>From Ian Maxon <ima...@uci.edu>:

Ian Maxon has uploaded this change for review. ( 
https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/11003 )


Change subject: [NO ISSUE] Restrict UDF modification
......................................................................

[NO ISSUE] Restrict UDF modification

Change-Id: I2cc23138793ae562cfa42c841b3bc4202391d9a1
---
M 
asterixdb/asterix-app/src/main/java/org/apache/asterix/api/http/server/NCUdfApiServlet.java
1 file changed, 34 insertions(+), 2 deletions(-)



  git pull ssh://asterix-gerrit.ics.uci.edu:29418/asterixdb 
refs/changes/03/11003/1

diff --git 
a/asterixdb/asterix-app/src/main/java/org/apache/asterix/api/http/server/NCUdfApiServlet.java
 
b/asterixdb/asterix-app/src/main/java/org/apache/asterix/api/http/server/NCUdfApiServlet.java
index fec0b38..877e725 100644
--- 
a/asterixdb/asterix-app/src/main/java/org/apache/asterix/api/http/server/NCUdfApiServlet.java
+++ 
b/asterixdb/asterix-app/src/main/java/org/apache/asterix/api/http/server/NCUdfApiServlet.java
@@ -295,14 +295,46 @@
         responseWriter.flush();
     }

+    private boolean isReqOnLoopBack(IServletRequest request, IServletResponse 
response) {
+        if (request.getLocalAddress() == null || 
!request.getLocalAddress().getAddress().isLoopbackAddress()) {
+            rejectNonLoopback(response);
+            return false;
+        }
+        return true;
+    }
+
+    protected List<String> getBadHeaders() {
+        return Collections.emptyList();
+    }
+
+    private boolean containsBadHeaders(IServletRequest request, 
IServletResponse response) {
+        List<String> badHeaders = getBadHeaders();
+        for (Map.Entry<String, String> header : 
request.getHttpRequest().headers()) {
+            if (badHeaders.contains(header.getKey())) {
+                rejectNonLoopback(response);
+                return true;
+            }
+        }
+        return false;
+    }
+
+    private static void rejectNonLoopback(IServletResponse response) {
+        response.setStatus(HttpResponseStatus.FORBIDDEN);
+        response.writer().write("{ \"error\": \"Forbidden\" }");
+    }
+
     @Override
     protected void post(IServletRequest request, IServletResponse response) {
-        handleModification(request, response, LibraryOperation.UPSERT);
+        if (isReqOnLoopBack(request, response) && !containsBadHeaders(request, 
response)) {
+            handleModification(request, response, LibraryOperation.UPSERT);
+        }
     }

     @Override
     protected void delete(IServletRequest request, IServletResponse response) {
-        handleModification(request, response, LibraryOperation.DELETE);
+        if (isReqOnLoopBack(request, response) && !containsBadHeaders(request, 
response)) {
+            handleModification(request, response, LibraryOperation.DELETE);
+        }
     }

 }
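Review bot: The header screen in containsBadHeaders compares names case-sensitively — `badHeaders.contains(header.getKey())` on the raw key — while HTTP header names are case-insensitive, so a proxy that emits `x-forwarded-for` instead of `X-Forwarded-For` (or any other casing of a listed name) passes the check and the loopback gate can be satisfied by a same-host reverse proxy; inverting the loop to `for (String bad : getBadHeaders()) {` / `if (request.getHttpRequest().headers().contains(bad)) {` uses Netty's case-insensitive name lookup and also avoids iterating every header. The default `getBadHeaders()` returns an empty list, so unless a subclass overrides it this method never rejects anything — worth a Javadoc line on the hook, e.g. `/** Header names whose presence indicates the request was forwarded by a proxy; such requests are rejected even on loopback. Subclasses override to supply the list. */`. Both predicates (`isReqOnLoopBack`, `containsBadHeaders`) write the 403 response as a side effect and share `rejectNonLoopback`, whose name no longer matches the bad-header case; consider renaming it `rejectForbidden` and having the predicates return a plain boolean with post/delete doing the rejection. A rejected UDF modification attempt is currently silent; if the servlet has a logger, a warn-level entry with `request.getRemoteAddress()` and the operation would give operators a detection signal for misdirected or probing clients.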

--
To view, visit https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/11003

Gerrit-Project: asterixdb
Gerrit-Branch: cheshire-cat
Gerrit-Change-Id: I2cc23138793ae562cfa42c841b3bc4202391d9a1
Gerrit-Change-Number: 11003
Gerrit-PatchSet: 1
Gerrit-Owner: Ian Maxon <ima...@uci.edu>
Gerrit-MessageType: newchange
