Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

replace term whitelist with allowlist #806

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 8 additions & 8 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -92,13 +92,13 @@ server.start();

## Using Node/npm Dependencies

### Whitelisting Packages
### Allowlisting Packages

When your app is running in FastBoot, it may need to use Node packages
to replace features that are available only in the browser.

For security reasons, your Ember app running in FastBoot can only access
packages that you have explicitly whitelisted.
packages that you have explicitly listed as allowed.

To allow your app to require a package, add it to the
`fastbootDependencies` array in your app's `package.json`:
Expand Down Expand Up @@ -132,14 +132,14 @@ hash.** Built-in modules (`path`, `fs`, etc.) only need to be added to

From your Ember.js app, you can run `FastBoot.require()` to require a
package. This is identical to the CommonJS `require` except it checks
all requests against the whitelist first.
all requests against the allowlist first.

```js
let path = FastBoot.require('path');
let filePath = path.join('tmp', session.getID());
```

If you attempt to require a package that is not in the whitelist,
If you attempt to require a package that is not in the allowlist,
FastBoot will raise an exception.

Note that the `FastBoot` global is **only** available when running in
Expand Down Expand Up @@ -273,23 +273,23 @@ module.exports = function(environment) {
},

fastboot: {
hostWhitelist: ['example.com', 'subdomain.example.com', /^localhost:\d+$/]
hostAllowlist: ['example.com', 'subdomain.example.com', /^localhost:\d+$/]
}
};
// ...
};
```

The `hostWhitelist` can be a string or RegExp to match multiple hosts.
The `hostAllowlist` can be a string or RegExp to match multiple hosts.
Care should be taken when using a RegExp, as the host function relies on
the `Host` HTTP header, which can be forged. You could potentially allow
a malicious request if your RegExp is too permissive when using the `host`
when making subsequent requests.

Retrieving `host` will error on 2 conditions:

1. you do not have a `hostWhitelist` defined
2. the `Host` header does not match an entry in your `hostWhitelist`
1. you do not have a `hostAllowlist` defined
2. the `Host` header does not match an entry in your `hostAllowlist`

### Query Parameters

Expand Down
2 changes: 1 addition & 1 deletion packages/ember-cli-fastboot/fastboot/initializers/ajax.js
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ var nodeAjax = function(options) {
try {
options.url = protocol + '//' + get(this, 'fastboot.request.host') + options.url;
} catch (fbError) {
throw new Error('You are using Ember Data with no host defined in your adapter. This will attempt to use the host of the FastBoot request, which is not configured for the current host of this request. Please set the hostWhitelist property for in your environment.js. FastBoot Error: ' + fbError.message);
throw new Error('You are using Ember Data with no host defined in your adapter. This will attempt to use the host of the FastBoot request, which is not configured for the current host of this request. Please set the hostAllowlist property for in your environment.js. FastBoot Error: ' + fbError.message);
}
}

Expand Down
2 changes: 1 addition & 1 deletion packages/ember-cli-fastboot/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -239,7 +239,7 @@ module.exports = {

/**
* Need to handroll our own clone algorithm since JSON.stringy changes regex
* to empty objects which breaks hostWhiteList property of fastboot.
* to empty objects which breaks hostAllowList property of fastboot.
*
* @param {Object} config
*/
Expand Down
24 changes: 12 additions & 12 deletions packages/ember-cli-fastboot/lib/broccoli/fastboot-config.js
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ module.exports = class FastBootConfig extends Plugin {
this.buildConfig();
this.buildDependencies();
this.buildManifest();
this.buildHostWhitelist();
this.buildHostAllowlist();

let outputPath = path.join(this.outputPath, 'package.json');
this.writeFileIfContentChanged(outputPath, this.toJSONString());
Expand Down Expand Up @@ -85,7 +85,7 @@ module.exports = class FastBootConfig extends Plugin {

