Skip to content

feat(raf-993): signing of open payments http payload. #3407

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 5 commits into
base: main
Choose a base branch
from
Draft

feat(raf-993): signing of open payments http payload. #3407

wants to merge 5 commits into from

Conversation

koekiebox
Copy link
Collaborator

Changes proposed in this pull request

Context

Checklist

  • Related issues linked using fixes #number
  • Tests added/updated
  • Make sure that all checks pass
  • Bruno collection updated (if necessary)
  • Documentation issue created with user-docs label (if necessary)
  • OpenAPI specs updated (if necessary)

@koekiebox koekiebox self-assigned this Apr 22, 2025
@github-actions github-actions bot added the type: tests Testing related label Apr 22, 2025
@netlify Netlify
Copy link

netlify bot commented Apr 22, 2025
edited
Loading

Deploy Preview for brilliant-pasca-3e80ec canceled.

Name Link
🔨 Latest commit 7d3c6e5
🔍 Latest deploy log https://app.netlify.com/projects/brilliant-pasca-3e80ec/deploys/68370a4d4e7bb80008b0c3c2

@github-actions GitHub Actions
Copy link

github-actions bot commented Apr 22, 2025
edited
Loading

🚀 Performance Test Results

Test Configuration:

  • VUs: 4
  • Duration: 1m0s

Test Metrics:

  • Requests/s: 41.18
  • Iterations/s: 13.75
  • Failed Requests: 0.00% (0 of 2476)
📜 Logs 

> performance@1.0.0 run-tests:testenv /home/runner/work/rafiki/rafiki/test/performance
> ./scripts/run-tests.sh -e test "-k" "-q" "--vus" "4" "--duration" "1m"

Cloud Nine GraphQL API is up: http://localhost:3101/graphql
Cloud Nine Wallet Address is up: http://localhost:3100/
Happy Life Bank Address is up: http://localhost:4100/
cloud-nine-wallet-test-backend already set
cloud-nine-wallet-test-auth already set
happy-life-bank-test-backend already set
happy-life-bank-test-auth already set
     data_received..................: 864 kB 14 kB/s
     data_sent......................: 1.7 MB 29 kB/s
     http_req_blocked...............: avg=7.23µs   min=2.17µs   med=5.39µs   max=1.69ms   p(90)=6.45µs   p(95)=6.84µs  
     http_req_connecting............: avg=339ns    min=0s       med=0s       max=333.65µs p(90)=0s       p(95)=0s      
     http_req_duration..............: avg=96.51ms  min=8.75ms   med=79.75ms  max=564.7ms  p(90)=172.61ms p(95)=197.41ms
       { expected_response:true }...: avg=96.51ms  min=8.75ms   med=79.75ms  max=564.7ms  p(90)=172.61ms p(95)=197.41ms
     http_req_failed................: 0.00%  ✓ 0         ✗ 2476
     http_req_receiving.............: avg=90.54µs  min=25.22µs  med=78.35µs  max=2.03ms   p(90)=113.27µs p(95)=142.68µs
     http_req_sending...............: avg=36.84µs  min=8.73µs   med=27.95µs  max=5.23ms   p(90)=38.32µs  p(95)=51.5µs  
     http_req_tls_handshaking.......: avg=0s       min=0s       med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting...............: avg=96.38ms  min=8.59ms   med=79.63ms  max=564.59ms p(90)=172.49ms p(95)=197.28ms
     http_reqs......................: 2476   41.175941/s
     iteration_duration.............: avg=290.53ms min=180.05ms med=277.31ms max=1.11s    p(90)=362.47ms p(95)=403.5ms 
     iterations.....................: 827    13.75303/s
     vus............................: 4      min=4       max=4 
     vus_max........................: 4      min=4       max=4

github-advanced-security[bot]
github-advanced-security bot found potential problems Apr 28, 2025
View reviewed changes
test/sign-server/src/app.ts Outdated
Comment on lines 84 to 116
app.post('/http-signature-verify', async function handler(ffReq, ffReply) {
const requestBody = JSON.parse(JSON.stringify(ffReq.body))
if (!validateBodyVerifySignature(requestBody as RequestBodySignatureVerify)) {
return {
statusCode: '400',
body: 'Insufficient data in request body'
}
}
const { method, url, headers, body } = requestBody

if (!headers['signature'] || !headers['signature-input']) {
return {
statusCode: '400',
body: '[signature-input] and/or [signature] headers are missing'
}
}

if (!validateSignatureHeaders({
method,
url,
headers,
body
})) {
return {
statusCode: '401',
body: 'Signature verification failed'
}
}

ffReply.code(200).send({
signatureVerified: true
})
})

