Skip to content

feat(ocm): Strengthen OCM client security #5389

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
MahdiBaghbani wants to merge 14 commits into
base: master
Choose a base branch
from
Draft

feat(ocm): Strengthen OCM client security #5389

MahdiBaghbani wants to merge 14 commits into from
+437 −45

Conversation

@MahdiBaghbani
Copy link
Member

@MahdiBaghbani MahdiBaghbani commented Nov 1, 2025

This PR is a part of cs3org/OCM-STA#1
This PR depends on the #5385 to be merged first.

Description

This PR introduces security measures to the OCM client to prevent common attack vectors such as SSRF, DNS rebinding, and resource exhaustion attacks. The implementation provides configurable security controls while maintaining backward compatibility with existing code.

@MahdiBaghbani
Copy link
Member Author

MahdiBaghbani commented Nov 1, 2025
edited
Loading

This could be extended to:

reva/internal/grpc/services/ocminvitemanager/ocminvitemanager.go

Line 115 in 0438b84

ocmClient: ocmd.NewClient(time.Duration(c.OCMClientTimeout)*time.Second, c.OCMClientInsecure),

reva/internal/grpc/services/ocmshareprovider/ocmshareprovider.go

Line 132 in 0438b84

ocmcl := ocmd.NewClient(time.Duration(c.ClientTimeout)*time.Second, c.ClientInsecure)

reva/internal/http/services/opencloudmesh/ocmd/shares.go

Line 334 in 0438b84

ocmClient := NewClient(time.Duration(10)*time.Second, true)

so everything can use same defaults or same config

@MahdiBaghbani MahdiBaghbani force-pushed the reva/feature-ocm-security branch from 01aabae to 3caf91d Compare November 1, 2025 19:01
@glpatcern glpatcern marked this pull request as draft November 5, 2025 12:36
@MahdiBaghbani MahdiBaghbani force-pushed the reva/feature-ocm-security branch from 3caf91d to 21dc03b Compare November 5, 2025 17:08
MahdiBaghbani and others added 14 commits November 10, 2025 10:09
@MahdiBaghbani
fix: conflicts
0877d9e 
Signed-off-by: Mahdi Baghbani <mahdi-baghbani@azadehafzar.io>
@MahdiBaghbani
add: explicit empty list
e5c34bf 
Signed-off-by: Mahdi Baghbani <mahdi-baghbani@azadehafzar.io>
@glpatcern @MahdiBaghbani
Unneeded
e2bf344
@glpatcern @MahdiBaghbani
Added capability
4ec5280
@MahdiBaghbani @butonic
add: @butonic recommendations
573143b 
Co-authored-by: Jörn Friedrich Dreyer <jfd@butonic.de>
Signed-off-by: Mahdi Baghbani <mahdi-baghbani@azadehafzar.io>
@MahdiBaghbani
fix: OCM client configurability
532622e 
Instead of creating a client each time a function is called, create client once

Signed-off-by: Mahdi Baghbani <mahdi-baghbani@azadehafzar.io>
@MahdiBaghbani
add: ocm spec appendix C compliance
1d5c050 
@glpatcern recommendations
moved types to spec.go
used directory urls instead of a file

Signed-off-by: Mahdi Baghbani <mahdi-baghbani@azadehafzar.io>
@MahdiBaghbani
fix: log levels, less warns, more debugs
66ecdad 
Signed-off-by: Mahdi Baghbani <mahdi-baghbani@azadehafzar.io>
@MahdiBaghbani
add: use standard libraries for url manipulation
3006b1a 
as per @glpatcern recommendations

Also return 404 if the remote EFSS doesn't provide an
inviteAcceptDialog

Signed-off-by: Mahdi Baghbani <mahdi-baghbani@azadehafzar.io>
@MahdiBaghbani
add: initial security measures for ocm client
ae3d4d9 
Signed-off-by: Mahdi Baghbani <mahdi-baghbani@azadehafzar.io>
@MahdiBaghbani
refactor: discover() method into a generic function
48c6035 
New function works for any OCM GET endpoint
and can be used by other functions.

Signed-off-by: Mahdi Baghbani <mahdi-baghbani@azadehafzar.io>
@MahdiBaghbani
add: load config from file and apply default
f7ea8fb 
Signed-off-by: Mahdi Baghbani <mahdi-baghbani@azadehafzar.io>
@MahdiBaghbani
add: changelog
8606d73 
Signed-off-by: Mahdi Baghbani <mahdi-baghbani@azadehafzar.io>
@MahdiBaghbani
fix: linter
c7a2579 
Signed-off-by: Mahdi Baghbani <mahdi-baghbani@azadehafzar.io>
@MahdiBaghbani MahdiBaghbani force-pushed the reva/feature-ocm-security branch from 21dc03b to c7a2579 Compare November 10, 2025 10:11
@MahdiBaghbani MahdiBaghbani mentioned this pull request Nov 11, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@glpatcern glpatcern Awaiting requested review from glpatcern glpatcern is a code owner

@diocas diocas Awaiting requested review from diocas diocas is a code owner

@jessegeens jessegeens Awaiting requested review from jessegeens jessegeens is a code owner

@rawe0 rawe0 Awaiting requested review from rawe0 rawe0 will be requested when the pull request is marked ready for review rawe0 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@MahdiBaghbani @glpatcern