Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make sure file proxy endpoint only serves JSON or YAML #417

Merged
merged 1 commit into from
Oct 28, 2024
Merged

Make sure file proxy endpoint only serves JSON or YAML #417

merged 1 commit into from
Oct 28, 2024

Conversation

ulrikandersen
Copy link
Contributor

@ulrikandersen ulrikandersen commented Oct 25, 2024
edited
Loading

Description

This PR adds logic to the /api/proxy endpoint which ensures we only serve valid JSON or YAML.

Motivation and Context

This important because we could otherwise risk serving HTML which may contain malicious JavaScript (XSS).

The file's text is parsed using the yaml library. If it is parsed correctly we return the file's text. If not we return an error.

We can parse both JSON and YAML it using the yaml library because JSON is a subset of YAML.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

simonbs
simonbs approved these changes Oct 28, 2024
View reviewed changes
Copy link
Contributor

@simonbs simonbs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀

@ulrikandersen
Make sure file proxy endpoint only serves JSON or YAML
30d3a0b 
Does so by parsing the file's text using the yaml library. If it is parsed correctly we return the file's text. If not we return an error.
@ulrikandersen ulrikandersen force-pushed the fix/make-sure-proxy-only-serves-json-or-yaml branch from 81744ee to 30d3a0b Compare October 28, 2024 08:25
@ulrikandersen ulrikandersen merged commit d30afb0 into develop Oct 28, 2024
7 checks passed
@ulrikandersen ulrikandersen deleted the fix/make-sure-proxy-only-serves-json-or-yaml branch October 28, 2024 08:28
This was referenced Oct 28, 2024
Merged
Merged
@simonbs simonbs requested a review from Copilot November 19, 2024 19:41
Copilot
Copilot AI reviewed Nov 19, 2024
View reviewed changes

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 1 out of 1 changed files in this pull request and generated no suggestions.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot Copilot left review comments

@simonbs simonbs simonbs approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ulrikandersen @simonbs