Api/deny query strings (#193)

* Deny http requests with unknown query strings
* Add /didcomm as didcomm proxy endpoint
* Bump version to 2.5.0

Signed-off-by: Patrik Stas <[email protected]>

Author: Patrik-Stas

vcxagency-client/test/e2e/shared/agency-flows.spec.js

@@ -30,6 +30,7 @@ const { vcxFlowCreateAgentConnection } = require('vcxagency-client/src')
 const { vcxFlowFullOnboarding } = require('vcxagency-client/src')
 const { indyGenerateWalletKey } = require('easy-indysdk')
 const { indyOpenWallet } = require('easy-indysdk')
+const axios = require('axios')
 
 let aliceWalletName
 let aliceWalletKey
@@ -160,3 +161,22 @@ describe('healthchecks', () => {
     expect(success).toBe('true')
   })
 })
+
+describe('query params', () => {
+  it('should return bad request if unknown query parameter is specified', async () => {
+    let err
+    try {
+      await axios.get(`${agencyUrl}/agency?foobar=123`)
+    } catch (error) {
+      err = error
+    }
+    expect(err).toBeDefined()
+    expect(err.response.status === 400)
+  })
+})
+
+describe('query params', () => {
+  it('should return bad request if known query parameter is specified', async () => {
+    await axios.get(`${agencyUrl}/agency?timeout=10`)
+  })
+})

vcxagency-node/src/api/middleware.js

@@ -57,6 +57,22 @@ module.exports.asyncHandler = function asyncHandler (fn) {
   }
 }
 
+module.exports.buildDenyQueryStringsMiddleware = function buildDenyQueryStringsMiddleware (allowedQueryKeys) {
+  const allowedQueryKeysSet = new Set(allowedQueryKeys)
+  return function denyQueryStrings (req, res, next) {
+    const queryKeys = Object.keys(req.query)
+    if (queryKeys.length > 0) {
+      if (queryKeys.length === 1 && allowedQueryKeysSet.has(queryKeys[0])) {
+        next()
+      } else {
+        return res.status(400).send()
+      }
+    } else {
+      next()
+    }
+  }
+}
+
 module.exports.logRequestsWithBody = function logRequestsWithBody (req, res, next) {
   logger.info(`${req.method} ${req.originalUrl} Request body: ${JSON.stringify(req.body)}`)
   next()

vcxagency-node/src/execution/server.js

@@ -31,7 +31,7 @@ const apiProxy = require('../api/api-proxy')
 const {
   logRequestsWithBody,
   setReqId,
-  finalExpressHandlers
+  finalExpressHandlers, buildDenyQueryStringsMiddleware
 } = require('../api/middleware')
 
 function createWebServer (expressApp, enableTls, tlsCertPath, tlsKeyPath, logger) {
@@ -51,6 +51,7 @@ function createWebServer (expressApp, enableTls, tlsCertPath, tlsKeyPath, logger
 async function setupExpressApp (expressApp, application, appConfig) {
   const { entityForwardAgent, serviceNewMessagesV1, serviceNewMessagesV2 } = application
   logger.info('Setting up express endpoints and middleware.')
+  expressApp.use(buildDenyQueryStringsMiddleware(['timeout']))
 
   if (appConfig.DANGEROUS_HTTP_DETAILS === true) {
     logger.warn('** DANGEROUS, FULL HTTP REQUESTS WILL BE LOGGED **')
@@ -71,15 +72,15 @@ async function setupExpressApp (expressApp, application, appConfig) {
 
   const maxRequestSizeKb = appConfig.SERVER_MAX_REQUEST_SIZE_KB
   if (appConfig.PROXY_TARGET_URL) {
-    const proxyPrefix = '/api/proxy'
-    logger.info(`Requests to ${proxyPrefix} will be forwarded to ${appConfig.PROXY_TARGET_URL}`)
+    const proxyPrefixes = ['/api/proxy', '/didcomm']
+    logger.info(`Requests to ${proxyPrefixes} will be forwarded to ${appConfig.PROXY_TARGET_URL}`)
     const routerProxy = express.Router()
     routerProxy.use(bodyParser.raw({
       inflate: false,
       limit: `${maxRequestSizeKb}kb`
     }))
-    expressApp.use(proxyPrefix, routerProxy)
-    apiProxy(routerProxy, proxyPrefix, appConfig.PROXY_TARGET_URL)
+    expressApp.use(proxyPrefixes, routerProxy)
+    apiProxy(routerProxy, proxyPrefixes, appConfig.PROXY_TARGET_URL)
   }
 
   logger.info('Setting up express Aries API.')

version.json

@@ -1,5 +1,5 @@
 {
   "major": 2,
-  "minor": 4,
+  "minor": 5,
   "patch": 0
 }