authorEd Tanous <edtanous@google.com>2022-03-24 20:25:03 +0300
committerEd Tanous <ed@tanous.net>2022-04-05 21:50:46 +0300
commitfa0b217fc0d4ec246d79055c463c1e7f573fd4c8 (patch)
treebc62e35b02f4d6e705d8821763fe84c5145707d4
parent456cd875f3c56b45605d8a017e91d810876a035c (diff)
downloadbmcweb-fa0b217fc0d4ec246d79055c463c1e7f573fd4c8.tar.xz
Add new option for query parameters
Query parameters in their initial incarnation will likely have security consequences. For example, requesting ServiceRoot with expand depth 999 would likely run most BMCs out of memory. This isn't a good reason to keep those features out of master, as there are a number of services (webui-vue for example) that would like to test against them, and identify the weaknesses. The goal with this option is to allow users to test, so we can determine things like the max depth we should support, which query params have security consequences and how to mitigate them, and other testing. The end goal would be for this option to be enabled by default. Whether it is removed entirely would depend on the impacts of supporting query params and is something we will have to discuss at a later date. Tested: Code compiles. Use of this option is added in next patchset in series. Signed-off-by: Ed Tanous <edtanous@google.com> Change-Id: I93ff31c938e4be2d92eb07b59a3288f8bacde2ac
-rw-r--r--bmcweb_config.h.in3
-rw-r--r--meson.build2
-rw-r--r--meson_options.txt1
3 files changed, 6 insertions, 0 deletions
diff --git a/bmcweb_config.h.in b/bmcweb_config.h.in
index 2e880fc68e..a8e4ccbc91 100644
--- a/bmcweb_config.h.in
+++ b/bmcweb_config.h.in
@@ -7,7 +7,10 @@
constexpr const int bmcwebInsecureDisableXssPrevention =
@BMCWEB_INSECURE_DISABLE_XSS_PREVENTION@;
+constexpr const bool bmcwebInsecureEnableQueryParams = @BMCWEB_INSECURE_ENABLE_QUERY_PARAMS@ == 1;
+
constexpr const size_t bmcwebHttpReqBodyLimitMb = @BMCWEB_HTTP_REQ_BODY_LIMIT_MB@;
constexpr const char* mesonInstallPrefix = "@MESON_INSTALL_PREFIX@";
+
// clang-format on
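Review bot: The new constant `bmcwebInsecureEnableQueryParams` and its macro `BMCWEB_INSECURE_ENABLE_QUERY_PARAMS` drop the "redfish" that the meson option `insecure-enable-redfish-query` (meson_options.txt hunk) and the meson variable `enable_redfish_query` (meson.build hunk) carry, so a grep for one spelling does not find the other; aligning them, e.g. `constexpr const bool bmcwebInsecureEnableRedfishQuery = @BMCWEB_INSECURE_ENABLE_REDFISH_QUERY@ == 1;` together with the matching key in the `conf_data.set10` call, keeps the option traceable from build flag to code. Readers of the generated header never see the option description, so a one-line comment above the constant would help: `// Experimental, build-time only: gates Redfish query parameter handling (see meson option insecure-enable-redfish-query).` Note also that this constant is a `bool` via `== 1` while the neighbouring `bmcwebInsecureDisableXssPrevention` remains an `int` from the same `set10` mechanism; the `bool` form is the clearer one and worth propagating to the sibling in a follow-up so call sites compare the same way.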
diff --git a/meson.build b/meson.build
index 8e6e83a068..cd90a0cb80 100644
--- a/meson.build
+++ b/meson.build
@@ -312,6 +312,8 @@ conf_data = configuration_data()
conf_data.set('BMCWEB_HTTP_REQ_BODY_LIMIT_MB', get_option('http-body-limit'))
xss_enabled = get_option('insecure-disable-xss')
conf_data.set10('BMCWEB_INSECURE_DISABLE_XSS_PREVENTION', xss_enabled.enabled())
+enable_redfish_query = get_option('insecure-enable-redfish-query')
+conf_data.set10('BMCWEB_INSECURE_ENABLE_QUERY_PARAMS', enable_redfish_query.enabled())
conf_data.set('MESON_INSTALL_PREFIX', get_option('prefix'))
conf_data.set('HTTPS_PORT', get_option('https_port'))
configure_file(input: 'bmcweb_config.h.in',
diff --git a/meson_options.txt b/meson_options.txt
index 46616585bb..5b4419d0e7 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -44,3 +44,4 @@ option ('insecure-disable-auth', type : 'feature', value : 'disabled', descripti
option ('insecure-disable-xss', type : 'feature', value : 'disabled', description : 'Disable XSS preventions')
option ('insecure-tftp-update', type : 'feature', value : 'disabled', description : '''Enable TFTP based firmware update transactions through Redfish UpdateService.SimpleUpdate.''')
option ('insecure-push-style-notification',type : 'feature', value : 'disabled', description : 'Enable HTTP push style eventing feature')
+option ('insecure-enable-redfish-query', type : 'feature', value : 'disabled', description : 'Enables Redfish query parameters. This feature is experimental, and has not been tested against the full limits of user-facing behavior. It is not recommended to enable on production systems at this time.')
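Review bot: The description on the added option line says the feature is experimental but not what the risk is, while the commit message names the concrete failure mode (unbounded expand depth can exhaust BMC memory); integrators who read only `meson_options.txt` should see that, for example by ending the description with `Query handling is not yet bounded (for example expand depth), so enabling it may allow a client to exhaust BMC memory; do not enable on production systems.` The default `value : 'disabled'` is correct and consistent with the other `insecure-*` options above it, which is the right posture for a feature the commit itself describes as a denial-of-service risk.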