quarkus icon indicating copy to clipboard operation
quarkus copied to clipboard

Published 20 hours ago verified publisher icon quarkusio

Allow to configure`disableURIValidation` for vertx http

Open ia3andy opened this issue 1 year ago • 8 comments

Description

Currently vertx.disableURIValidation is a hidden flag used in the vertx http recorder: https://github.com/quarkusio/quarkus/blob/main/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/VertxHttpRecorder.java#L117

We now have a use case for it in dev mode (Quinoa): https://github.com/quarkiverse/quarkus-quinoa/issues/591#issuecomment-1860022295

So we should provide a way to configure it from Quarkus config.

Implementation ideas

We could keep backward compat on this with the system props: disabled if Boolean.getBoolean("vertx.disableURIValidation") or quarkus.http.disableURIValidation from config

ia3andy avatar Dec 18 '23 10:12 ia3andy

This issue is related (and could be fixed at once): https://github.com/quarkusio/quarkus/issues/37789

ia3andy avatar Dec 18 '23 10:12 ia3andy

Due to how core VertxHttpRecorder.ACTUAL_ROOT really is, we can't really introduce a Quarkus specific property without either breaking a bunch of things or making the performance of the HTTP layer worse. So I would go with just documenting that flag for Quinoa users

geoand avatar Dec 18 '23 10:12 geoand

disableURIValidation is not exposed for a reason: you want to validate URI. It's an attack vector.

cescoffier avatar Jan 22 '24 07:01 cescoffier

disableURIValidation is not exposed for a reason: you want to validate URI. It's an attack vector.

@cescoffier it's not entirely true

The Java implementation or URI seems to not be following the RFC.

Have a look to what OkHttp did on this topic: https://github.com/square/okhttp/issues/1044

ia3andy avatar Feb 19 '24 07:02 ia3andy

Hum, defining our own URI/URL class and following all the RFCs, that's looks lengthy and risky.

cescoffier avatar Feb 19 '24 09:02 cescoffier

@cescoffier I agree, not sure what the best way forward.

As the current issue is with dev-mode, maybe we could have an option to disable it only in dev-mode?

ia3andy avatar Feb 19 '24 09:02 ia3andy

Hum, defining our own URI/URL class and following all the RFCs, that's looks lengthy and risky.

That's what I said also, specifically that I personally would not develop or maintain such a thing :)

geoand avatar Feb 19 '24 09:02 geoand

@ia3andy LEt me think a bit about it. We need to be absolutely sure we do not open an attack vector. Dev mode in a networked environment can be problematic (not sure about remote dev mode).

cescoffier avatar Feb 19 '24 09:02 cescoffier

Too risky.

cescoffier avatar Mar 11 '24 07:03 cescoffier