diff --git a/package.json b/package.json
index 61b13a06bffe9..00471d9c6ebf8 100644
--- a/package.json
+++ b/package.json
@@ -116,7 +116,7 @@
 "@hapi/good-squeeze": "6.0.0",
 "@hapi/h2o2": "^9.0.2",
 "@hapi/hapi": "^20.0.3",
- "@hapi/hoek": "^9.1.0",
+ "@hapi/hoek": "^9.1.1",
 "@hapi/inert": "^6.0.3",
 "@hapi/podium": "^4.1.1",
 "@hapi/statehood": "^7.0.3",
diff --git a/src/core/server/http/http_server.ts b/src/core/server/http/http_server.ts
index 42e89b66d9c51..81f7c9c45ba50 100644
--- a/src/core/server/http/http_server.ts
+++ b/src/core/server/http/http_server.ts
@@ -16,7 +16,7 @@
 * specific language governing permissions and limitations
 * under the License.
 */
-import { Server, ServerRoute } from '@hapi/hapi';
+import { Server } from '@hapi/hapi';
 import HapiStaticFiles from '@hapi/inert';
 import url from 'url';
 import uuid from 'uuid';
@@ -167,6 +167,8 @@ export class HttpServer {
 for (const router of this.registeredRouters) {
 for (const route of router.getRoutes()) {
 this.log.debug(`registering route handler for [${route.path}]`);
+ // Hapi does not allow payload validation to be specified for 'head' or 'get' requests
+ const validate = isSafeMethod(route.method) ? undefined : { payload: true };
 const { authRequired, tags, body = {}, timeout } = route.options;
 const { accepts: allow, maxBytes, output, parse } = body;
@@ -174,7 +176,7 @@ export class HttpServer {
 xsrfRequired: route.options.xsrfRequired ?? !isSafeMethod(route.method),
 };
- const routeOpts: ServerRoute = {
+ this.server.route({
 handler: route.handler,
 method: route.method,
 path: route.path,
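Review bot: In the `@@ -167,6 +167,8 @@` hunk of `http_server.ts`, the new comment names 'head' and 'get' while the condition is `isSafeMethod(route.method)`, whose definition is outside this diff, so the comment and the predicate may not describe the same set of methods. The same predicate also supplies the `xsrfRequired` default in the next hunk, so two separate security decisions (XSRF enforcement and whether Hapi's payload validation is switched off) depend on it. I would word the comment after the predicate, for example `// isSafeMethod() routes get no 'validate' entry: Hapi does not allow payload validation on 'head' or 'get' requests`, and keep it next to the explanatory block at `validate,` so the reasoning sits in one place. The enclosing loop body starts before and continues after this hunk.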
@@ -182,6 +184,11 @@ export class HttpServer {
 auth: this.getAuthOption(authRequired),
 app: kibanaRouteOptions,
 tags: tags ? Array.from(tags) : undefined,
+ // TODO: This 'validate' section can be removed once the legacy platform is completely removed.
+ // We are telling Hapi that NP routes can accept any payload, so that it can bypass the default
+ // validation applied in ./http_tools#getServerOptions
+ // (All NP routes are already required to specify their own validation in order to access the payload)
+ validate,
 // @ts-expect-error Types are outdated and doesn't allow `payload.multipart` to be `true`
 payload: [allow, maxBytes, output, parse, timeout?.payload].some((x) => x !== undefined)
 ? {
@@ -197,22 +204,7 @@ export class HttpServer {
 socket: timeout?.idleSocket ?? this.config!.socketTimeout,
 },
 },
- };
-
- // Hapi does not allow payload validation to be specified for 'head' or 'get' requests
- if (!isSafeMethod(route.method)) {
- // TODO: This 'validate' section can be removed once the legacy platform is completely removed.
- // We are telling Hapi that NP routes can accept any payload, so that it can bypass the default
- // validation applied in ./http_tools#getServerOptions
- // (All NP routes are already required to specify their own validation in order to access the payload)
- // TODO: Move the setting of the validate option back up to being set at `routeOpts` creation-time once
- // https://github.com/hapijs/hoek/pull/365 is merged and released in @hapi/hoek v9.1.1. At that point I
- // imagine the ts-error below will go away as well.
- // @ts-expect-error "Property 'validate' does not exist on type 'RouteOptions'" <-- ehh?!? yes it does!
- routeOpts.options!.validate = { payload: true };
- }
-
- this.server.route(routeOpts);
+ });
 }
 }
diff --git a/yarn.lock b/yarn.lock
index 956630bafa935..b02ccc4ee436f 100644
--- a/yarn.lock
+++ b/yarn.lock
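Review bot: In the `@@ -182,6 +184,11 @@` hunk, `validate` is `{ payload: true }` for every non-safe method, which per the comment makes Hapi accept any payload and skip the default validation from `./http_tools#getServerOptions`; the comment justifies this with "All NP routes are already required to specify their own validation" but does not say where that requirement is enforced. Since this is a fail-open setting, the comment should point to the enforcing code, and it no longer says that `validate` is `undefined` for safe methods now that the computation lives in the earlier hunk. Something like `// validate is undefined for safe methods (computed above); otherwise Hapi's payload check is off and the route's own body schema is the only validation` would cover it. A test asserting that a route registered without a body schema cannot read the request payload would keep the invariant from regressing silently; whether one exists is not visible here. The object literal begins and ends outside this hunk.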
@@ -1925,10 +1925,10 @@ "@hapi/hoek" "9.x.x" "@hapi/validate" "1.x.x" -"@hapi/hoek@9.x.x", "@hapi/hoek@^9.0.0", "@hapi/hoek@^9.0.4", "@hapi/hoek@^9.1.0": - version "9.1.0" - resolved "https://registry.yarnpkg.com/@hapi/hoek/-/hoek-9.1.0.tgz#6c9eafc78c1529248f8f4d92b0799a712b6052c6" - integrity sha512-i9YbZPN3QgfighY/1X1Pu118VUz2Fmmhd6b2n0/O8YVgGGfw0FbUYoA97k7FkpGJ+pLCFEDLUmAPPV4D1kpeFw== +"@hapi/hoek@9.x.x", "@hapi/hoek@^9.0.0", "@hapi/hoek@^9.0.4", "@hapi/hoek@^9.1.1": + version "9.1.1" + resolved "https://registry.yarnpkg.com/@hapi/hoek/-/hoek-9.1.1.tgz#9daf5745156fd84b8e9889a2dc721f0c58e894aa" + integrity sha512-CAEbWH7OIur6jEOzaai83jq3FmKmv4PmX1JYfs9IrYcGEVI/lyL1EXJGCj7eFVJ0bg5QR8LMxBlEtA+xKiLpFw== "@hapi/inert@^6.0.3": version "6.0.3"