Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: now WAF bypass token header is forwarded #178

Merged
merged 10 commits into from
Aug 3, 2023
Merged

fix: now WAF bypass token header is forwarded #178

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
7fbebf1
fix: now WAF bypass token header is forwarded
nickytonline Jul 31, 2023
5c07680
chore: added logging when WAF_BYPASS_TOKEN_HEADER is found
nickytonline Aug 1, 2023
6481958
chore: trigger build
nickytonline Aug 1, 2023
e295095
chore: reworked logic to only add WAF bypass header on local images
nickytonline Aug 2, 2023
aef69e6
chore: reverted incomplete test I accidentally added
nickytonline Aug 2, 2023
24d2735
test: added tests for WAF fix
nickytonline Aug 2, 2023
ed72d5f
chore: test cleanup
nickytonline Aug 2, 2023
a1cc7f6
chore: test cleanup
nickytonline Aug 2, 2023
c3fd215
chore: fixed path for test
nickytonline Aug 3, 2023
f542109
chore: updated test description
nickytonline Aug 3, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 16 additions & 2 deletions src/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,12 @@ import { createIPX, handleRequest, IPXOptions } from 'ipx'
import { builder, Handler } from '@netlify/functions'
import { parseURL } from 'ufo'
import etag from 'etag'
import { loadSourceImage } from './http'
import { loadSourceImage as defaultLoadSourceImage } from './http'
import { decodeBase64Params, doPatternsMatchUrl, RemotePattern } from './utils'

// WAF is Web Application Firewall
const WAF_BYPASS_TOKEN_HEADER = 'X-Nf-Waf-Bypass-Token'

export interface IPXHandlerOptions extends Partial<IPXOptions> {
/**
* Path to cache directory
Expand Down Expand Up @@ -51,7 +55,7 @@ export function createIPXHandler ({
responseHeaders,
localPrefix,
...opts
}: IPXHandlerOptions = {}) {
}: IPXHandlerOptions = {}, loadSourceImage = defaultLoadSourceImage) {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this just to allow testing?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, that was the main reason, but we were already importing loadSourceImage, so why not compose instead.

const ipx = createIPX({ ...opts, dir: join(cacheDir, 'cache') })
if (!basePath.endsWith('/')) {
basePath = `${basePath}/`
Expand Down Expand Up @@ -94,8 +98,18 @@ export function createIPXHandler ({
const requestHeaders: Record<string, string> = {
[SUBREQUEST_HEADER]: '1'
}

const isLocal = !id.startsWith('http://') && !id.startsWith('https://')
if (isLocal) {
// This header is available to all lambdas that went through WAF
// We need to add it for local images (origin server) to be able to bypass WAF
if (event.headers[WAF_BYPASS_TOKEN_HEADER]) {
// eslint-disable-next-line no-console
console.log(`WAF bypass token found, setting ${WAF_BYPASS_TOKEN_HEADER} header to load source image`)
requestHeaders[WAF_BYPASS_TOKEN_HEADER] =
event.headers[WAF_BYPASS_TOKEN_HEADER]
}

const url = new URL(event.rawUrl)
url.pathname = id
if (localPrefix && !url.pathname.startsWith(localPrefix)) {
Expand Down
117 changes: 102 additions & 15 deletions test/index.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,24 @@ import test from 'ava'
import { readFile, statSync, emptyDir, readdirSync } from 'fs-extra'

import { createIPXHandler } from '../src/index'
import { CACHE_PRUNING_THRESHOLD } from '../src/http'
import { CACHE_PRUNING_THRESHOLD, SourceImageResult } from '../src/http'

function getHandlerContext () {
return {
functionName: 'ipx',
callbackWaitsForEmptyEventLoop: false,
functionVersion: '1',
invokedFunctionArn: '',
awsRequestId: '',
logGroupName: '',
logStreamName: '',
memoryLimitInMB: '',
getRemainingTimeInMillis: () => 1000,
done: () => { },
fail: () => { },
succeed: () => { }
}
}

test('source image cache pruning', async (t) => {
const filePath = join(__dirname, '..', 'example', 'public', 'img', 'test.jpg')
Expand Down Expand Up @@ -64,20 +81,7 @@ test('source image cache pruning', async (t) => {
isBase64Encoded: false,
body: null
},
{
functionName: 'ipx',
callbackWaitsForEmptyEventLoop: false,
functionVersion: '1',
invokedFunctionArn: '',
awsRequestId: '',
logGroupName: '',
logStreamName: '',
memoryLimitInMB: '',
getRemainingTimeInMillis: () => 1000,
done: () => { },
fail: () => { },
succeed: () => { }
}
getHandlerContext()
)
if (response) {
t.is(response.statusCode, 200)
Expand All @@ -96,3 +100,86 @@ test('source image cache pruning', async (t) => {
'cache size should not be equal to number of images * image size if we exceed threshold'
)
})

test('should add WAF headers to local images being transformed', async (t) => {
const handler = createIPXHandler({
basePath: '/_ipx/',
cacheDir: '/tmp/ipx-cache',
bypassDomainCheck: true
}, (sourceImageOptions) => {
t.assert(sourceImageOptions.requestHeaders && sourceImageOptions.requestHeaders['X-Nf-Waf-Bypass-Token'] === 'some token')

return Promise.resolve({ finalize: () => { } } as SourceImageResult)
})

await handler(
{
rawUrl: 'http://localhost:3000/some-path',
path: '/_ipx/w_500/no-file.jpg',
headers: { 'X-Nf-Waf-Bypass-Token': 'some token' },
rawQuery: '',
httpMethod: 'GET',
queryStringParameters: {},
multiValueQueryStringParameters: {},
multiValueHeaders: {},
isBase64Encoded: false,
body: null
},
getHandlerContext()
)
})

test('should not add WAF headers to remote images being transformed', async (t) => {
const handler = createIPXHandler({
basePath: '/_ipx/',
cacheDir: '/tmp/ipx-cache',
bypassDomainCheck: true
}, (sourceImageOptions) => {
t.assert(sourceImageOptions.requestHeaders && sourceImageOptions.requestHeaders['X-Nf-Waf-Bypass-Token'] === undefined)

return Promise.resolve({ finalize: () => { } } as SourceImageResult)
})

await handler(
{
rawUrl: 'http://localhost:3000/some-path',
path: '/_ipx/w_500/https%3A%2F%2Fsome-site.com%2Fno-file.jpg',
headers: { 'X-Nf-Waf-Bypass-Token': 'some token' },
rawQuery: '',
httpMethod: 'GET',
queryStringParameters: {},
multiValueQueryStringParameters: {},
multiValueHeaders: {},
isBase64Encoded: false,
body: null
},
getHandlerContext()
)
})
test('should not add WAF headers to local images if WAF is disabled', async (t) => {
const handler = createIPXHandler({
basePath: '/_ipx/',
cacheDir: '/tmp/ipx-cache',
bypassDomainCheck: true
}, (sourceImageOptions) => {
t.assert(sourceImageOptions.requestHeaders && sourceImageOptions.requestHeaders['X-Nf-Waf-Bypass-Token'] === undefined)

return Promise.resolve({ finalize: () => { } } as SourceImageResult)
})

await handler(
{
rawUrl: 'http://localhost:3000/some-path',
path: '/_ipx/w_500/no-file.jpg',
headers: {},
rawQuery: '',
httpMethod: 'GET',
queryStringParameters: {},
multiValueQueryStringParameters: {},
multiValueHeaders: {},
isBase64Encoded: false,
body: null
},
getHandlerContext()
)
})