Check detectors and relative paths before proto from X-Terraform-Get #370
Conversation
When checking for an unexpected protocol switch via X-Terraform-Get, we first must run the configured detectors and check for a relative request path, since X-Terraform-Get is not required to return a valid URL.
jbardin
force-pushed
the
jbardin/protocol-check
branch
from
5d29c21 to
28c40be
Compare
nywilken
left a comment
nywilken
left a comment
There was a problem hiding this comment.
The changes look good to me. I have a couple of questions on the handling of sub directory and relative path requests. I'm approving in advance in case my questions are just due to my gaps of knowledge around go-getter.
But feel free to ping me again for another review if the questions result in a change.
get_http.go
Outdated
| var opts []ClientOption | ||
| if subDir != "" { | ||
| // We have a subdir, time to jump some hoops | ||
| return g.getSubdir(ctx, dst, source, subDir) |
There was a problem hiding this comment.
I was a little confused about the call to getSubdir the first time I read this code. Is the source being used here the value returned from the X-Terraform-Get header?
If so, would we not want to run the protocol switch check before returning? Or will this be handled in the final call to Get that is made in the getSubdir function?
There was a problem hiding this comment.
That's a good question. While the PR looks big because I dropped a level of indentation by returning early, I left the overall logic the same. I think you may be right that a subdir would bypass the the protocol checks since it goes on to call Get just like below -- I'll follow up with a refactor of getSubdir so we can pass in the same options
There was a problem hiding this comment.
The new proto checks were bypassed by the addition of a subdirectory component to the url. I refactored this a bit to move the getSubdir call after the checks, and pass in the same options we would use for Get.
| } | ||
|
|
||
| protocol := "" | ||
| // X-Terraform-Get allows paths relative to the previous request too, |
There was a problem hiding this comment.
For my knowledge in the case of a relative path request how does go-getter know the url used in the previous request? I don't see it being passed into the next Get request.
There was a problem hiding this comment.
I don't think relative paths actually work in this mode, but I added the check for completeness, and so that we can return any intended error later, rather than a more confusing no getter available message.
Use the same protocol switching checks when there's a subdir, passing the limited set of getters if there is wrapping client.
| // If there's a subdirectory, we will also need a file getter to | ||
| // unpack it. | ||
| opts = append(opts, WithGetters(map[string]Getter{ | ||
| "file": new(FileGetter), |
There was a problem hiding this comment.
@picatz pinging for visibility as the need changes the mental model a little.
There was a problem hiding this comment.
Thank you for the ping!
The intent for this original check was to totally prevent the HttpGetter from allowing cross-protocol switching unless the getter was already supported by a Client. I understand the reasoning for the FileGetter with a subdirectory component, but I hate this is allowed at all. It has the potential to be dangerous, and generally not desirable from a security standpoint.
Thankfully, I don't think it would cause problems for Nomad, who explicitly disable the FileGetter because it's dangerous in their context. They use a Client directly. But I could see this causing problems in other contexts. Likely outside of HashiCorp.
I would much rather this be a new option on the HttpGetter, rather than be implicitly allowed by default. Maybe something like:
httpGetter := &HttpGetter{
AllowFileGetterForSubDirectoryComponent: true,
}What do you think? Would that be an acceptable solution?
There was a problem hiding this comment.
To be clear, this is more limiting than the current release, since getSubdir was falling back to all the default getters. We can't really change this in version 1, since it's a breaking change. While X-Terraform-Get probably shouldn't have been so liberal in spec, the protocol does define any valid go-getter source string is a valid value, including subdirectories. I think the only valid way to avoid this is to disable X-Terraform-Get, which we have an option for already.
There was a problem hiding this comment.
To be clear getSubdir was falling back to all default getters when using the HttpGetter directly?
Aside from that clarification: I think I agreed with you, that disabling X-Terraform-Get would generally be the "right" solution, as opposed to an additional option.
There was a problem hiding this comment.
4 participants
When checking for an unexpected protocol switch via X-Terraform-Get, we
first must run the configured detectors and check for a relative request
path, since X-Terraform-Get is not required to return a valid URL.
Fixes #368