Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Variables in headers : Avoid secrets in the payload #79

Closed
baubakg opened this issue Mar 14, 2024 · 0 comments · Fixed by #121
Closed

Variables in headers : Avoid secrets in the payload #79

baubakg opened this issue Mar 14, 2024 · 0 comments · Fixed by #121
Assignees
@baubakg
Labels
enhancement New feature or request
Milestone
2.11.16

Comments

@baubakg
Copy link
Member

baubakg commented Mar 14, 2024
edited
Loading

The json payload is quite dangerous regarding secrets. We need to find a way to avoid passing secrets dirctly in the payload.

We can send secrets in the headers. When received they are available to the calls as values.

We also forbid the showing of these variables by chance. I.e. if the result is equal to a header we do not show it.

Rules: Header should have the prefix "IBS-"

Example:

  1. We call http://localhost:8080/call
  2. We pass headers IBS-USERNAME, IBS-password
  3. Payload
{
    "callContent": {
        "LOIGIN": {
            "class": "<package name>.<class Name>",
            "method": "<method name>",
            "args": ["IBS-USERNAME","IBS-password"]
        }
    }
}

In the call above the callContent payload will not have the secrets directly in the payload. When dealig with the payload we directly fetch the secrets from the headers.

If the result contains the secrets, we will either:

  • Throw and exception/forbidden return value
  • Obfuscate the result

Exceptions:
ConfigException if the header variable is also the title of a callContent
ConfigException if the header variable is not present
@baubakg baubakg added the enhancement New feature or request label Mar 14, 2024
@baubakg baubakg added this to the 2.11.15 milestone Mar 14, 2024
@baubakg baubakg self-assigned this Mar 14, 2024
@baubakg baubakg modified the milestones: 2.11.15, 2.11.16 Mar 18, 2024
@baubakg baubakg changed the title Avoid secrets in the payload Variables in headers : Avoid secrets in the payload May 4, 2024
baubakg added a commit that referenced this issue May 4, 2024
@baubakg
#79 first working commit
bfd29a3
baubakg added a commit that referenced this issue May 4, 2024
@baubakg
Issue #79 Adding rules for errors when a secret has the same name as …
92662a4 
…a callContent
@baubakg baubakg mentioned this issue May 4, 2024
Merged
3 tasks
@baubakg baubakg linked a pull request May 4, 2024 that will close this issue
Issue 79 - Managing secrets and dealing with headers #121
Merged
3 tasks
baubakg added a commit that referenced this issue May 4, 2024
@baubakg
Fixed issue #79. We now have filters, and we allow for header checks
8f9abe3
baubakg added a commit that referenced this issue May 4, 2024
@baubakg
Fixed issue #79. Made a distinction between simple headers and secrets
5724be4
baubakg added a commit that referenced this issue May 4, 2024
@baubakg
#79 renamed properties. Updated docs
555d4cf
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@baubakg baubakg

Labels
enhancement New feature or request
Projects
None yet
Milestone
2.11.16
Development

Successfully merging a pull request may close this issue.

Issue 79 - Managing secrets and dealing with headers adobe/bridgeService
1 participant
@baubakg