-
-
Notifications
You must be signed in to change notification settings - Fork 38
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(netlify): verification for edge middleware #152
Conversation
🦋 Changeset detectedLatest commit: 4ac43a5 The changes in this PR will be included in the next version bump. This PR includes changesets to release 2 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
!preview edge-middleware-verification |
Snapshots have been released for the following packages:
Publish Log
Build Log
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a risky change, and it's not obvious to me what attack vector this protects against. Could you outline that, either here or via email if you feel like it's too sensitive?
This is motivated by the clerk vulnerability. |
Got it, thanks! That looks like a spooky vuln definitely o.O My understanding of the PR is that you want to ensure that the SSR function can only be reached via the Middleware, if there's a middleware configured. I don't think that attack vector exists currently, because the middleware is configured to run on all requests (except for the requests to Image CDN and static assets): adapters/packages/netlify/src/index.ts Line 148 in 7a5c3b0
So there's no way of circumventing the Middleware function. We're already ensuring this works as expected inside of the CDN, I don't think we need another check in the adapter on top of that. Am I missing something here? |
Yeah, looks like Netlify gives us a guard rail, which is great. It would be even better to have a safety net on top of it. |
Your call! If the behaviour is the same across all adapters, then it's fine I guess. |
@Skn0tt I have added you to a private thread in the #netlify channel of the astro discord. You might want to take that into account as well. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pretty sure the changeset is good, but let's have docs take a look ;)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changeset looks great!! 💪
Changes
edgeMiddleware
is enabled, only the edge middleware can call the internal serverless function.Testing
Manual
Docs