Allow list fixing header injection in OkapiFeignClientExceptionHandler

Description

OkapiFeignClientExceptionHandler passes all response headers from Okapi through to the client; only headers whose names start with x-okapi are excluded:
https://github.com/folio-org/edge-fqm/blob/ada57ccb6f8a244cb86cacecc89630996b910d27/src/main/java/org/folio/fqm/edge/client/config/OkapiFeignClientExceptionHandler.java

This may pass sensitive headers, for example:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Content-Encoding: br
X-Okapi-Token: akjshdjkshad.asjdhjshdj.asjkldhsd

Passing Content-Encoding is wrong. There are two different HTTP connections that may use different encodings based on the capabilities of the two endpoints: client <-> edge-fqm, and edge-fqm <-> Okapi. It is possible that Okapi uses br encoding that the client doesn't support, so edge-fqm receives the body in one encoding and has to send it to the client in another; forwarding the upstream Content-Encoding header then mislabels the body the client actually receives.

X-Okapi-Token is passed because the filter only matches the lower-case x-okapi-token, although HTTP header names are case-insensitive.

There is no complete list of sensitive headers, so a deny list cannot be made complete either.

FOLIO tries to mitigate header injection by only using allow lists instead: https://folio-org.atlassian.net/issues/?jql=summary%20~%20header%20and%20labels%20%3D%20security

The Content-Type header should be passed. Can it be the single entry of the allow list, or are there other headers the client needs?
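The allow-list approach the description asks for, as an added example that is not code from edge-fqm: it works on plain java.util collections rather than the Feign or Spring types the real handler uses, and the class name ResponseHeaderFilter, the Map<String, Collection<String>> header shape and the sample header values are assumptions. The deny-list method is included only to show what the current behaviour forwards.

```java
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class ResponseHeaderFilter {

    // The allow list, kept in lower case. Content-Type is the only entry the
    // issue names; anything else must be added deliberately, never by default.
    private static final Set<String> FORWARDED_HEADERS = Set.of("content-type");

    /**
     * Deny-list behaviour as described in the issue: forward everything except
     * names that start with the literal, lower-case "x-okapi". Shown here only
     * to make the leak visible.
     */
    static Map<String, Collection<String>> denyListFilter(Map<String, Collection<String>> upstream) {
        Map<String, Collection<String>> forwarded = new LinkedHashMap<>();
        upstream.forEach((name, values) -> {
            if (name != null && !name.startsWith("x-okapi")) {
                forwarded.put(name, values);
            }
        });
        return forwarded;
    }

    /**
     * Allow-list filter: a header is forwarded only if its name, compared
     * case-insensitively (HTTP header names are case-insensitive), is listed.
     * Everything not listed is dropped, whatever its casing.
     */
    static Map<String, Collection<String>> allowListFilter(Map<String, Collection<String>> upstream) {
        Map<String, Collection<String>> forwarded = new LinkedHashMap<>();
        upstream.forEach((name, values) -> {
            if (name != null && FORWARDED_HEADERS.contains(name.toLowerCase(Locale.ROOT))) {
                forwarded.put(name, values);
            }
        });
        return forwarded;
    }

    public static void main(String[] args) {
        // Constructed upstream response headers, modelled on the examples in
        // the issue; the credential and token values are placeholders.
        Map<String, Collection<String>> upstream = new LinkedHashMap<>();
        upstream.put("Content-Type", List.of("application/json"));
        upstream.put("Authorization", List.of("Basic <constructed-credentials>"));
        upstream.put("Content-Encoding", List.of("br"));
        upstream.put("X-Okapi-Token", List.of("<constructed-token>"));
        upstream.put("x-okapi-token", List.of("<constructed-token>"));

        System.out.println("deny list forwards:  " + denyListFilter(upstream).keySet());
        System.out.println("allow list forwards: " + allowListFilter(upstream).keySet());
    }
}
```

With the sample map, denyListFilter forwards Content-Type, Authorization, Content-Encoding and X-Okapi-Token and drops only the lower-case x-okapi-token, which is exactly the leak the issue describes; allowListFilter forwards Content-Type alone. Extending the allow list means adding a lower-case name to FORWARDED_HEADERS, so every new passthrough is an explicit decision rather than something that happens because nobody thought to deny it.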

CSP Request Details

None

CSP Rejection Details

None

Potential Workaround

None

Attachments

3

Activity

Emma_Haroyan, October 17, 2023 at 10:56 AM

I was able to check using the same API request; it seems it works already.

If I got the meaning of the ticket correctly, works as expected

Matt Weaver, October 12, 2023 at 12:20 PM (Edited)

The edge module still isn't running in corsair-int, but this should be testable in folio-snapshot now (and maybe our rancher env, but I'm not sure. I don't think anyone's tried to use the edge module there yet). Honestly, I'd probably try and avoid corsair-int, since it's been so unstable.

Matt Weaver, October 5, 2023 at 6:38 PM

That looks like the correct URL to me, but it sounds like the edge module is still down in corsair-int. Bobby is working on fixing it now.

Emma_Haroyan, October 5, 2023 at 6:30 PM

Is this API request correct? Maybe I use an incorrect URL: https://ofrm-lb-edge-775310054.us-west-2.elb.amazonaws.com/query (method is POST).

Matt Weaver, October 5, 2023 at 5:50 PM

I believe we had some environment issues yesterday in the corsair integration environment, so we might need to test this one in another environment if the edge module is still down in corsair-int.

Done

Details

Development Team

Corsair

Release

Poppy (R2 2023)

RCA Group

Implementation coding issue

Affected releases

Poppy (R2 2023)

Created September 21, 2023 at 6:43 PM
Updated October 17, 2023 at 12:47 PM
Resolved October 17, 2023 at 12:47 PM