Warn against potentially risky hostPrefixes #779

Merged
merged 1 commit into from
Apr 26, 2021


JordonPhillips
Contributor

This updates the documentation and adds a warning for the case where a hostPrefix contains a host label but does not end in a period. This is potentially risky since it could change the domain to something that the modeler doesn't control. For example, a host label of {foo} combined with a configured endpoint example.com could result in a resolved host of mistakeexample.com when the modeler wanted it to resolve to mistake.example.com. If the modeler doesn't own EVERY domain suffixed by the configured endpoint then it is possible that customer data will be exposed.

Resolves #778

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@mullermp
Contributor

Thanks for addressing the issue. The hostLabel documentation has an example `@endpoint(hostPrefix: "{foo}.data")`. Could this be changed too?

@JordonPhillips
Contributor Author

Whoops, that was actually a bug - the other example on the page and the json version of that same example all end in periods

This updates the documentation and adds a warning for the case where
a `hostPrefix` contains a host label but does not end in a period.
This is potentially risky since it could change the domain to
something that the modeler doesn't control. For example, a host
label of `{foo}` combined with a configured endpoint `example.com`
could result in a resolved host of `mistakeexample.com` when the
modeler wanted it to resolve to `mistake.example.com`. If the modeler
doesn't own EVERY domain suffixed by the configured endpoint then
it is possible that customer data will be exposed.
JordonPhillips merged commit 0d01385 into smithy-lang:main on Apr 26, 2021
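
The risk discussed in this thread, as an added example that is not part of the pull request or Smithy's own validator: it resolves several `hostPrefix` values against the endpoint `example.com` and checks whether the result is still a subdomain of that endpoint. The function names, the label regex and the sample prefixes other than `{foo}` and `{foo}.data` are assumptions made for illustration.

```python
import re

# Assumed placeholder syntax for this example: {memberName}
LABEL = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")


def is_risky_host_prefix(host_prefix: str) -> bool:
    """The condition the PR warns about: has a host label, no trailing period."""
    return bool(LABEL.search(host_prefix)) and not host_prefix.endswith(".")


def resolve_host(host_prefix: str, labels: dict, endpoint: str) -> str:
    """Substitute label values, then prepend the prefix to the endpoint."""
    expanded = LABEL.sub(lambda m: labels[m.group(1)], host_prefix)
    return expanded + endpoint


def stays_under_endpoint(host: str, endpoint: str) -> bool:
    """True only when host is the endpoint or a dot-separated subdomain of it."""
    return host == endpoint or host.endswith("." + endpoint)


def audit(prefixes, labels, endpoint):
    """Return (prefix, warned, resolved_host, under_endpoint) for each prefix."""
    rows = []
    for prefix in prefixes:
        host = resolve_host(prefix, labels, endpoint)
        rows.append((prefix, is_risky_host_prefix(prefix), host,
                     stays_under_endpoint(host, endpoint)))
    return rows


if __name__ == "__main__":
    # Constructed sample input: label value and endpoint from the PR description.
    samples = ["{foo}", "{foo}.", "{foo}.data", "{foo}.data."]
    for row in audit(samples, {"foo": "mistake"}, "example.com"):
        print(row)
```

Every prefix that triggers the warning resolves to a host outside `example.com`, including the `{foo}.data` documentation example raised in the review comment.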
Successfully merging this pull request may close these issues.

hostPrefix property in endpoint trait should validate prefix ends in dot (.)