[Enhancement] Validate the Url parameter in Http Subscriber #758

Closed
2 tasks done
jinrongluo opened this issue Feb 7, 2022 · 0 comments
Labels
enhancement New feature or request
Milestone

Comments

@jinrongluo
Contributor

Search before asking

  • I had searched in the issues and found no similar issues.

Enhancement Request

Currently in HTTP Subscriber, the url parameter is not being validated by the EventMesh runtime, and if an invalid url is specified, the event is delivered to this url wrongly. This can cause unwanted results and can be a security issue in the Production environment.

Describe the solution you'd like

We need to validate the url parameter in the HTTP subscriber and reject any invalid subscription request.

Are you willing to submit PR?

  • Yes I am willing to submit a PR!
@jinrongluo jinrongluo added the enhancement New feature or request label Feb 7, 2022
jinrongluo added a commit to jinrongluo/incubator-eventmesh that referenced this issue Feb 7, 2022
jinrongluo added a commit to jinrongluo/incubator-eventmesh that referenced this issue Feb 7, 2022
jinrongluo added a commit to jinrongluo/incubator-eventmesh that referenced this issue Feb 7, 2022
jinrongluo added a commit to jinrongluo/incubator-eventmesh that referenced this issue Feb 8, 2022
@xwm1992 xwm1992 closed this as completed in b8891ee Feb 9, 2022
@xwm1992 xwm1992 added this to the 1.4.0 milestone Feb 9, 2022
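
One way to implement the check requested in this issue, as an added example in Java that is not the project's own code or the change that closed the issue. The class and method names are hypothetical, and the policy (http/https only, a host present, no embedded credentials, no loopback, wildcard, link-local or site-local target) is an assumption about what "invalid" should cover.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;

// Added example: hypothetical validator, not EventMesh's own code.
public class SubscriberUrlValidator {
    /** Returns null if the URL is acceptable, otherwise the reason to reject the subscription. */
    static String rejectReason(String url) {
        if (url == null || url.isBlank()) return "empty url";
        URI uri;
        try {
            uri = new URI(url.trim());
        } catch (URISyntaxException e) {
            return "malformed url";
        }
        String scheme = uri.getScheme();
        boolean web = "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
        if (!web) return "scheme must be http or https";
        if (uri.getHost() == null) return "missing host";
        if (uri.getUserInfo() != null) return "credentials in url are not allowed";
        try {
            // Assumed policy: reject loopback, wildcard, link-local and site-local targets.
            for (InetAddress a : InetAddress.getAllByName(uri.getHost())) {
                if (a.isLoopbackAddress() || a.isAnyLocalAddress()
                        || a.isLinkLocalAddress() || a.isSiteLocalAddress()) {
                    return "host resolves to a local or private address";
                }
            }
        } catch (UnknownHostException e) {
            return "host does not resolve";
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample subscription URLs (IP literals, so no DNS lookup is needed).
        String[] samples = {
            "https://203.0.113.10:8443/callback", "ftp://203.0.113.10/callback",
            "http:///callback", "not a url", "http://user:pw@203.0.113.10/cb",
            "http://127.0.0.1:10105/cb", "http://10.0.0.5/cb" };
        for (String s : samples) {
            String reason = rejectReason(s);
            System.out.println(reason == null ? "ACCEPT " + s : "REJECT " + s + " (" + reason + ")");
        }
    }
}
```

A check made when the subscription is registered does not bind the address the host resolves to at delivery time, so the same test belongs on the delivery path as well. The JDK predicates used here do not cover IPv6 unique-local addresses (fc00::/7), which need an explicit range check.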
xwm1992 added a commit that referenced this issue Apr 7, 2022
* update project version to 1.3.0-RELEASE

* Delete gradle/wrapper directory

* update docs

* update Dockerfile and build.gradle

* update build.gradle

* update Dockerfile path

* Update .asf.yaml

disabled protected branch

(cherry picked from commit 4b60e37)

* Update .asf.yaml

(cherry picked from commit a051d06)

* [Infra] trigger branch protection change

(cherry picked from commit d9a9a5b)

* [Infra] retrigger .asf.yaml protections

(cherry picked from commit 8e5a196)

* update some docs

Signed-off-by: qqeasonchen <qqeasonchen@gmail.com>
(cherry picked from commit faf1fc1)

* update Dockerfile path

(cherry picked from commit 2790b78)

* Update java sdk docs (#663)


(cherry picked from commit 56b665b)

* Add files via upload

add pluggable-protocols.png

(cherry picked from commit ce62aa0)

* [Infra] retrigger .asf.yaml protections

(cherry picked from commit 8e5a196)

* Update .asf.yaml

make the master branch under the protected

* [ISSUE #670] fix checkstyle check fail (#680)

fix checkstyle check fail

* [MINOR] Fixed redundant boxing operations (#684)

* [MINOR] new Runnable() can be replaced with lambda (#685)

* gradle

* Anonymous new Runnable() can be replaced with lambda

* Anonymous new Runnable() can be replaced with lambda

* add logger print exception

* [MINOR] ConfigurationWrapper class adds thread pool shutdown (#683)

* gradle

* ConfigurationWrapper class adds thread pool shutdown

* [ISSUE #677] Translate readme files from English to Chinese (#678)

* translate English to Chinese
close #677

* [ISSUE #405]update cloudevents examples (#688)

[Minor #405] update cloudevents examples

* Bump gradle version to 7.3.3 Support Java17 build

* [ISSUE #690]Remove extra code style check job in CI (#691)

Close ISSUE #690.

* Update intro.md (#693)

* Add files via upload (#694)

* [ISSUE #692]Change the default merge strategy to squash (#695)

* Change the default merge strategy to squash
close #692

* [ISSUE #673] update eventmesh-runtime-quickstart-with-docker.md en & cn (#698)

* update eventmesh-runtime-quickstart-with-docker.md en & cn
close #673

* [MINOR] Change Tar and Zip name (#699)

* [Issue #702] Fix Slack Join link (#705)

close #702

* Updated Notice file to 2022 (#704)

* add instruction docs of trace and metrics in eventmesh (#706)

* [ISSUE #405]Fix args typo in examples (#707)

fixed #405

* [ISSUE #696] Add metrics plugin (#709)

1. Add Metrics plugin module
2. Implement opentelemetry metrics module
related issue #696

* [ISSUE #713] Fix trace bug (#712)

* add docs

* change default spanExporter to span

* [Issue #533] Adding design doc for EventMesh Workflow

* [Issue #553] Adding design doc for EventMesh Workflow (#714)

* [Issue #553] update the design doc.

* small updates to doc

Signed-off-by: Tihomir Surdilovic <tihomir@temporal.io>

* small update

Signed-off-by: Tihomir Surdilovic <tihomir@temporal.io>

* adding asyncapi type to event defs

Signed-off-by: Tihomir Surdilovic <tihomir@temporal.io>

* Remove unnecessary call toString (#719)

* [Issue #553] add workflow diagram to the design doc

* Update intro.md (#722)

* Update roadmap.md (#721)

* Missed exception cause (#724)

close #727

* [ISSUE #726] Remove the misleading annotation (#725)

close #726

* [ISSUE #729] Bump netty version (#730)

* Bump netty version
close #729

* [ISSUE #732] Binary package failed to execute (#733)

close #732

* [Issue #735] log4j 2.17.1 (#736)

* log4j 2.17.1

* Update known-dependencies.txt

* Update LICENSE

* fix item mislabeled as MIT when they are ASL

* fix log4j urls https://logging.apache.org/log4j/2.x/log4j-slf4j-impl/license.html

* [MINOR] Remove the unnecessary boxing (#731)

* Use archiveBaseName and archiveVersion to optimize gradle zip task (#728)

* Add environment and version selector in bug_report.yml (#734)

* Fix bug report template (#741)

* add eventmesh-admin-rocketmq into rootProject

* [ISSUE #737] Add Netty license (#738)

close #737

* [Issue #750] junit should only be used in tests (#751)

* junit should only be used in tests

add back assertj

revert assertj changes

build issues

centralise junit dependency

Update build.gradle

* junit 4.12 has a CVE

close #750

* [Issue #752] upgrade httpclient (#753)

* upgrade httpclient

* commons-codec transitive dependency upgrade

close #752

* [Issue-754] upgrade guava (#757)

* upgrade guava

* [Issue #758] validate subscriber Url (#759)

* [Issue #758] validate subscriber Url

* [Issue #758] fix build issue

* [Issue #758] fix checkstyle issue

* [Issue #758] fix license check issue
close #758

* [Issue #655] Adding send message constraints for message size and batch size (#760)

* [Issue #655] Adding send message constraints for message size and batch size

* [MINOR] Fix plugin cannot load properties from classpath (#763)

* [MINOR] Fix plugin cannot load properties from classpath

* Fix callback warning

* [MINOR] Remove unused field in example (#766)

* [MINOR] Allow run script in other directory (#765)

* [MINOR] Fix the hardcode ip address (#767)

* [Issue #768] fix issue in update HTTP subscriber (#769)

* [Issue #768] fix issue in update HTTP subscriber

* [Issue #769] use Serialization to deep clone object and adding equals method to SubscriptionItem

* [Issue #768] fix build checkstyle issue

close #768

* update checkstyle.xml (#773)

add suppresswarnings filter

* Rebase the grpc branch to master branch (#771)

* [Issue #417] Grpc Transport Protocol support (#710)

Grpc Transport Protocol support

* [Issue #417] Create getting started instructions for Grpc transport procotol

* [Issue #417] update Grpc Message Model name to SimpleMessage

* [Issue #417] more update Grpc Message Model name to SimpleMessage

* [Issue #718] Fix readme file and protobuf file based on review comments

* [Issue #745] fix the ack bugs and cloudevent message resolver

* [Issue #744] update SDK API message model

* [Issue #744] fix the gRPC Consumer SubscribeStream Message handler

* [Issue #744] Grpc Request-Reply API support

* [Issue #744] Bug fix for Grpc Request-Reply API support

* [Issue #744] minor fix for Grpc request-Reply API

* [Issue #744] fix infinte message loop in Grpc CloudEvent request-Reply API

* [Issue #744] Fix Grpc subscribe-unsubscribe bug

* [Issue #744] Fix Data models in Grpc Request-Reply API

* [Issue #744] Code optimization for Grpc Request-Reply API

* [Issue #417] support Grpc broadcast async publish

* [Issue #718] add synchronized calls for grpc streamObserver

* supply apache header

* add checkstyle ignore for grpc

* fix checkstyle error

* fix javax.annotation.generated compile error

* fix javax.annotation.generated compile error

* supply dependencies licenses

* update known-dependencies.txt

* update known-dependencies.txt

Co-authored-by: jinrongluo <kapoking@gmail.com>

* [Issue #774] Optimize the object property description of eventmesh client (#775)

* modify: add group field in UserAgent, delete ProducerGroup and ConsumerGroup field

* modify: fix checksyle error

* modify: fix checksyle error in ClientGroupWrapper.java

close #774

* Update roadmap.md (#779)

* [Issue #780] Modify the define level  of EventListener from Topic to Consumer (#781)

* modify: add group field in UserAgent, delete ProducerGroup and ConsumerGroup field

* modify: fix checksyle error

* modify: fix checksyle error in ClientGroupWrapper.java

* modify: move EventListner in the level of Consumer instead of binding with topic in EventMesh

* modify: fix the eventListener level problem in grpc protocal

* modify: fix the eventListener problem in test case

close #780

* [ISSUE #786] remove eventmesh-sdk-java model redundant code (#789)

Co-authored-by: lucky-lsr <hacker_lsr@126.com>
close #786

* Update roadmap.md (#791)

* [ISSUE #783] clean useless code in runtime module (#787)

* [ISSUE #783] clean useless code in runtime module

* format code

close #783

* [ISSUE #696] Add trace plugin (#749)

* add docs

* add trace plugin

* fix ConfigurationWrapperTest error

* fix checkstyle

* fix checkstyle

* [ISSUE #784] Fix words misspell, optimize admin http method code (#792)

close #784

* [Issue #658] Eventmesh Http Support CloudEvents Webhook spec (#772)

* [Issue #658] support CloudEvents Webhook spec

* [Issue #658] create auth-http-basic security module

* [Issue #658] create auth-http-basic security module

* [Issue #658] code refactor for CloudEvents Webhook

* [Issue #658] fix build checkstyles

* [Issue #658] fix javadoc build issue

* [Issue #658] fix javadoc build issue in eventmesh-security-auth-http-basic

* [Issue #658] adding more log to the WebhookUtil

* [Issue #658] address PR review comments.

* [Issue #658] fixed checkstyles issue

Co-authored-by: mike_xwm <mike_xwm@126.com>

* [ISSUE #782] delete invalid code in eventmesh-connector-plugin module (#793)

* [ISSUE #795] Fix doc eventmesh-runtime-quickstart-with-docker.md (#798)

close #795

* [Enhancement] Some suggestions for eventmesh-examples (#794)

* remove invalid code

* read config from file

* extract constants

* format code

close #794

* [Enhancement] compile project with junit error (#802)

Co-authored-by: ylong <ylong.b@gamil.com>
close #796

* [Enhancement] Run CI on all branch (#805)

* [MINOR] sort dependencise before check (#808)

* [ISSUE #806] code optimization and delete invalid code in eventmesh-e… (#807)

* [ISSUE #806] code optimization and delete invalid code in eventmesh-examples module

* use ExampleConstants to hold constants in examples
* delete invalid code

* [ISSUE #806] code optimization and delete invalid code in eventmesh-examples module

Motivation
Code style consistency in log msg

Co-authored-by: fengyongshe <fengyongshe@cmss.chinamobile.com>

close #806

Co-authored-by: xwm1992 <mike_xwm@126.com>
Co-authored-by: Daniel Gruno <humbedooh@apache.org>
Co-authored-by: qqeasonchen <qqeasonchen@gmail.com>
Co-authored-by: Wenjun Ruan <wenjun@apache.org>
Co-authored-by: yangjun <yangjun1120@gmail.com>
Co-authored-by: 李晓双 Li Xiao Shuang <644968328@qq.com>
Co-authored-by: Shoothzj <shoothzj@gmail.com>
Co-authored-by: Junjie Zhou <1192031540@qq.com>
Co-authored-by: ZePeng Chen <84842773+Roc-00@users.noreply.github.com>
Co-authored-by: jinrongluo <kapoking@gmail.com>
Co-authored-by: Tihomir Surdilovic <tihomir@temporal.io>
Co-authored-by: PJ Fanning <pjfanning@users.noreply.github.com>
Co-authored-by: wqliang <wqliang@apache.org>
Co-authored-by: lrhkobe <34571087+lrhkobe@users.noreply.github.com>
Co-authored-by: lucky-lsr <45811620+lucky-lsr@users.noreply.github.com>
Co-authored-by: sarihuangshanrong <280456134@qq.com>
Co-authored-by: TownChen <793847469@qq.com>
Co-authored-by: AhahaGe <ahahage@163.com>
Co-authored-by: SpiritZhang <howtoknow@qq.com>
Co-authored-by: like <likegeek@163.com>
Co-authored-by: beeylong@126.com <29363663+hsld9527@users.noreply.github.com>
Co-authored-by: fengyongshe <fengyongshe@139.com>
xwm1992 pushed a commit that referenced this issue Aug 4, 2022
* [Issue #758] validate subscriber Url

* [Issue #758] fix build issue

* [Issue #758] fix checkstyle issue

* [Issue #758] fix license check issue
close #758