[google-appengine] How to protect against Host Header Injection in Endpoints on AppEngine

2020-07-15 Thread Alexandru Gogan
Hi everyone, 
I'm seeing some odd behaviour with App Engine Flex and Cloud Endpoints that 
might be prone to Host Header Injection.

If I send a request to the root domain of my API running on AppEngine Flex 
with Cloud Endpoints, with a specified HOST header, the content of the 
specified host is loaded as the content if the redirects are followed.

Request:
GET / HTTP/1.1
Host: api.my-domain.com
HOST: evil.host.com

Response:
302 to resolved domain http://evil.host.com/some-evil-url.html

As far as I understood from the Endpoints Team, there is no way to 
configure the ESP to check the headers for the origin host and reject based 
on an allowed list or pattern. 
With AppEngine Flex it would be the responsibility of the application to 
handle this. 
However if the request is made against the root path, my application does 
not receive the request to handle it. 

According to the documentation 
https://cloud.google.com/endpoints/docs/openapi/openapi-limitations#operations_on_url_root_path_
it is not possible to provide an implementation for the root path.

Are there any other ways to prevent this behaviour and protect against Host 
Header Injection?





-- 
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to google-appengine+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-appengine/c9082988-27db-49c7-a131-c39bead0ba4cn%40googlegroups.com.
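The application-side check that the post says App Engine Flex leaves to the application, written here as an added example (it is not code from the original thread, from Google's ESP, or from the poster's service): a Python WSGI middleware that canonicalises the Host header, rejects anything not on an explicit allow-list with 421 Misdirected Request, and builds absolute redirects from a configured canonical origin rather than from the request, so a spoofed Host cannot steer a 302. The host names api.my-domain.com and evil.host.com are taken from the post; the allow-list, the canonical origin, the /docs redirect target and the 421 status are assumptions made for the example. It only protects paths ESP actually forwards to the application, so it does not by itself cover the root-path case the post describes.

```python
"""Host-header allow-listing for a WSGI app (added example, not the
original poster's code).  Placeholder names are assumptions: the
allow-list, the canonical origin and the /docs redirect target."""
from urllib.parse import quote

# Assumed configuration for the example; a real service loads this from config.
ALLOWED_HOSTS = frozenset({"api.my-domain.com"})
CANONICAL_ORIGIN = "https://api.my-domain.com"


def normalize_host(raw):
    """Return a canonical host name, or None if the value is unusable."""
    if raw is None:
        return None
    host = raw.strip().lower()
    if host.startswith("["):
        # IPv6 literal: keep the bracketed address, drop any :port after it.
        end = host.find("]")
        if end == -1:
            return None
        host = host[: end + 1]
    elif ":" in host:
        # host:port form; a non-numeric port is malformed and rejected.
        host, _, port = host.rpartition(":")
        if not port.isdigit():
            return None
    # A trailing dot is a valid FQDN spelling but must not bypass the allow-list.
    host = host.rstrip(".")
    # Reject empty values and anything carrying whitespace or control characters.
    if not host or any(c.isspace() or ord(c) < 0x20 for c in host):
        return None
    return host


def host_allowed(raw, allowed=ALLOWED_HOSTS):
    """True only if the canonicalised Host is on the allow-list."""
    host = normalize_host(raw)
    return host is not None and host in allowed


def canonical_redirect(path):
    """Absolute Location built from configuration, never from the request Host."""
    if not path.startswith("/") or path.startswith("//"):
        path = "/"  # refuse relative and protocol-relative targets
    return CANONICAL_ORIGIN + quote(path, safe="/?=&%")


class HostGuard:
    """WSGI middleware: reject requests whose Host is not on the allow-list."""

    def __init__(self, app, allowed=ALLOWED_HOSTS):
        self.app = app
        self.allowed = allowed

    def __call__(self, environ, start_response):
        if not host_allowed(environ.get("HTTP_HOST"), self.allowed):
            body = b"421 Misdirected Request\n"
            start_response("421 Misdirected Request",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Minimal app: redirects / to /docs using the canonical origin."""
    if environ.get("PATH_INFO", "/") == "/":
        start_response("302 Found", [("Location", canonical_redirect("/docs"))])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def run_request(app, host, path="/"):
    """Drive a WSGI app in-process with a constructed request; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "HTTP_HOST": host,
               "SERVER_NAME": "localhost", "SERVER_PORT": "8080",
               "wsgi.url_scheme": "http"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    guarded = HostGuard(demo_app)
    print(run_request(guarded, "api.my-domain.com"))   # 302 to canonical /docs
    print(run_request(guarded, "evil.host.com"))       # 421, never reaches the app
```

The request in the post carries two Host lines; which one a given front end forwards to the application is implementation-defined, so the middleware validates whatever arrives in HTTP_HOST and, separately, never derives a redirect target from it. Where the proxy in front of the app can be configured to drop requests with duplicate Host headers, do that as well.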


Re: [google-appengine] Re: GAE Web app sending mail using SendGrid

2020-07-15 Thread Adam Jack
I don't know the background here, but in case any of this helps:

Do you have an API key from SendGrid?

   https://app.sendgrid.com/settings/api_keys

In your appengine-web.xml set the environment variable to pass that API
key into:


  




https://cloud.google.com/appengine/docs/standard/java/config/appref


Sorry if I am off base, it just looks similar to what I am doing (with Go.)


regards,

Adam

On Wed, Jul 15, 2020 at 6:20 AM Alexis CAPGEMINI <
alexis.capgem...@radiall.com> wrote:

> Can you please explain how you did this ?
>
> I'm still stuck with an error here: SendGrid sendgrid = new
> SendGrid(System.getenv("SENDGRID_SENDER"));
>
> Thanks
>
> On Friday, 7 September 2018 at 18:02:44 UTC+2, rashmi...@gmail.com
> wrote:
>
>> I have solved the problem. I had to use Urlfetch configuration in
>> appengine-web.xml and use URLFetch class instead of HttpURLConnection. It
>> works now. Thanks for the help!
>>
>>
>> On Saturday, August 25, 2018 at 1:08:16 AM UTC+5:30, George (Cloud
>> Platform Support) wrote:
>>>
>>> If you would like us to look more in-depth in the issue, you should
>>> write a private message with your project ID. You can do this using the
>>> drop-down menu of the reply button, at the top-right of the message window.
>>>
>> --
> You received this message because you are subscribed to the Google Groups
> "Google App Engine" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to google-appengine+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/google-appengine/21e0c86a-886a-491b-a57d-cd4d72b4e02cn%40googlegroups.com
> 
> .
>


-- 
Responserack
- incidents happen, response is crafted...
https://www.responserack.com | LinkedIn | Facebook | Twitter


-- 
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to google-appengine+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-appengine/CAMT-FFKdRnu8Ajr5CrdCXCYf9Uk-OsecionwZfcP2NBRLnj1_Q%40mail.gmail.com.


Re: [google-appengine] Re: GAE Web app sending mail using SendGrid

2020-07-15 Thread Alexis CAPGEMINI
Can you please explain how you did this ?

I'm still stuck with an error here: SendGrid sendgrid = new SendGrid(
System.getenv("SENDGRID_SENDER"));

Thanks

On Friday, 7 September 2018 at 18:02:44 UTC+2, rashmi...@gmail.com wrote:

> I have solved the problem. I had to use Urlfetch configuration in 
> appengine-web.xml and use URLFetch class instead of HttpURLConnection. It 
> works now. Thanks for the help!
>
>
> On Saturday, August 25, 2018 at 1:08:16 AM UTC+5:30, George (Cloud 
> Platform Support) wrote:
>>
>> If you would like us to look more in-depth in the issue, you should write 
>> a private message with your project ID. You can do this using the drop-down 
>> menu of the reply button, at the top-right of the message window. 
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to google-appengine+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-appengine/21e0c86a-886a-491b-a57d-cd4d72b4e02cn%40googlegroups.com.


[google-appengine] Re: Google App Engine: versioning with custom sub domains

2020-07-15 Thread 'Alex Fox' via Google App Engine
Hey Alexander,

This sounds like the functionality I want. Perhaps I need to experiment 
with a wildcard certificate and avoid using the subdomains. 

Thanks,
Alex

On Tuesday, July 14, 2020 at 4:04:38 PM UTC+1 a.not...@gmail.com wrote:

> Alex,
>
> We are doing just what you describe, although we do it under the naked 
> domain.
>
> we have app.io pointing to appengine, which has a wildcard certificate 
> mapped.
> My appengine settings for custom domain are like this:
>
> custom domain name | cert | record type | data | alias
> *.app.io  | wildcard-certificate |  cname |  ghs.googlehosted.com. |   *
> app.io  | wildcard-certificate |  A |  xx.xx.xx.xx |  (none)
>
>
> All requests for app.io go to the default version.  We also have a 
> release candidate version deployed, named 'rc'.
> Without any configuring, all requests for rc.app.io go automagically to the 
> rc version.
>
> This only works when you have the wildcard certificate in place.  Just 
> adding custom domain mappings for each version will not work.
>
>
>
> Alexander
>
> On Friday, 10 July 2020 20:20:15 UTC+2, Alex Fox wrote:
>>
>> I'm trying to set up GAE with a custom subdomain and a specific version 
>> URL.
>>
>> For example I have an app running with the following setup:
>> VERSION_ID: 1234
>> SERVICE_ID: my-app
>> PROJECT_ID: my-project
>>
>> The provided URL https://1234-dot-my-app-dot-my-project.ew.r.appspot.com 
>> works fine. 
>> But I can't get it to work with my custom domain + subdomain. Google's 
>> documentation states the following URLs are the same:
>>
>> https://VERSION_ID-dot-default-dot-PROJECT_ID.REGION_ID.r.appspot.com 
>> https://VERSION_ID.CUSTOM_DOMAIN
>>
>> But when visiting 1234.api.mycustomdomain.com it does not work. However 
>> api.mycustomdomain.com works, pointing to the latest running 
>> version of my-app.
>>
>> What am I missing?
>> Thanks.
>>  
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to google-appengine+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-appengine/9f7011b7-f5bf-45e6-b98f-13e246d9561fn%40googlegroups.com.