Update HttpxBroker to protocol 0.3 query semantics#7
Merged
Conversation
The sample broker still refused ALL queries (the 0.2.3 interim defense), now over-strict: since 0.3 the query is folded into the action fingerprint, so it is part of the authorised action. The broker now forwards the fingerprint-bound query (fingerprinted_url already includes it) and refuses only a URL #fragment (has_fragment) — matching delego's shipped NullBroker and HTTPProxyBroker. Accepts the optional §9 token kwarg (in-process broker trusts the decision; a separated gateway would verify). requirements: delego >= 0.3.0. New tests/test_broker.py: query forwarded, fragment refused, clean sent, token accepted.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The sample app's
HttpxBrokerstill refused all query strings — the 0.2.3 interim confused-deputy defense. As of delego 0.3 that's over-strict: the query is folded into theaction_fingerprint, so/orders?to=meand/orders?to=attackerare different authorised actions and the broker should forward the query of the one it was given.Changes
app/broker.py: refuse onhas_fragment(nothas_query); forward viafingerprinted_url, which since 0.3 includes the query. Matches delego's shippedNullBroker/HTTPProxyBroker. Accepts the optionaltoken=kwarg (the §9 profile; an in-process broker trusts the decision and doesn't verify — a separated gateway would, viadelego.verify_token).app/main.py: theBrokerRefusalhandler comment now says #fragment, not query string.requirements.txt:delego>=0.3.0(needshas_fragment+ the query-bearingfingerprinted_url).tests/test_broker.py(new): query forwarded, fragment refused (nothing sent), clean action sent, token kwarg accepted — httpx client stubbed, no network.Verification
pytest -qgreen (11 tests: 4 new + 7 existing) against the published delego 0.3.3.