From 16c716493252519148f4d09c3f243e279556ce1c Mon Sep 17 00:00:00 2001
From: wangkx
Date: Tue, 19 Sep 2023 14:13:38 -0400
Subject: [PATCH] HPCC-30080 Not access restricted resources for Unrestricted call

A user may use several URL parameters (ex. wsdl) to retrieve Unrestricted resources (the xsd files, wsdl files, and sample files in Open sources). The code is added to block the access to other resources.

Signed-off-by: wangkx
---
 esp/bindings/http/platform/httpbinding.cpp | 52 ++++++++++++++--------
 esp/bindings/http/platform/httpbinding.hpp | 2 +
 esp/bindings/http/platform/httpservice.cpp | 7 +++
 3 files changed, 43 insertions(+), 18 deletions(-)

diff --git a/esp/bindings/http/platform/httpbinding.cpp b/esp/bindings/http/platform/httpbinding.cpp
index 15c184dcfd0..df0e31a5035 100644
--- a/esp/bindings/http/platform/httpbinding.cpp
+++ b/esp/bindings/http/platform/httpbinding.cpp
@@ -1136,6 +1136,40 @@ void EspHttpBinding::handleHttpPost(CHttpRequest *request, CHttpResponse *respon
 addToESPCache(cacheClient, request, response, cacheID.str(), cacheSeconds);
 }
 
+int EspHttpBinding::onGetUnrestricted(CHttpRequest* request, CHttpResponse* response,
+ const char *serviceName, const char *methodName, sub_service sstype)
+{
+ IEspContext& context = *request->queryContext();
+ LogLevel level = getEspLogLevel(&context);
+ if (level >= LogNormal)
+ DBGLOG("EspHttpBinding::onGetUnrestricted");
+
+ response->setVersion(HTTP_VERSION);
+ response->addHeader("Expires", "0");
+ response->setStatus(HTTP_STATUS_OK);
+
+ // adjust version if necessary
+ if (m_defaultSvcVersion.get() && !context.queryRequestParameters()->queryProp("ver_"))
+ context.setClientVersion(atof(m_defaultSvcVersion));
+
+ switch (sstype)
+ {
+ case sub_serv_xsd:
+ return onGetXsd(context, request, response, serviceName, methodName);
+ case sub_serv_wsdl:
+ return onGetWsdl(context, request, response, serviceName, methodName);
+ case sub_serv_reqsamplexml:
+ return onGetReqSampleXml(context, request, response, serviceName, methodName);
+ case sub_serv_respsamplexml:
+ return onGetRespSampleXml(context, request, response, serviceName, methodName);
+ case sub_serv_respsamplejson:
+ return onGetRespSampleJson(context, request, response, serviceName, methodName);
+ case sub_serv_reqsamplejson:
+ return onGetReqSampleJson(context, request, response, serviceName, methodName);
+ }
+ return 0;
+}
+
 int EspHttpBinding::onGet(CHttpRequest* request, CHttpResponse* response)
 {
 IEspContext& context = *request->queryContext();
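Review bot: The `switch (sstype)` in `onGetUnrestricted` has no `default:`, so any sub_service value that `isUnrestrictedSSType` admits but this switch does not (the two lists live in different places and can drift apart) falls through to `return 0;` after `HTTP_STATUS_OK` has already been set, yielding an empty 200 response. A `default:` that logs the unexpected `sstype` and sets a non-success status before returning would make such drift visible rather than silent. The function also lacks a header comment stating its contract; something like `// Dispatched ahead of the normal onGet path for unrestricted resources only (xsd, wsdl, sample files); do not add handlers that expose anything else.` would record what the httpservice caller relies on.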
@@ -1169,13 +1203,7 @@ int EspHttpBinding::onGet(CHttpRequest* request, CHttpResponse* response)
 case sub_serv_main:
 case sub_serv_index:
 case sub_serv_xform:
- case sub_serv_xsd:
- case sub_serv_wsdl:
 case sub_serv_soap_builder:
- case sub_serv_reqsamplexml:
- case sub_serv_respsamplexml:
- case sub_serv_respsamplejson:
- case sub_serv_reqsamplejson:
 context.setClientVersion(atof(m_defaultSvcVersion));
 default:
 
@@ -1211,24 +1239,12 @@ int EspHttpBinding::onGet(CHttpRequest* request, CHttpResponse* response)
 return onGetXForm(context, request, response, serviceName.str(), methodName.str());
 case sub_serv_result:
 return onGetResult(context, request, response, serviceName.str(), methodName.str(), pathEx.str());
- case sub_serv_wsdl:
- return onGetWsdl(context, request, response, serviceName.str(), methodName.str());
- case sub_serv_xsd:
- return onGetXsd(context, request, response, serviceName.str(), methodName.str());
 case sub_serv_instant_query:
 return onGetInstantQuery(context, request, response, serviceName.str(), methodName.str());
 case sub_serv_soap_builder:
 return onGetSoapBuilder(context, request, response, serviceName.str(), methodName.str());
 case sub_serv_json_builder:
 return onGetJsonBuilder(context, request, response, serviceName.str(), methodName.str());
- case sub_serv_reqsamplexml:
- return onGetReqSampleXml(context, request, response, serviceName.str(), methodName.str());
- case sub_serv_respsamplexml:
- return onGetRespSampleXml(context, request, response, serviceName.str(), methodName.str());
- case sub_serv_respsamplejson:
- return onGetRespSampleJson(context, request, response, serviceName.str(), methodName.str());
- case sub_serv_reqsamplejson:
- return onGetReqSampleJson(context, request, response, serviceName.str(), methodName.str());
 case sub_serv_query:
 return onGetQuery(context, request, response, serviceName.str(), methodName.str());
 case sub_serv_file_upload:
diff --git a/esp/bindings/http/platform/httpbinding.hpp b/esp/bindings/http/platform/httpbinding.hpp
index 93821268e5b..a52123bb0c8 100644
--- a/esp/bindings/http/platform/httpbinding.hpp
+++ b/esp/bindings/http/platform/httpbinding.hpp
@@ -92,6 +92,7 @@ interface IEspHttpBinding
 virtual int onGetSoapBuilder(IEspContext &context, CHttpRequest* request, CHttpResponse* response, const char *serv, const char *method)=0;
 virtual int onGetJsonBuilder(IEspContext &context, CHttpRequest* request, CHttpResponse* response, const char *serv, const char *method)=0;
 virtual int onGetReqSampleXml(IEspContext &context, CHttpRequest* request, CHttpResponse* response, const char *serv, const char *method)=0;
+ virtual int onGetUnrestricted(CHttpRequest* request, CHttpResponse* response, const char *serviceName, const char *methodName, sub_service sstype)=0;
 virtual int onGetRespSampleXml(IEspContext &context, CHttpRequest* request, CHttpResponse* response, const char *serv, const char *method)=0;
 virtual int onGetRespSampleJson(IEspContext &context, CHttpRequest* request, CHttpResponse* response, const char *serv, const char *method)=0;
 virtual int onGetReqSampleJson(IEspContext &context, CHttpRequest* request, CHttpResponse* response, const char *serv, const char *method)=0;
@@ -325,6 +326,7 @@ class esp_http_decl EspHttpBinding :
 return onGet(request, response);
 }
 
+ virtual int onGetUnrestricted(CHttpRequest* request, CHttpResponse* response, const char *serviceName, const char *methodName, sub_service sstype);
 virtual int onGetReqSampleXml(IEspContext &context, CHttpRequest* request, CHttpResponse* response, const char *serv, const char *method);
 virtual int onGetRespSampleXml(IEspContext &context, CHttpRequest* request, CHttpResponse* response, const char *serv, const char *method);
 virtual int onGetRespSampleJson(IEspContext &context, CHttpRequest* request, CHttpResponse* response, const char *serv, const char *method);
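Review bot: The new pure virtual `onGetUnrestricted` on `IEspHttpBinding` carries no comment, although it is the one entry point the httpservice caller dispatches to without going through `onGet`; any other implementer of the interface outside this diff must now define it to compile, and whether such implementers exist is not visible here. A Doxygen line on the declaration would record the contract, e.g. `/// Serves unrestricted resources (xsd, wsdl, sample files) ahead of the normal onGet path; sstype must satisfy isUnrestrictedSSType.` The same note applies to the `EspHttpBinding` override in the second hunk.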
diff --git a/esp/bindings/http/platform/httpservice.cpp b/esp/bindings/http/platform/httpservice.cpp
index 361252493c0..a15bb95593d 100644
--- a/esp/bindings/http/platform/httpservice.cpp
+++ b/esp/bindings/http/platform/httpservice.cpp
@@ -406,6 +406,13 @@ int CEspHttpServer::processRequest()
 
 if (thebinding!=NULL)
 {
+ if (thebinding->isUnrestrictedSSType(stype))
+ {
+ thebinding->onGetUnrestricted(m_request.get(), m_response.get(), serviceName.str(), methodName.str(), stype);
+ ctx->addTraceSummaryTimeStamp(LogMin, "handleHttp");
+ return 0;
+ }
+
 if(stricmp(method.str(), POST_METHOD)==0)
 thebinding->handleHttpPost(m_request.get(), m_response.get());
 else if(!stricmp(method.str(), GET_METHOD))
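Review bot: The unrestricted dispatch sits before the POST/GET method test, so a request whose `stype` is unrestricted is handed to `onGetUnrestricted` for any HTTP method, whereas the cases removed from `onGet` in httpbinding.cpp were presumably reachable only through the GET branch below. Guarding the branch with the method, `if (thebinding->isUnrestrictedSSType(stype) && !stricmp(method.str(), GET_METHOD))`, keeps this pre-authentication path no wider than the one it replaces. The int returned by `onGetUnrestricted` is discarded here, so if the handlers report failure through it the caller cannot react. Whether `processRequest` performs any authentication before this point is not visible; the function starts and ends outside the hunk.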