Allow for customised content-type validation #80906
Conversation
In order to support additional media types in the request body, a custom validation has to be supported. This commit moves validation from RestController to the RestHandler interface (default) and allows new RestHandler implementations to provide their custom implementation. Closes elastic#80482
@elasticmachine update branch
…asticsearch into custom_media_type_validation
@elasticmachine update branch
Pinging @elastic/es-core-infra (Team:Core/Infra)
Hi @pgomulka, I've created a changelog YAML for you.
@@ -76,8 +73,8 @@ default boolean allowSystemIndexAccessByDefault() { | |||
return false; | |||
} | |||
|
|||
default MediaTypeRegistry<? extends MediaType> validAcceptMediaTypes() { | |||
return XContentType.MEDIA_TYPE_REGISTRY; |
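Review bot: the default that replaces `validAcceptMediaTypes()` (which returned `XContentType.MEDIA_TYPE_REGISTRY`) needs Javadoc stating that a handler overriding it must still reject the safelisted content types discussed on #80482; as the hunk stands, an override that simply returns true silently drops the CSRF protection the registry check gave. A one-line note that the Accept-header validation this method was meant to back was never implemented would also explain to readers why the old default can go.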
Just for my own learning, was nobody using this interface method before? Do we need to still report somewhere that the default supported media type is MEDIA_TYPE_REGISTRY?
Yes, it was not used. I added it in #64406 (comment) (see the description), but the validation of the Accept header was never implemented.
In fact, the mediaTypesValid added in this PR could be used for this.
The goal of this PR is to make it less strict though - to allow RestHandlers which intentionally want to implement their own Content-Type validation.
LGTM!
@pgomulka On the original issue we discussed maintaining CSRF protection by continuing to reject any of the safelisted content types. It doesn't look like this PR does that. Was that intentional?
Great find @tvernum. It wasn't intentional; it was a while since I read the discussion and I assumed the PR was ready.
The commit to allow custom media types validation accidentally allowed for CSRF. The rules for media types which should be rejected on content-type were mentioned here:
PR that introduced a bug: elastic#80906
The comment that describes safelisted media types to be rejected: elastic#80482 (comment)
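As an added illustration of the CSRF point raised above (not Elasticsearch's code; the names RestHandler, mediaTypesValid and MEDIA_TYPE_REGISTRY mirror the discussion, but the classes and registry values are a hypothetical stand-alone model), a default Content-Type check on the handler interface together with an override that widens the accepted set yet still rejects the CORS-safelisted types:

```java
import java.util.Locale;
import java.util.Set;
// Hypothetical model of the PR's idea (not Elasticsearch code): Content-Type validation is a
// default method on the handler interface, and an override may widen the accepted set.
interface RestHandler {
    // Media types the server's content parsers understand (assumed values).
    Set<String> MEDIA_TYPE_REGISTRY = Set.of("application/json", "application/x-ndjson",
            "application/yaml", "application/smile", "application/cbor");
    // CORS-safelisted request content types: a browser page on any origin can send these
    // without a preflight, so accepting them would let a third-party page submit a body.
    Set<String> CSRF_SAFELISTED = Set.of("application/x-www-form-urlencoded",
            "multipart/form-data", "text/plain");
    // Default validation, applied by the controller before the handler runs.
    default boolean mediaTypesValid(String contentType) {
        String type = normalise(contentType);
        return type != null && MEDIA_TYPE_REGISTRY.contains(type);
    }

    // Strips parameters such as "; charset=utf-8" or "; boundary=..." and lower-cases the
    // type; returns null when the header is absent.
    static String normalise(String contentType) {
        if (contentType == null) return null;
        int semi = contentType.indexOf(';');
        String bare = semi < 0 ? contentType : contentType.substring(0, semi);
        return bare.trim().toLowerCase(Locale.ROOT);
    }

    static boolean isSafelisted(String contentType) {
        String type = normalise(contentType);
        return type != null && CSRF_SAFELISTED.contains(type);
    }
}

// Accepts one extra vendor type but keeps rejecting the safelisted ones; an override that
// simply returned true would be the CSRF regression the follow-up commit describes.
final class VendorUploadHandler implements RestHandler {
    @Override
    public boolean mediaTypesValid(String contentType) {
        if (RestHandler.isSafelisted(contentType)) return false;
        return "application/vnd.example+json".equals(RestHandler.normalise(contentType))
                || RestHandler.super.mediaTypesValid(contentType);
    }
}

class Demo {
    public static void main(String[] args) {
        RestHandler h = new VendorUploadHandler();
        System.out.println(h.mediaTypesValid("application/vnd.example+json"));
        System.out.println(h.mediaTypesValid("multipart/form-data; boundary=xyz"));
    }
}
```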
In order to support additional media types in request body a custom
validation has to be supported.
This commit moves validation from RestController to RestHandler
interface (default) and allows new RestHandler implementations to
provide its custom implementation
closes #80482