Merge pull request #449 from yetanalytics/ban-admin-prefix

[SQL-274] Prevent user from setting `LRSQL_URL_PREFIX` to `/admin`
yetanalytics · Jan 14, 2025 · 27e4ac4 · 27e4ac4
2 parents 5dde8e7 + 99d02f1
commit 27e4ac4
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/doc/env_vars.md b/doc/env_vars.md
@@ -123,7 +123,7 @@ _NOTE:_ `LRSQL_STMT_RETRY_LIMIT` and `LRSQL_STMT_RETRY_BUDGET` are used to mitig
 | `LRSQL_HTTP_HOST`                 | `httpHost`               | The host that the webserver will run on.                                                                                                                                                                                                               | `0.0.0.0` |
 | `LRSQL_HTTP_PORT`                 | `httpPort`               | The HTTP port that the webserver will be open on.                                                                                                                                                                                                      | `8080`    |
 | `LRSQL_SSL_PORT`                  | `sslPort`                | The HTTPS port that the webserver will be open on.                                                                                                                                                                                                     | `8443`    |
-| `LRSQL_URL_PREFIX`                | `urlPrefix`              | The prefix of the webserver URL path, e.g. the prefix in `http://0.0.0.0:8080/xapi` is `/xapi`. Used when constructing the `more` value for multi-statement queries. *(Note: Only applies to LRS xapi endpoints, not admin/ui endpoints)*              | `/xapi`   |
+| `LRSQL_URL_PREFIX`                | `urlPrefix`              | The prefix of the webserver URL path, e.g. the prefix in `http://0.0.0.0:8080/xapi` is `/xapi`. Used when constructing the `more` value for multi-statement queries. Cannot start with `/admin`. *(Note: Only applies to LRS xapi endpoints, not admin/ui endpoints)*              | `/xapi`   |
 | `LRSQL_PROXY_PATH`                | `proxyPath`              | This path modification is exclusively for use with a proxy, such as apache or nginx or a load balancer, where a path is added to prefix the entire application (such as `https://www.mysystem.com/mylrs/xapi/statements`). This does not actually change the routes of the application, it informs the admin frontend where to look for the server endpoints based on the proxied setup, and thus must be used in conjunction with a third party proxy. If used, the value must start with a leading `/` but not end with one (e.g. `/mylrs` is valid, as is `/mylrs/b` but `/mylrs/` is not). Use with caution. | Not Set |
 
 #### TLS/SSL Certificate

diff --git a/src/main/lrsql/spec/config.clj b/src/main/lrsql/spec/config.clj
@@ -1,5 +1,6 @@
 (ns lrsql.spec.config
   (:require [clojure.spec.alpha :as s]
+            [clojure.string :as cstr]
             [xapi-schema.spec :as xs]
             [lrsql.spec.util :as u]))
 
@@ -107,6 +108,14 @@
            [{:keys [pool-validation-timeout pool-connection-timeout]}]
            (< pool-validation-timeout pool-connection-timeout))))
 
+(defn- prefix? [s]
+  (cstr/starts-with? s "/"))
+
+(defn- not-admin-prefix? [s]
+  (not (cstr/starts-with? s "/admin")))
+
+(s/def ::stmt-url-prefix (s/and string? prefix? not-admin-prefix?))
+
 (s/def ::admin-user-default string?)
 (s/def ::admin-pass-default string?)
 
@@ -147,6 +156,7 @@
 (s/def ::http-host string?)
 (s/def ::http-port nat-int?)
 (s/def ::ssl-port nat-int?)
+(s/def ::url-prefix ::stmt-url-prefix)
 
 (s/def ::allow-all-origins boolean?)
 (s/def ::allowed-origins (s/nilable (s/coll-of string?)))