lnd: disable REST proxy HTTP method fallback

It turns out that when a REST call to an endpoint (in this specific
example /v1/payments, which for GET returns all payments but for DELETE
removes all payments) is made with POST instead of the correct
registered method, the grpc-gateway tried to find a fallback method.
That resulted in randomly choosing between any of the calls with the
same URI pattern.
This is of course catastrophic if the user attempts to query the list of
payments (but using POST instead of GET by accident) and then ends up
calling the DELETE endpoint instead.
Oliver Gugger 2022-03-23 17:40:35 +01:00
parent 929a5654ee
commit 1dc2a394e6
No known key found for this signature in database
GPG key ID: 8E4256593F177720
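
The failure mode in the commit message, as an added example (not lnd or grpc-gateway code): a simplified model of a mux that keys handlers by HTTP method in a Go map and, on a method mismatch, falls back to any other method registered for the same path. `miniMux`, `newMux`, `call` and the action names are hypothetical; the request is constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// miniMux is a simplified model written for this example. Handlers are keyed
// by HTTP method in a map, so iterating over them has no stable order.
type miniMux struct {
	handlers      map[string]map[string]string // method -> path -> action
	allowFallback bool
}

func (m *miniMux) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if action, ok := m.handlers[r.Method][r.URL.Path]; ok {
		fmt.Fprint(w, action)
		return
	}
	if m.allowFallback {
		for _, paths := range m.handlers { // whichever method comes first wins
			if action, ok := paths[r.URL.Path]; ok {
				fmt.Fprint(w, action)
				return
			}
		}
	}
	http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
}

// newMux registers GET and DELETE on the same URI, as /v1/payments does.
func newMux(allowFallback bool) *miniMux {
	return &miniMux{allowFallback: allowFallback, handlers: map[string]map[string]string{
		http.MethodGet:    {"/v1/payments": "ListPayments"},
		http.MethodDelete: {"/v1/payments": "DeleteAllPayments"},
	}}
}

// call sends one constructed request and returns the status code and body.
func call(m *miniMux, method, path string) (int, string) {
	rec := httptest.NewRecorder()
	m.ServeHTTP(rec, httptest.NewRequest(method, path, nil))
	return rec.Code, rec.Body.String()
}

func main() {
	fmt.Println(call(newMux(true), "POST", "/v1/payments"))  // either action
	fmt.Println(call(newMux(false), "POST", "/v1/payments")) // rejected
}
```

With fallback enabled, repeated runs can print either action for the same POST; with exact matching the request is rejected before any handler runs.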

11
lnd.go

@ -973,7 +973,16 @@ func startRestProxy(cfg *Config, rpcServer *rpcServer, restDialOpts []grpc.DialO
},
},
)
mux := proxy.NewServeMux(customMarshalerOption)
mux := proxy.NewServeMux(
customMarshalerOption,
// Don't allow falling back to other HTTP methods, we want exact
// matches only. The actual method to be used can be overwritten
// by setting X-HTTP-Method-Override so there should be no
// reason for not specifying the correct method in the first
// place.
proxy.WithDisablePathLengthFallback(),
)
// Register our services with the REST proxy.
err := lnrpc.RegisterStateHandlerFromEndpoint(
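
Review bot: the comment above proxy.WithDisablePathLengthFallback() states the intent (exact method matches only) but does not say why an option named for path length is what turns off the method fallback; one sentence linking the two, and naming the /v1/payments GET/DELETE collision from the commit message, would save the next reader a trip into the gateway source. The hunk also adds no test: a REST-level check that a POST to a URI registered only for GET and DELETE is rejected rather than dispatched would keep this from regressing on a gateway upgrade. Since the comment points clients at X-HTTP-Method-Override, it is worth confirming that header is covered in the REST documentation so callers who relied on the old behaviour know the supported alternative.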