Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / 1aa0c2b84be62a20d8c37a11ad877e0a8a48c69d^! / . / redfish-core / lib / task.hpp
commit1aa0c2b84be62a20d8c37a11ad877e0a8a48c69d[log] [tgz]
authorEd Tanous <edtanous@google.com>Tue Feb 08 12:24:30 2022 +0100
committerEd Tanous <ed@tanous.net>Fri Feb 17 17:01:21 2023 +0000
tree60a3f45204bcc8947f25db6e64cc3cd5d01f0648
parent6177a301de5cefdb4a31601ec2d899f4309fc6c2 [diff] [blame]
Add option for validating content-type header

For systems implementing to the OWASP security guidelines[1] (of which all
should ideally) we should be checking the content-type header all times
that we parse a request as JSON.

This commit adds an option for parsing content-type, and sets a default
of "must get content-type".  Ideally this would not be a breaking
change, but given the number of guides and scripts that omit the content
type, it seems worthwhile to add a trapdoor, such that people can opt
into their own model on how they would like to see this checking work.

Tested:
```
curl --insecure -H "Content-Type: application/json" -X POST -D headers.txt https://${bmc}/redfish/v1/SessionService/Sessions -d    '{"UserName":"root", "Password":"0penBmc"}'
```

Succeeds.

Removing Content-Type argument causes bmc to return
Base.1.13.0.UnrecognizedRequestBody.

[1] cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html

Change-Id: Iaa47dd563b40036ff2fc2cacb70d941fd8853038
Signed-off-by: Ed Tanous <edtanous@google.com>

diff --git a/redfish-core/lib/task.hpp b/redfish-core/lib/task.hpp
index cfe6c3e..950eac3 100644
--- a/redfish-core/lib/task.hpp
+++ b/redfish-core/lib/task.hpp

@@ -19,6 +19,7 @@
 #include "dbus_utility.hpp"
 #include "event_service_manager.hpp"
 #include "health.hpp"
+#include "http/parsing.hpp"
 #include "query.hpp"
 #include "registries/privilege_registry.hpp"
 #include "task_messages.hpp"
@@ -47,8 +48,7 @@
 {
     explicit Payload(const crow::Request& req) :
         targetUri(req.url), httpOperation(req.methodString()),
-        httpHeaders(nlohmann::json::array()),
-        jsonBody(nlohmann::json::parse(req.body, nullptr, false))
+        httpHeaders(nlohmann::json::array())
     {
         using field_ns = boost::beast::http::field;
         constexpr const std::array<boost::beast::http::field, 7>
@@ -57,9 +57,10 @@
                                field_ns::connection, field_ns::content_length,
                                field_ns::upgrade};
 
-        if (jsonBody.is_discarded())
+        JsonParseResult ret = parseRequestAsJson(req, jsonBody);
+        if (ret != JsonParseResult::Success)
         {
-            jsonBody = nullptr;
+            return;
         }
 
         for (const auto& field : req.fields)