fix: Security Fixes for RESTful APIs

[divyaruhil]

Fix for Issue :- #41128

[sre-ci-robot]

Welcome @divyaruhil! It looks like this is your first PR to milvus-io/milvus 🎉

[mergify]

@divyaruhil Thanks for your contribution. Please submit with DCO, see the contributing guide https://github.com/milvus-io/milvus/blob/master/CONTRIBUTING.md#developer-certificate-of-origin-dco.

[mergify]

@divyaruhil

Invalid PR Title Format Detected

Your PR submission does not adhere to our required standards. To ensure clarity and consistency, please meet the following criteria:

1. Title Format: The PR title must begin with one of these prefixes:

• feat: for introducing a new feature.
• fix: for bug fixes.
• enhance: for improvements to existing functionality.
• test: for add tests to existing functionality.
• doc: for modifying documentation.
• auto: for the pull request from bot.

2. Description Requirement: The PR must include a non-empty description, detailing the changes and their impact.

Required Title Structure:

[Type]: [Description of the PR]

Where Type is one of feat, fix, enhance, test or doc.

Example:

enhance: improve search performance significantly 

Please review and update your PR to comply with these guidelines.

[codecov]

Codecov Report

Attention: Patch coverage is 78.94737% with 8 lines in your changes missing coverage. Please review.

Project coverage is 80.57%. Comparing base (1e65e32) to head (65c145e).
Report is 6 commits behind head on master.

Files with missing lines	Patch %	Lines
internal/distributed/proxy/httpserver/utils.go	27.27%	7 Missing and 1 partial ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##           master   #41136       +/-   ##
===========================================
+ Coverage   73.93%   80.57%    +6.64%     
===========================================
  Files         330     1509     +1179     
  Lines       30068   213372   +183304     
===========================================
+ Hits        22230   171929   +149699     
- Misses       7838    35267    +27429     
- Partials        0     6176     +6176     

Components	Coverage Δ
Client	79.38% <ø> (∅)
Core	73.89% <ø> (-0.04%)	⬇️
Go	81.91% <78.94%> (∅)

Files with missing lines	Coverage Δ
pkg/util/paramtable/http_param.go	100.00% <100.00%> (ø)
internal/distributed/proxy/httpserver/utils.go	83.96% <27.27%> (ø)

... and 1179 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[divyaruhil]

Hey @cydrain @czs007 , Whenever your schedule allows, I'd be grateful for your review.

[czs007]

@divyaruhil thanks.

There appears to be a minor issue with the code formatting. Please refer to the information provided below:
diff internal/distributed/proxy/httpserver/utils.go.orig internal/distributed/proxy/httpserver/utils.go
--- internal/distributed/proxy/httpserver/utils.go.orig
+++ internal/distributed/proxy/httpserver/utils.go
@@ -1749,7 +1749,7 @@
c.Writer.Header().Set("Access-Control-Allow-Headers", "Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization, accept, origin, Cache-Control, X-Requested-With")
c.Writer.Header().Set("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE, OPTIONS, PATCH")
c.Writer.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains") // Ensures HTTPS usage

• c.Writer.Header().Set("X-Content-Type-Options", "nosniff") // Prevents MIME sniffing

• c.Writer.Header().Set("X-Content-Type-Options", "nosniff") // Prevents MIME sniffing
  if c.Request.Method == "OPTIONS" {
  c.AbortWithStatus(204)
  return
  make: *** [Makefile:156: fmt] Error 1

Some files have not been gofmt'd. To fix these errors,
copy and paste the following:
gofmt -s -w internal/distributed/proxy/httpserver/utils.go

[czs007]

It is recommended that Strict-Transport-Security, max-age, and includeSubDomains be made configurable. This way, open source users can modify them as needed.

[divyaruhil]

Thankyou @czs007 , for the review comments, i'll make the required changes.

[mergify]

@divyaruhil Thanks for your contribution. Please submit with DCO, see the contributing guide https://github.com/milvus-io/milvus/blob/master/CONTRIBUTING.md#developer-certificate-of-origin-dco.

[divyaruhil]

Hi @czs007, I've made the updates based on your review comments. Please let me know if there's anything else you'd like me to address.

[mergify]

@divyaruhil E2e jenkins job failed, comment /run-cpu-e2e can trigger the job again.

[mergify]

@divyaruhil go-sdk check failed, comment rerun go-sdk can trigger the job again.

[mergify]

@divyaruhil cpp-unit-test check failed, comment rerun cpp-unit-test can trigger the job again.

[mergify]

@divyaruhil E2e jenkins job failed, comment /run-cpu-e2e can trigger the job again.

[mergify]

@divyaruhil go-sdk check failed, comment rerun go-sdk can trigger the job again.

[mergify]

@divyaruhil cpp-unit-test check failed, comment rerun cpp-unit-test can trigger the job again.

[mergify]

@divyaruhil cpp-unit-test check failed, comment rerun cpp-unit-test can trigger the job again.

[divyaruhil]

Hey @czs007, When you have a moment, could you please take a look and review this? I'd really appreciate your feedback.

[sre-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: czs007, divyaruhil

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• configs/OWNERS [czs007]
• internal/distributed/OWNERS [czs007]
• pkg/util/OWNERS [czs007]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[czs007]

/lgtm

[divyaruhil]

Hi @czs007, thank you for approving the PR and for your help! It looks like the integration test is failing, but it doesn’t seem related to our changes. Would it be possible to re-trigger the test?

[divyaruhil]

hi @cydrain , can u please have a look at this PR , whenever your time allows and approve it for merging , also Integration test seems to be failing but that's not related to any of the changes we made , is there a way we can re-trigger it ?

[divyaruhil]

hi @czs007 , Please let me know if anything else is required from my end .

[czs007]

/lgtm