Bug: New AWS-WAF Rule Breaks EZID-Related Tests

[artntek]

Many tests that communicate with the prod website at https://ezid.cdlib.org include a _target url in the POST request body. On 5/11/23, security was updated for the public site, and application of a new AWS-WAF Rule means that requests are denied with a 403 Unauthorized error if the body contains a url that includes localhost or 127.0.0.1. This is populated from the metacat.properties server.name value, which is typically set to localhost, thus causing the test failures.

Here is the new definition:

   {
        "ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
        "terminatingRule": {
          "ruleId": "EC2MetaDataSSRF_BODY",
          "action": "BLOCK",
          "overriddenAction": "BLOCK",
          "ruleMatchDetails": null
        },
        "nonTerminatingMatchingRules": [],
        "excludedRules": null,
        "customerConfig": null
   }

Instead of using the properties value, therefore, the tests should be changed to substitute a dummy hostname, without needing to affect all the other tests.

Epic #1608

[mbjones]

What is _target used for in the request? Does changing it from server.name adversely affect operations, or is it just superfluous? If it's superfluous, can we just eliminate it?

[artntek]

I believe it's a callback link from the ezid site to the metacatui page that would display the dataset being referenced. Are you advocating eliminating it altogether, or just eliminating it in the test calls? (I already have a fix that substitutes a dummy hostname via mock Properties for the tests)

[mbjones]

I'm not advocating anything yet, just trying to understand what is was used for, and why you could change it with impunity and still have tests pass.

[artntek]

got it. Yeah - it's not part of the test, and its content is not validated by the ezid site as part of the POST (apart from the new filtering to exclude localhost references). I don't know if it's a required field or not - but the mock value works OK

[artntek]

merged #1626