Skip to content

Please update Endpoints sample to use case sensitive routing #333

New issue
New issue
Closed
Closed
Please update Endpoints sample to use case sensitive routing#333
Labels
🚨This issue needs some love.triage meI really want to be triaged.
@sepehre

Description

@sepehre
sepehre
opened on Apr 4, 2017

Nodejs Express defaults to case insensitive routing apparently:
http://stackoverflow.com/a/21216582

This could be problematic when combined with the Endpoints x-google-allow=all feature and auth enforced by ESP. ESP correctly does case sensitive path matching and if x-google-allow=all is set, it would let unmatched requests go to the backend.

If the Nodejs Express backend does its path matching in a case insensitive manner, an attacker can easily bypass ESP's auth checks by using "/eCHo" instead of "/echo"

Does that make sense?

Metadata

Assignees

No one assigned

    Labels

    🚨This issue needs some love.triage meI really want to be triaged.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions