[HTTP] Only allow setting server.restrictInternalApis on serverless (#162475)

2025-04-23 09:19:04 -04:00 · 2023-07-25 17:56:56 +02:00 · 2023-07-25 17:56:56 +02:00 · 492cfdfe3a
commit 492cfdfe3a
parent 0f7129d678
3 changed files with 38 additions and 3 deletions
--- a/packages/core/http/core-http-server-internal/src/snapshots/http_config.test.ts.snap
+++ b/packages/core/http/core-http-server-internal/src/snapshots/http_config.test.ts.snap
@ -77,7 +77,6 @@ Object {
    "allowFromAnyIp": false,
    "ipAllowlist": Array [],
  },
-  "restrictInternalApis": false,
  "rewriteBasePath": false,
  "securityResponseHeaders": Object {
    "crossOriginOpenerPolicy": "same-origin",
--- a/packages/core/http/core-http-server-internal/src/http_config.test.ts
+++ b/packages/core/http/core-http-server-internal/src/http_config.test.ts
@ -509,6 +509,27 @@ describe('versioned', () => {
  });
 });

+describe('restrictInternalApis', () => {
+  it('is only allowed on serverless', () => {
+    expect(() => config.schema.validate({ restrictInternalApis: false }, {})).toThrow(
+      /a value wasn't expected/
+    );
+    expect(() => config.schema.validate({ restrictInternalApis: true }, {})).toThrow(
+      /a value wasn't expected/
+    );
+    expect(
+      config.schema.validate({ restrictInternalApis: true }, { serverless: true })
+    ).toMatchObject({
+      restrictInternalApis: true,
+    });
+  });
+  it('defaults to false', () => {
+    expect(
+      config.schema.validate({ restrictInternalApis: undefined }, { serverless: true })
+    ).toMatchObject({ restrictInternalApis: false });
+  });
+});
+
 describe('HttpConfig', () => {
  it('converts customResponseHeaders to strings or arrays of strings', () => {
    const httpSchema = config.schema;
@ -535,4 +556,11 @@ describe('HttpConfig', () => {
      nested: '{"foo":1,"bar":"dolly"}',
    });
  });
+
+  it('defaults restrictInternalApis to false', () => {
+    const rawConfig = config.schema.validate({}, {});
+    const rawCspConfig = cspConfig.schema.validate({});
+    const httpConfig = new HttpConfig(rawConfig, rawCspConfig, ExternalUrlConfig.DEFAULT);
+    expect(httpConfig.restrictInternalApis).toBe(false);
+  });
 });
--- a/packages/core/http/core-http-server-internal/src/http_config.ts
+++ b/packages/core/http/core-http-server-internal/src/http_config.ts
@ -167,7 +167,14 @@ const configSchema = schema.object(
        },
      }
    ),
-    restrictInternalApis: schema.boolean({ defaultValue: false }), // allow access to internal routes by default to prevent breaking changes in current offerings
+    // allow access to internal routes by default to prevent breaking changes in current offerings
+    restrictInternalApis: schema.conditional(
+      schema.contextRef('serverless'),
+      true,
+      schema.boolean({ defaultValue: false }),
+      schema.never()
+    ),
+
    versioned: schema.object({
      /**
       * Which handler resolution algo to use: "newest" or "oldest".
@ -316,7 +323,8 @@ export class HttpConfig implements IHttpConfig {
    this.requestId = rawHttpConfig.requestId;
    this.shutdownTimeout = rawHttpConfig.shutdownTimeout;

-    this.restrictInternalApis = rawHttpConfig.restrictInternalApis;
+    // default to `false` to prevent breaking changes in current offerings
+    this.restrictInternalApis = rawHttpConfig.restrictInternalApis ?? false;
    this.eluMonitor = rawHttpConfig.eluMonitor;
    this.versioned = rawHttpConfig.versioned;
  }