dave2wave commented on code in PR #799:
URL:
https://github.com/apache/tooling-trusted-releases/pull/799#discussion_r2875228529
##########
atr/server.py:
##########
@@ -525,6 +525,26 @@ def _app_setup_security_headers(app: base.QuartApp) ->
None:
]
)
+ @app.before_request
+ async def validate_sec_fetch_headers() -> None:
+ if quart.request.path.startswith("/api") and (
+ not (quart.request.path.startswith("/api/docs") or
quart.request.path.startswith("/api/openapi.json"))
+ ):
+ sec_fetch_dest = quart.request.headers.get("Sec-Fetch-Dest", "")
+ if sec_fetch_dest in ("document", "embed", "object", "frame",
"iframe"):
+ raise base.ASFQuartException(
+ "Forbibben: browser navigation to API endpoints is not
permitted", errorcode=403
+ )
+
+ if quart.request.method in ("POST", "PUT", "DELETE", "PATCH"):
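Review bot: the `if quart.request.method in ("POST", "PUT", "DELETE", "PATCH"):` branch at the end of the hunk is the most likely cause of the end-to-end failures, because `Sec-Fetch-*` headers are only set by browsers; the test client, curl and other API consumers send none of them, so whatever that branch checks (its body is not visible here) will reject legitimate non-browser calls if it treats a missing `Sec-Fetch-Site` as a violation. The usual fetch-metadata resource-isolation pattern is to skip the check when the header is absent (as the first block already does with `headers.get("Sec-Fetch-Dest", "")`) and only reject when a browser explicitly reports a cross-site request, leaving SameSite cookies or CSRF tokens as the defence for clients that never send the header. Two smaller points: the 403 message spells "Forbibben" and should read "Forbidden", and `path.startswith("/api")` also matches unrelated paths such as `/apix/...`; `startswith("/api/")` (or an exact match on `/api`) expresses the intended scope.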
Review Comment:
With this if clause the end-to-end tests fail. I can't retest easily because
I am unable to start my local with this branch. There is some issue with DB
migration.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]