Check failure

Code scanning / CodeQL

Missing rate limiting High test

This route handler performs
authorization
Loading
, but is not rate-limited.
github-advanced-security[bot]
github-advanced-security bot found potential problems May 28, 2025
View reviewed changes
test/sign-server/src/app.ts
Comment on lines +197 to +199
const interactResponse = await fetch(startInteractionUrl, {
redirect: 'manual' // dont follow redirects
})

Check failure

Code scanning / CodeQL

Server-side request forgery Critical test

The
URL
Loading
of this request depends on a
user-provided value
Loading
.

Copilot Autofix

AI 4 months ago

To fix the issue, we need to ensure that the startInteractionUrl is validated before being used in the fetch call. The best approach is to implement an allow-list mechanism for acceptable domains or URLs. This ensures that only predefined, trusted URLs can be used, effectively mitigating the SSRF vulnerability.

Steps to fix:

  1. Introduce an allow-list of trusted domains or URLs.
  2. Validate the startInteractionUrl against this allow-list before using it in the fetch call.
  3. Reject requests with invalid or untrusted URLs, returning an appropriate error response.
Suggested changeset 1
test/sign-server/src/app.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/test/sign-server/src/app.ts b/test/sign-server/src/app.ts
--- a/test/sign-server/src/app.ts
+++ b/test/sign-server/src/app.ts
@@ -195,2 +195,12 @@
 
+    // Validate startInteractionUrl
+    const allowedDomains = ['https://trusted-domain.com', 'https://another-trusted-domain.com'];
+    const isValidUrl = allowedDomains.some(domain => startInteractionUrl.startsWith(domain));
+    if (!isValidUrl) {
+      return {
+        statusCode: '400',
+        body: `Invalid startInteractionUrl: '${startInteractionUrl}'`
+      }
+    }
+
     // Start interaction
EOF
@@ -195,2 +195,12 @@

// Validate startInteractionUrl
const allowedDomains = ['https://trusted-domain.com', 'https://another-trusted-domain.com'];
const isValidUrl = allowedDomains.some(domain => startInteractionUrl.startsWith(domain));
if (!isValidUrl) {
return {
statusCode: '400',
body: `Invalid startInteractionUrl: '${startInteractionUrl}'`
}
}

// Start interaction
Copilot is powered by AI and may make mistakes. Always verify output.
test/sign-server/src/app.ts
Comment on lines +214 to +220
const acceptResponse = await fetch(acceptUrl, {
method: 'POST',
headers: {
'x-idp-secret': idpSecret,
cookie
}
})

Check failure

Code scanning / CodeQL

Server-side request forgery Critical test

The
URL
Loading
of this request depends on a
user-provided value
Loading
.

Copilot Autofix

AI 4 months ago

To fix the SSRF vulnerability, we need to ensure that the interactionServer value is validated before it is used to construct the acceptUrl. The best approach is to implement an allow-list of permitted hostnames or base URLs for interactionServer. This ensures that only predefined, trusted values can be used in the outgoing request.

Steps to fix:

  1. Define an allow-list of trusted base URLs for interactionServer.
  2. Validate the interactionServer value against this allow-list before constructing the acceptUrl.
  3. Reject requests with invalid or untrusted interactionServer values.

Changes needed:

  • Add a validation function to check interactionServer against the allow-list.
  • Modify the /consent-interaction handler to validate interactionServer before constructing the URL.
Suggested changeset 1
test/sign-server/src/app.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/test/sign-server/src/app.ts b/test/sign-server/src/app.ts
--- a/test/sign-server/src/app.ts
+++ b/test/sign-server/src/app.ts
@@ -195,2 +195,11 @@
 
+    // Validate interactionServer
+    const allowedServers = ['https://trusted-server1.com', 'https://trusted-server2.com'];
+    if (!allowedServers.includes(interactionServer)) {
+      return {
+        statusCode: '400',
+        body: `Invalid interactionServer: '${interactionServer}'`
+      }
+    }
+
     // Start interaction
EOF
@@ -195,2 +195,11 @@

// Validate interactionServer
const allowedServers = ['https://trusted-server1.com', 'https://trusted-server2.com'];
if (!allowedServers.includes(interactionServer)) {
return {
statusCode: '400',
body: `Invalid interactionServer: '${interactionServer}'`
}
}

// Start interaction
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@koekiebox koekiebox

Labels
type: tests Testing related
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@koekiebox