From 1aa0c2b84be62a20d8c37a11ad877e0a8a48c69d Mon Sep 17 00:00:00 2001 From: Ed Tanous Date: Tue, 8 Feb 2022 12:24:30 +0100 Subject: Add option for validating content-type header For systems implementing to the OWASP security guidelines[1] (of which all should ideally) we should be checking the content-type header all times that we parse a request as JSON. This commit adds an option for parsing content-type, and sets a default of "must get content-type". Ideally this would not be a breaking change, but given the number of guides and scripts that omit the content type, it seems worthwhile to add a trapdoor, such that people can opt into their own model on how they would like to see this checking work. Tested: ``` curl --insecure -H "Content-Type: application/json" -X POST -D headers.txt https://${bmc}/redfish/v1/SessionService/Sessions -d '{"UserName":"root", "Password":"0penBmc"}' ``` Succeeds. Removing Content-Type argument causes bmc to return Base.1.13.0.UnrecognizedRequestBody. [1] cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html Change-Id: Iaa47dd563b40036ff2fc2cacb70d941fd8853038 Signed-off-by: Ed Tanous --- meson_options.txt | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'meson_options.txt') diff --git a/meson_options.txt b/meson_options.txt index ecc7aebc22..52c3e6cefb 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -292,6 +292,17 @@ option( Redfish UpdateService. SimpleUpdate.''' ) +option( + 'insecure-ignore-content-type', + type: 'feature', + value: 'enabled', + description: '''Allows parsing PUT/POST/PATCH content as JSON regardless + of the presence of the content-type header. Enabling this + conflicts with the input parsing guidelines, but may be + required to support old clients that may not set the + Content-Type header on payloads.''' +) + option( 'insecure-push-style-notification', type: 'feature', -- cgit v1.2.3
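Review bot: The default `value: 'enabled'` on the new `insecure-ignore-content-type` option switches the insecure behaviour on by default, which contradicts the commit message's stated default of "must get content-type" and the tested result that omitting Content-Type yields UnrecognizedRequestBody; unless the consuming code inverts the feature's meaning, the line should read `value: 'disabled',`. The description should also state what the check accepts once it is active, since clients routinely send `application/json; charset=utf-8` and media-type comparison is case-insensitive, e.g. append "When disabled, requests whose Content-Type media type is not application/json are rejected with UnrecognizedRequestBody." The code that performs the check is not in this view (the diff is limited to meson_options.txt), so the handling of media-type parameters and case cannot be confirmed here.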