Allow for customised content-type validation #80906

pgomulka · 2021-11-22T15:59:55Z

In order to support additional media types in request body a custom
validation has to be supported.
This commit moves validation from RestController to RestHandler
interface (default) and allows new RestHandler implementations to
provide its custom implementation

closes #80482

Have you signed the contributor license agreement?
Have you followed the contributor guidelines?
If submitting code, have you built your formula locally prior to submission with gradle check?
If submitting code, is your pull request against master? Unless there is a good reason otherwise, we prefer pull requests against master and will backport as needed.
If submitting code, have you checked that your submission is for an OS and architecture that we support?
If you are submitting this code for a class then read our policy for that.

In order to support additional media types in request body a custom validation has to be supported. This commit moves validation from RestController to RestHandler interface (default) and allows new RestHandler implementations to provide its custom implementation closes elastic#80482

…_validation

pgomulka · 2021-11-23T14:12:37Z

@elasticmachine update branch

…asticsearch into custom_media_type_validation

pgomulka · 2022-01-17T09:39:13Z

@elasticmachine update branch

elasticmachine · 2022-01-17T10:41:39Z

Pinging @elastic/es-core-infra (Team:Core/Infra)

elasticsearchmachine · 2022-01-17T10:43:16Z

Hi @pgomulka, I've created a changelog YAML for you.

grcevski · 2022-01-17T18:29:43Z

server/src/main/java/org/elasticsearch/rest/RestHandler.java

@@ -76,8 +73,8 @@ default boolean allowSystemIndexAccessByDefault() {
        return false;
    }

-    default MediaTypeRegistry<? extends MediaType> validAcceptMediaTypes() {
-        return XContentType.MEDIA_TYPE_REGISTRY;


Just for my own learning, was nobody using this interface method before? Do we need to still report somewhere that the default supported media type is MEDIA_TYPE_REGISTRY?

yes, it was not used. I added it in #64406 (comment) (see the description) but the validation of Accept header was never implemented.
In fact, the mediaTypesValid added in this PR could be used for this.
The goal of this PR is to make it less strict though - to allow RestHandlers which intentionally want to implement their own Content-Type validation

grcevski

LGTM!

tvernum · 2022-01-27T05:33:29Z

@pgomulka On the original issue we discussed maintaining CSRF protection by continuing to reject any of the safelisted content types.

It doesn't look like this PR does that. Was that intentional?

pgomulka · 2022-01-27T08:17:39Z

great find @tvernum . It wasn't intentional, it was a while when I read the discussion and assumed the PR was ready.
I missed that the explicit check for XContentType values on Content-Type header was preventing the safelisted to be sent.. I will follow up in a new PR to fix this.
thanks again!

The commit to allow custom media types validation accidentally allowed for CSRF. The rules for media types which should be rejected on content-type were mentioned here PR that introduced a bug: #80906 the comment that describes safelisted media types to be rejected #80482 (comment)

The commit to allow custom media types validation accidentally allowed for CSRF. The rules for media types which should be rejected on content-type were mentioned here PR that introduced a bug: elastic#80906 the comment that describes safelisted media types to be rejected elastic#80482 (comment)

pgomulka added the WIP label Nov 22, 2021

pgomulka self-assigned this Nov 22, 2021

elasticsearchmachine added the v8.1.0 label Nov 22, 2021

pgomulka added 2 commits November 22, 2021 17:06

Merge remote-tracking branch 'upstream/master' into custom_media_type…

14af64b

…_validation

fix default method

4260232

elasticmachine and others added 3 commits November 23, 2021 06:12

Merge branch 'master' into custom_media_type_validation

ce360c7

avoid possible npe

5cf315b

Merge branch 'custom_media_type_validation' of github.com:pgomulka/el…

d56f3ef

…asticsearch into custom_media_type_validation

Merge branch 'master' into custom_media_type_validation

8f70c28

pgomulka marked this pull request as ready for review January 17, 2022 10:41

pgomulka added :Core/Infra/REST API REST infrastructure and utilities and removed WIP labels Jan 17, 2022

elasticmachine added the Team:Core/Infra Meta label for core/infra team label Jan 17, 2022

pgomulka added the >enhancement label Jan 17, 2022

Update docs/changelog/80906.yaml

bec9d69

grcevski reviewed Jan 17, 2022

View reviewed changes

grcevski approved these changes Jan 24, 2022

View reviewed changes

pgomulka merged commit c8d98cf into elastic:master Jan 25, 2022

pgomulka mentioned this pull request Feb 3, 2022

Do not allow safelisted media types on Content-Type #83448

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Allow for customised content-type validation #80906

Allow for customised content-type validation #80906

pgomulka commented Nov 22, 2021

pgomulka commented Nov 23, 2021

pgomulka commented Jan 17, 2022

elasticmachine commented Jan 17, 2022

elasticsearchmachine commented Jan 17, 2022

grcevski Jan 17, 2022

pgomulka Jan 24, 2022

grcevski left a comment

tvernum commented Jan 27, 2022

pgomulka commented Jan 27, 2022

Allow for customised content-type validation #80906

Allow for customised content-type validation #80906

Conversation

pgomulka commented Nov 22, 2021

pgomulka commented Nov 23, 2021

pgomulka commented Jan 17, 2022

elasticmachine commented Jan 17, 2022

elasticsearchmachine commented Jan 17, 2022

grcevski Jan 17, 2022

Choose a reason for hiding this comment

pgomulka Jan 24, 2022

Choose a reason for hiding this comment

grcevski left a comment

Choose a reason for hiding this comment

tvernum commented Jan 27, 2022

pgomulka commented Jan 27, 2022