Skip to content

[Extensions] How to ensure REST Requests passed extension do not expose sensitive information? #4429

Open
Open
[Extensions] How to ensure REST Requests passed extension do not expose sensitive information?#4429
Labels
discussIssues intended to help drive brainstorming and decision makingenhancementEnhancement or improvement to existing feature or request
@peternied

Description

@peternied
peternied
opened on Sep 6, 2022

Is your feature request related to a problem? Please describe.
When recieving a REST API request that is registered to an extension parts of the request are serialized and sent to the extension so they can be processed. This is limited at the moment, but in the future extensions might need header information or other potentially sensitive properties.

How should we ensure that extensions only get limited information to keep there access properly limited?

Nightmare scenario: Extension gets the headers from a REST API request to OpenSearch, included is the Authentication header, the extension then impersonates the user using their permissions.

Describe the solution you'd like
Unsure

Describe alternatives you've considered
Don't forward any headers of any kind - might be too limiting

Have a specific list of allowed headers to provide - manually inspect this list to ensure it doesn't include COOKIE or AUTHENITICATION

Additional context
#4415 (comment)

Metadata

Metadata

Assignees

No one assigned

    Labels

    discussIssues intended to help drive brainstorming and decision makingenhancementEnhancement or improvement to existing feature or request

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions