feat(raf-993): signing of open payments http payload.#3407
Conversation
✅ Deploy Preview for brilliant-pasca-3e80ec canceled.
|
🚀 Performance Test ResultsTest Configuration:
Test Metrics:
📜 Logs |
| app.post('/http-signature-verify', async function handler(ffReq, ffReply) { | ||
| const requestBody = JSON.parse(JSON.stringify(ffReq.body)) | ||
| if (!validateBodyVerifySignature(requestBody as RequestBodySignatureVerify)) { | ||
| return { | ||
| statusCode: '400', | ||
| body: 'Insufficient data in request body' | ||
| } | ||
| } | ||
| const { method, url, headers, body } = requestBody | ||
|
|
||
| if (!headers['signature'] || !headers['signature-input']) { | ||
| return { | ||
| statusCode: '400', | ||
| body: '[signature-input] and/or [signature] headers are missing' | ||
| } | ||
| } | ||
|
|
||
| if (!validateSignatureHeaders({ | ||
| method, | ||
| url, | ||
| headers, | ||
| body | ||
| })) { | ||
| return { | ||
| statusCode: '401', | ||
| body: 'Signature verification failed' | ||
| } | ||
| } | ||
|
|
||
| ffReply.code(200).send({ | ||
| signatureVerified: true | ||
| }) | ||
| }) |
Check failure
Code scanning / CodeQL
Missing rate limiting High test
| const interactResponse = await fetch(startInteractionUrl, { | ||
| redirect: 'manual' // dont follow redirects | ||
| }) |
Check failure
Code scanning / CodeQL
Server-side request forgery Critical test
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 1 year ago
To fix the issue, we need to ensure that the startInteractionUrl is validated before being used in the fetch call. The best approach is to implement an allow-list mechanism for acceptable domains or URLs. This ensures that only predefined, trusted URLs can be used, effectively mitigating the SSRF vulnerability.
Steps to fix:
- Introduce an allow-list of trusted domains or URLs.
- Validate the
startInteractionUrlagainst this allow-list before using it in thefetchcall. - Reject requests with invalid or untrusted URLs, returning an appropriate error response.
| @@ -195,2 +195,12 @@ | ||
|
|
||
| // Validate startInteractionUrl | ||
| const allowedDomains = ['https://trusted-domain.com', 'https://another-trusted-domain.com']; | ||
| const isValidUrl = allowedDomains.some(domain => startInteractionUrl.startsWith(domain)); | ||
| if (!isValidUrl) { | ||
| return { | ||
| statusCode: '400', | ||
| body: `Invalid startInteractionUrl: '${startInteractionUrl}'` | ||
| } | ||
| } | ||
|
|
||
| // Start interaction |
| const acceptResponse = await fetch(acceptUrl, { | ||
| method: 'POST', | ||
| headers: { | ||
| 'x-idp-secret': idpSecret, | ||
| cookie | ||
| } | ||
| }) |
Check failure
Code scanning / CodeQL
Server-side request forgery Critical test
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 1 year ago
To fix the SSRF vulnerability, we need to ensure that the interactionServer value is validated before it is used to construct the acceptUrl. The best approach is to implement an allow-list of permitted hostnames or base URLs for interactionServer. This ensures that only predefined, trusted values can be used in the outgoing request.
Steps to fix:
- Define an allow-list of trusted base URLs for
interactionServer. - Validate the
interactionServervalue against this allow-list before constructing theacceptUrl. - Reject requests with invalid or untrusted
interactionServervalues.
Changes needed:
- Add a validation function to check
interactionServeragainst the allow-list. - Modify the
/consent-interactionhandler to validateinteractionServerbefore constructing the URL.
| @@ -195,2 +195,11 @@ | ||
|
|
||
| // Validate interactionServer | ||
| const allowedServers = ['https://trusted-server1.com', 'https://trusted-server2.com']; | ||
| if (!allowedServers.includes(interactionServer)) { | ||
| return { | ||
| statusCode: '400', | ||
| body: `Invalid interactionServer: '${interactionServer}'` | ||
| } | ||
| } | ||
|
|
||
| // Start interaction |
|
@koekiebox closing this one, we will tackle this separately for rafiki-v2 |
Changes proposed in this pull request
Context
Checklist
fixes #numberuser-docslabel (if necessary)