
cubeapi: forward X-Request-Method to auth callback#315

Open
ls-ggg wants to merge 1 commit into TencentCloud:master from ls-ggg:coolli/fix-auth-callback-missing-method

Conversation

Collaborator

@ls-ggg ls-ggg commented May 20, 2026

The auth callback only received X-Request-Path, not the HTTP method. Routes like /templates/:id and /sandboxes/:id multiplex multiple methods (GET/POST/DELETE/PATCH) on the same path, so a callback that whitelists by path alone cannot distinguish read from write/delete operations -- a caller with read-only credentials could escalate to delete/rebuild.

Fix: add X-Request-Method header to every outgoing callback POST so the callback implementation can enforce fine-grained (path + method) authz.

Changes:

  • middleware/auth.rs: forward X-Request-Method in callback POST request
  • config/mod.rs: update auth_callback_url doc comment with new header and privilege-escalation security note
  • tracing log fields: add method to debug/warn entries
  • 6 new unit tests covering GET-vs-DELETE same-path regression, path forwarding, rejection 401, no-callback passthrough, missing credential, and POST/PATCH write-method forwarding
  • docs/guide/authentication.md: add X-Request-Method to callback format table, update flow diagram, add warning block about path-only authz risk, rewrite example callback with path+method fine-grained authz
  • docs/zh/guide/authentication.md: same updates in Chinese

Signed-off-by: ls-ggg <335814617@qq.com>
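A callback-side implementation of the path + method authz the PR description calls for, as an added example that is not code from the PR or from cubeapi. The `Role` enum and the credential-to-role mapping are assumptions; the two header names and the two multiplexed routes are the ones the PR names, and the path-only check is kept beside the path+method check to show the escalation the fix closes.

```rust
use std::collections::HashMap;

/// Role derived from the caller's credential. Hypothetical: how a deployment maps
/// credentials to roles is outside what the PR describes.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Role { ReadOnly, Admin }

/// Routes that multiplex several methods on one path, as named in the PR.
const READ_ROUTES: &[&str] = &["/templates/:id", "/sandboxes/:id"];

/// Match a concrete path against a route template; ":id"-style segments match any value.
pub fn route_matches(template: &str, path: &str) -> bool {
    let t: Vec<&str> = template.trim_matches('/').split('/').collect();
    let p: Vec<&str> = path.trim_matches('/').split('/').collect();
    t.len() == p.len() && t.iter().zip(&p).all(|(a, b)| a.starts_with(':') || a == b)
}

/// Pre-fix policy: the callback only sees X-Request-Path, so an allow-list keyed on
/// path alone admits a read-only credential for DELETE just as it does for GET.
pub fn authz_path_only(role: Role, path: &str) -> bool {
    role == Role::Admin || READ_ROUTES.iter().any(|r| route_matches(r, path))
}

/// Post-fix policy: decide on path *and* method. Returns the status the callback
/// answers with (200 = allow, 401 = reject). Header names are matched
/// case-insensitively; a callback POST without X-Request-Method is rejected (fail closed).
pub fn authz_path_method(role: Role, headers: &HashMap<String, String>) -> u16 {
    let get = |name: &str| {
        headers.iter().find(|(k, _)| k.eq_ignore_ascii_case(name)).map(|(_, v)| v.as_str())
    };
    let (Some(path), Some(method)) = (get("X-Request-Path"), get("X-Request-Method")) else {
        return 401;
    };
    let allowed = match role {
        Role::Admin => true,
        Role::ReadOnly => {
            method.eq_ignore_ascii_case("GET") && READ_ROUTES.iter().any(|r| route_matches(r, path))
        }
    };
    if allowed { 200 } else { 401 }
}

/// The two headers cubeapi forwards in its callback POST, as a constructed sample.
pub fn callback_headers(method: &str, path: &str) -> HashMap<String, String> {
    HashMap::from([
        ("X-Request-Method".to_string(), method.to_string()),
        ("X-Request-Path".to_string(), path.to_string()),
    ])
}
```

Because `authz_path_method` fails closed when X-Request-Method is absent, it also rejects callbacks from a cubeapi build that predates this change rather than silently falling back to path-only authz.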
ls-ggg force-pushed the coolli/fix-auth-callback-missing-method branch from 9fcd47b to 0a12cf2 on May 20, 2026 02:53
Collaborator Author

ls-ggg commented May 20, 2026

/cubebot cr


github-actions Bot commented May 20, 2026

Claude finished @ls-ggg's task in 35s
I'll analyze this and get back to you.
