
Commit 103d58d

committed
Backport changes to auth server API output (remove potentially unsafe output).
Verify that auth server exists before returning information. Verify API exists before returning Swagger JSON.
1 parent 1efadea commit 103d58d

3 files changed

Lines changed: 88 additions & 35 deletions


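--- a/src/api/routes/authServers.js
+++ b/src/api/routes/authServers.js
@@ -76,6 +76,24 @@ authServers.getAuthServer = function (app, res, loggedInUserId, serverId) {
 } else {
 authServer.data.config = {};
 }
+
+// The above was the API configuration of the auth server itself,
+// now we also want to remove the configuration of the auth methods.
+if (authServer.data.authMethods && Array.isArray(authServer.data.authMethods)) {
+for (let i = 0; i < authServer.data.authMethods.length; ++i) {
+const authMethod = authServer.data.authMethods[i];
+if (authMethod.config) {
+authMethod.config = {
+authorizeEndpoint: authMethod.config.authorizeEndpoint,
+tokenEndpoint: authMethod.config.tokenEndpoint,
+profileEndpoint: authMethod.config.profileEndpoint,
+};
+}
+}
+} else {
+// Let's default to something really not containing anything at all.
+authServer.data.authMethods = [];
+}
 } else {
 debug(`getAuthServer(${serverId}), logged in User is ADMIN, returning all data`);
 }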
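Review bot: The allowlist at new lines 86-90 rewrites `authMethod.config` in place; if `authServer` is the instance cached by `utils.loadAuthServer` rather than a copy, the stripped config is also what the next caller, including an admin, will see. `authServers.getAuthServer` starts outside this hunk, so whether a clone is taken earlier cannot be confirmed from here and is worth checking. Stylistically, `authServer.data.authMethods && Array.isArray(...)` is just `Array.isArray(authServer.data.authMethods)`, and the index loop reads more clearly as `for (const authMethod of authServer.data.authMethods)`. A one-line comment would help keep this an allowlist rather than a denylist in future edits: `// Allowlist: only the public endpoint URLs of each auth method are exposed to non-admins.`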

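--- a/src/api/routes/utils.js
+++ b/src/api/routes/utils.js
@@ -342,6 +342,16 @@ utils.loadAuthServer = function (serverId) {
 debug(`loadAuthServer(${serverId})`);
 
 if (!_authServers[serverId]) {
+const authServerNames = utils.loadAuthServerNames();
+if (authServerNames.indexOf(serverId) < 0) {
+debug('Unknown auth-server: ' + serverId);
+_authServers[serverId] = {
+name: serverId,
+exists: false
+};
+return _authServers[serverId];
+}
+
 const staticDir = utils.getStaticDir();
 const authServerFileName = path.join(staticDir, 'auth-servers', serverId + '.json');
 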
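Review bot: The not-found branch at new lines 348-352 stores an entry in `_authServers` for every unknown `serverId` that is asked for, so if `serverId` comes from the request path, repeated requests with distinct made-up ids grow the cache without bound. Since `loadAuthServerNames()` already decides existence, the negative result can be returned without caching: `return { name: serverId, exists: false };`. If `_authServers` is a plain object (its declaration is outside this hunk), the `!_authServers[serverId]` guard on line 344 also sees inherited properties for keys such as `constructor`, so `Object.hasOwn(_authServers, serverId)` or a `Map` would be the safer cache check, and `!authServerNames.includes(serverId)` reads better than `indexOf(...) < 0`. The rest of `utils.loadAuthServer` continues outside the hunk.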
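--- a/src/ui/routes/apis.js
+++ b/src/ui/routes/apis.js
@@ -351,48 +351,73 @@ const corsOptionsDelegate = function (req, callback) {
 callback(null, corsOptions);
 };
 
+let apiList = null;
+const getApiList = function (callback) {
+debug('getApiList()');
+if (apiList)
+return callback(null, apiList);
+debug('Retrieving API list via wicked SDK.');
+wicked.getApis((err, apis) => {
+if (err)
+return callback(err);
+apiList = apis;
+callback(null, apiList);
+});
+};
+
 router.get('/:api/swagger', cors(corsOptionsDelegate), function (req, res, next) {
 debug("get('/:api/swagger')");
-const apiId = req.params.api;
+// Make sure we are asking for an existing API
+getApiList((err, apis) => {
+const apiId = req.params.api;
 
-const apiCallback = function (err, swaggerJson) {
-if (err)
+// Does it exist?
+if (!apis.apis.find(api => api.id === apiId)) {
+// No, it does not. Return a 404.
+const err = new Error(`API ${apiId} not found`);
+err.status = 404;
 return next(err);
-// Pipe it
-return res.json(swaggerJson);
-};
-
-// Let's call the API, it has all the data we need.
-const swaggerUri = '/apis/' + apiId + '/swagger';
+}
 
-// Do we have a forUser query parameter?
-let forUser = req.query.forUser;
-if (!/^[a-z0-9]+$/.test(forUser)) {
-debug("get('/:api/swagger') - invalid forUser used: " + forUser);
-forUser = null;
-}
-if (forUser) {
-utils.getAsUser(req, swaggerUri, forUser, apiCallback);
-} else {
-utils.get(req, swaggerUri, function (err, apiResponse, apiBody) {
+const apiCallback = function (err, swaggerJson) {
 if (err)
 return next(err);
-if (apiResponse.statusCode !== 200) {
-const err = new Error(`Could not retrieve Swagger JSON, unexpected status code ${apiResponse.statusCode}`);
-err.status = apiResponse.statusCode;
-return next(err);
-}
-try {
-const swaggerJson = utils.getJson(apiBody);
-return apiCallback(null, swaggerJson);
-} catch (ex) {
-error(ex);
-const err = new Error(`Swagger: Could not parse JSON body, error: ${ex.message}`);
-err.status = 500;
-return next(err);
-}
-});
-}
+// Pipe it
+return res.json(swaggerJson);
+};
+
+// Let's call the API, it has all the data we need.
+const swaggerUri = '/apis/' + apiId + '/swagger';
+
+// Do we have a forUser query parameter?
+let forUser = req.query.forUser;
+if (!/^[a-z0-9]+$/.test(forUser)) {
+debug("get('/:api/swagger') - invalid forUser used: " + forUser);
+forUser = null;
+}
+if (forUser) {
+utils.getAsUser(req, swaggerUri, forUser, apiCallback);
+} else {
+utils.get(req, swaggerUri, function (err, apiResponse, apiBody) {
+if (err)
+return next(err);
+if (apiResponse.statusCode !== 200) {
+const err = new Error(`Could not retrieve Swagger JSON, unexpected status code ${apiResponse.statusCode}`);
+err.status = apiResponse.statusCode;
+return next(err);
+}
+try {
+const swaggerJson = utils.getJson(apiBody);
+return apiCallback(null, swaggerJson);
+} catch (ex) {
+error(ex);
+const err = new Error(`Swagger: Could not parse JSON body, error: ${ex.message}`);
+err.status = 500;
+return next(err);
+}
+});
+}
+});
 }); // /apis/:apiId/swagger
 
 module.exports = router;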
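Review bot: The callback handed to `getApiList` at new line 371 ignores its `err` argument: when `wicked.getApis` fails, `apis` is undefined and `apis.apis.find(...)` on line 375 throws inside an asynchronous callback, where the router cannot catch it and hand it to `next()`. Add `if (err) return next(err);` as the first statement of that callback. Separately, `apiList` is filled once and never invalidated, so an API registered after start-up would be answered with the new 404 until the process restarts; if that is intended, a comment on line 354 such as `// Cached for the process lifetime; restart to pick up newly registered APIs.` would make it explicit. The `forUser` validation (lines 394-397) was moved rather than changed, but `/^[a-z0-9]+$/.test(undefined)` tests the string "undefined" and passes; only the following truthiness check keeps that harmless.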
