
Limit query parameters to OpenAPI defined set in vertx-web-openapi

Open · Stwissel opened this issue 4 years ago · 1 comment

Describe the feature

When using OpenAPI3, one can set a parameter in the schema:

     additionalProperties: false

Works like a charm, but only for body content. Additional query, cookie, or header parameters are passed through to the handler code (path parameters aren't an issue, since unknown parameters are invalid URLs anyway). I'd like to have a possibility (RouterBuilderOption?) to check for undefined query parameters and either filter them or 400 them. This option should be configurable per parameter type.

Use cases

Reduce a potential attack surface when operations are run against all parameters. Enforce precise requests, rejecting "probing".

Contribution

I suspect it is an extension to the Webvalidation handler (?) Happy to help once I know where.

Stwissel avatar Oct 25 '21 12:10 Stwissel

As a hack, when using vert.x-web-openapi, you can

  • Get the query params in the request
  • Get the query params defined by the OpenAPI spec and from the ValidationHandler - this will only have the query params and values defined in the spec

and then filter out all query params in the request that are not defined in the OpenAPI spec.

    import java.util.Set;
    import java.util.stream.Collectors;
    import io.vertx.ext.web.validation.RequestParameters;
    import io.vertx.ext.web.validation.ValidationHandler;

    // Runs inside a handler mounted after the ValidationHandler; `context` is the RoutingContext.
    // Names of every query parameter actually sent by the client
    Set<String> queryParamsInRequest = context.queryParams().names();

    // https://vertx.io/docs/vertx-web-validation/java/#_using_the_parsed_parameters_and_body
    RequestParameters paramsFromOasValidation = context.get(ValidationHandler.REQUEST_CONTEXT_KEY);

    // RequestParameters.toJson() is a JSON object containing headers, query params and paths for all
    // entities that are defined in the OpenAPI spec
    Set<String> allParamDefinedInOas =
        paramsFromOasValidation.toJson().getJsonObject("query").fieldNames();

    // Anything the client sent that the spec does not declare for this operation
    Set<String> badQueryParams = queryParamsInRequest.stream()
        .filter(p -> !allParamDefinedInOas.contains(p))
        .collect(Collectors.toSet());

    if (!badQueryParams.isEmpty()) {
      context.response().setStatusCode(400).end("Invalid query params - " + badQueryParams);
    } else {
      context.end();
    }

ThorodanBrom avatar Jan 17 '24 07:01 ThorodanBrom
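The same check packaged as a reusable handler that either rejects (400) or strips undeclared query parameters, as the issue asked for. This is an added example, not code from vertx-web or from either commenter; the class and its Mode enum are hypothetical, and it assumes the Vert.x 4 vertx-web-validation API (RequestParameters.queryParametersNames()).

```java
import io.vertx.core.Handler;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.validation.RequestParameters;
import io.vertx.ext.web.validation.ValidationHandler;
import java.util.ArrayList;
import java.util.Set;
import java.util.TreeSet;

// Hypothetical handler, not part of vertx-web. Mount it AFTER the operation's
// ValidationHandler so that RequestParameters is already in the RoutingContext.
public final class UndeclaredQueryParamsHandler implements Handler<RoutingContext> {
  public enum Mode { REJECT, STRIP }   // 400 the request, or drop the extra params
  private final Mode mode;
  public UndeclaredQueryParamsHandler(Mode mode) { this.mode = mode; }

  // Names present on the wire but not declared for this operation in the spec.
  // TreeSet keeps the error body deterministic for logging and tests.
  static Set<String> undeclared(Set<String> onWire, Set<String> declared) {
    Set<String> bad = new TreeSet<>(onWire);
    bad.removeAll(declared);
    return bad;
  }

  @Override
  public void handle(RoutingContext ctx) {
    RequestParameters declared = ctx.get(ValidationHandler.REQUEST_CONTEXT_KEY);
    if (declared == null) {   // validation did not run: a wiring error, not a client error
      ctx.fail(500);
      return;
    }
    Set<String> bad = undeclared(ctx.queryParams().names(), declared.queryParametersNames());
    if (bad.isEmpty()) {
      ctx.next();
    } else if (mode == Mode.STRIP) {
      // Removes them from ctx.queryParams() only; the raw HttpServerRequest is untouched.
      bad.forEach(ctx.queryParams()::remove);
      ctx.next();
    } else {
      ctx.response().setStatusCode(400)
        .putHeader("content-type", "application/json")
        .end(new JsonObject()
          .put("error", "undeclared query parameters")
          .put("parameters", new JsonArray(new ArrayList<>(bad)))
          .encode());
    }
  }
}
```

Register it with routerBuilder.operation("<operationId>").handler(new UndeclaredQueryParamsHandler(Mode.REJECT)) ahead of the business handler; header parameters are deliberately left out, since every request carries standard headers (Host, Accept, ...) that no spec declares, so the same check there needs an explicit allow-list.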

Hi, there is a completely new rebuild of the OpenAPI Router [1], which hopefully solves the problem. Please check whether this works for you.

I am closing this issue now, as the ticket refers to a version of OpenAPI Router that is no longer supported. If the bug still occurs with the new OpenAPI router version, I would be very happy if you would open a new issue.

[1] https://vertx.io/docs/vertx-web-openapi-router/java/

pk-work avatar Apr 26 '24 09:04 pk-work