqueryJob BigqueryPollJobAction GET,POST y INTERNAL APP IGNORED
/_dr/task/publishDnsUpdates PublishDnsUpdatesAction POST y INTERNAL,API APP ADMIN
/_dr/task/publishInvoices PublishInvoicesAction POST n INTERNAL,API APP ADMIN
/_dr/task/publishSpec11 PublishSpec11ReportAction POST n INTERNAL,API APP ADMIN