
[BUG] <Adjust the default execution order of plugins based on performance and security.>

Open lianjunwei opened this issue 1 year ago • 0 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Current Behavior

[image: current plugin execution order]

In all current versions (including master), the plugin execution order runs mock and cache before sign (mock completes first, then cache, then sign). For security reasons, authentication plugins should always be the earliest to execute, so the current execution sequence is a security bug. For example, I have a URL that requires signature authentication; it was authorized to Application A and cached after execution. During the cache validity period, other unauthorized applications can also access this URL (of course, if request parameters are involved, they must also be consistent), which is clearly a security vulnerability.

Expected Behavior

The execution order should be adjusted to balance security and performance, so that the plugins with an authentication role are executed earliest (WAF plugins have the highest priority), followed by cache, mock, and finally the other types.

[image: proposed plugin execution order]

If the adjustment shown in the above figure is reasonable, I am willing to submit a PR.

Steps To Reproduce

No response

Environment

ShenYu version(s): all versions.

Debug logs

No response

Anything else?

No response

lianjunwei, Jul 30 '23 01:07
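A toy model of the ordering problem this issue describes, added here as an illustration and not ShenYu's own plugin code: the `Gateway` class, the `Request` fields and the plugin names are assumptions, and the `valid_signatures` table stands in for a real signature check. It shows that with the current order a cached response is served to an unsigned replay of the same URL and parameters, while with the proposed order the sign plugin rejects the replay before the cache is consulted.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    url: str
    app_id: str
    signature: str
    params: tuple = ()   # sorted (key, value) pairs; part of the cache key

class Gateway:
    """Runs plugins in `order`; a plugin that returns a response short-circuits the chain."""

    def __init__(self, order, valid_signatures, blocked_apps=(), mocks=None):
        self.order = list(order)
        self.valid_signatures = dict(valid_signatures)  # app_id -> expected signature (stand-in for a real check)
        self.blocked_apps = set(blocked_apps)
        self.mocks = dict(mocks or {})                    # url -> canned response
        self.cache = {}                                   # (url, params) -> stored upstream response
        self.upstream_calls = 0

    def handle(self, req):
        for name in self.order:
            resp = getattr(self, "plugin_" + name)(req)
            if resp is not None:
                return resp
        body = self.upstream(req)
        if "cache" in self.order:               # the cache plugin stores the response on the way back
            self.cache[(req.url, req.params)] = body
        return body

    def plugin_waf(self, req):
        return "403 blocked by waf" if req.app_id in self.blocked_apps else None

    def plugin_sign(self, req):
        return None if self.valid_signatures.get(req.app_id) == req.signature else "401 bad signature"

    def plugin_cache(self, req):
        return self.cache.get((req.url, req.params))   # a hit skips every later plugin, sign included

    def plugin_mock(self, req):
        return self.mocks.get(req.url)

    def upstream(self, req):
        self.upstream_calls += 1
        return f"200 secret data for {req.url}"

CURRENT_ORDER = ["mock", "cache", "sign"]         # order the issue describes
PROPOSED_ORDER = ["waf", "sign", "cache", "mock"]  # order the issue proposes

def replay_after_cache(order, replay_params=()):
    """App A makes a correctly signed request; app B then replays the URL with a forged signature."""
    gw = Gateway(order, valid_signatures={"app-a": "sig-a"})   # constructed sample credentials
    first = gw.handle(Request("/api/secret", "app-a", "sig-a"))
    second = gw.handle(Request("/api/secret", "app-b", "forged", replay_params))
    return first, second
```

Passing different `replay_params` shows the caveat in the report: a replay whose parameters differ misses the cache and is rejected by sign even under the current order.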