diff options
| author | jonmv <venstad@gmail.com> | 2022-04-11 11:06:30 +0200 |
|---|---|---|
| committer | jonmv <venstad@gmail.com> | 2022-04-11 11:06:30 +0200 |
| commit | 016161433518cf30d3893f4d3b97f15e628bca3e (patch) | |
| tree | de8030f99ac0901aa3e6911e0d54c4feaf592118 | |
| parent | 345522047cba49c3f2d1c2bb19a4dd1ced27f0d4 (diff) | |
Add comment about why there is no path segment validation in rule filter
| -rw-r--r-- | jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/rule/RuleBasedRequestFilter.java | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/rule/RuleBasedRequestFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/rule/RuleBasedRequestFilter.java index fb74a3e2954..c5ec08e23cb 100644 --- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/rule/RuleBasedRequestFilter.java +++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/rule/RuleBasedRequestFilter.java @@ -118,6 +118,8 @@ public class RuleBasedRequestFilter extends JsonSecurityRequestFilterBase { boolean methodMatches = methods.isEmpty() || methods.contains(method.toUpperCase()); String host = uri.getHost(); boolean hostnameMatches = hostnames.isEmpty() || (host != null && hostnames.contains(host)); + // Path segments cannot be validated in this filter, as we don't know what API it protects. + // Specifically, /document/v1 must allow _any_ rest path segment, as there is no restriction on document IDs. boolean pathMatches = pathGlobExpressions.isEmpty() || pathGlobExpressions.stream().anyMatch(Path.withoutValidation(uri)::matches); return methodMatches && hostnameMatches && pathMatches; } |