buildDependencies() {
let dependencies = {};
let moduleWhitelist = [];
let moduleAllowlist = [];
let ui = this.ui;

eachAddonPackage(this.project, pkg => {
Expand All @@ -101,7 +101,7 @@ module.exports = class FastBootConfig extends Plugin {
return;
}

moduleWhitelist.push(dep);
moduleAllowlist.push(dep);

if (version) {
dependencies[dep] = version;
Expand All @@ -115,7 +115,7 @@ module.exports = class FastBootConfig extends Plugin {

if (projectDeps) {
projectDeps.forEach(dep => {
moduleWhitelist.push(dep);
moduleAllowlist.push(dep);

let version = pkg.dependencies && pkg.dependencies[dep];
if (version) {
Expand All @@ -125,7 +125,7 @@ module.exports = class FastBootConfig extends Plugin {
}

this.dependencies = dependencies;
this.moduleWhitelist = uniq(moduleWhitelist);
this.moduleAllowlist = uniq(moduleAllowlist);
}

updateFastBootManifest(manifest) {
Expand Down Expand Up @@ -160,32 +160,32 @@ module.exports = class FastBootConfig extends Plugin {
this.manifest = this.updateFastBootManifest(manifest);
}

buildHostWhitelist() {
buildHostAllowlist() {
if (this.fastbootAppConfig) {
this.hostWhitelist = this.fastbootAppConfig.hostWhitelist;
this.hostAllowlist = this.fastbootAppConfig.hostAllowlist;
}
}

toJSONString() {
return stringify({
dependencies: this.dependencies,
fastboot: {
moduleWhitelist: this.moduleWhitelist,
moduleAllowlist: this.moduleAllowlist,
schemaVersion: LATEST_SCHEMA_VERSION,
manifest: this.manifest,
hostWhitelist: this.normalizeHostWhitelist(),
hostAllowlist: this.normalizeHostAllowlist(),
config: this.fastbootConfig,
appName: this.appName,
}
}, null, 2);
}

normalizeHostWhitelist() {
if (!this.hostWhitelist) {
normalizeHostAllowlist() {
if (!this.hostAllowlist) {
return;
}

return this.hostWhitelist.map(function(entry) {
return this.hostAllowlist.map(function(entry) {
// Is a regex
if (entry.source) {
return '/' + entry.source + '/';
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ module.exports = function(environment) {
},

fastboot: {
hostWhitelist: ['example.com', 'subdomain.example.com', /localhost:\d+/]
hostAllowlist: ['example.com', 'subdomain.example.com', /localhost:\d+/]
}
};

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ module.exports = function(environment) {
modulePrefix: 'fastboot-location-config',
fastboot: {
fastbootHeaders: false,
hostWhitelist: [/localhost:\d+/],
hostAllowlist: [/localhost:\d+/],
redirectCode: 302,
}
};
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ module.exports = function(environment) {
modulePrefix: 'fastboot-location',
fastboot: {
fastbootHeaders: true,
hostWhitelist: [/localhost:\d+/]
hostAllowlist: [/localhost:\d+/]
}
};

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ module.exports = function(environment) {
},

fastboot: {
hostWhitelist: ['example.com', 'subdomain.example.com', /localhost:\d+/]
hostAllowlist: ['example.com', 'subdomain.example.com', /localhost:\d+/]
}
};

Expand Down
6 changes: 3 additions & 3 deletions packages/ember-cli-fastboot/test/new-package-json-test.js
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ describe('FastbootConfig', function() {
expect(
output.read()
).to.deep.equal({
'package.json': `{"dependencies":{},"fastboot":{"appName":"app","config":{"app":{"modulePrefix":"app"}},"manifest":{"appFiles":["app.js","app-fastboot.js"],"htmlFile":"index.html","vendorFiles":["vendor.js"]},"moduleWhitelist":[],"schemaVersion":3}}`
'package.json': `{"dependencies":{},"fastboot":{"appName":"app","config":{"app":{"modulePrefix":"app"}},"manifest":{"appFiles":["app.js","app-fastboot.js"],"htmlFile":"index.html","vendorFiles":["vendor.js"]},"moduleAllowlist":[],"schemaVersion":3}}`
});

yield output.build();
Expand Down Expand Up @@ -84,7 +84,7 @@ describe('FastbootConfig', function() {
expect(
output.read()
).to.deep.equal({
'package.json': `{"dependencies":{"apple":"*","orange":"^1.0.0"},"fastboot":{"appName":"app","config":{"app":{"modulePrefix":"app"}},"manifest":{"appFiles":["app.js","app-fastboot.js"],"htmlFile":"index.html","vendorFiles":["vendor.js"]},"moduleWhitelist":["apple","orange"],"schemaVersion":3}}`
'package.json': `{"dependencies":{"apple":"*","orange":"^1.0.0"},"fastboot":{"appName":"app","config":{"app":{"modulePrefix":"app"}},"manifest":{"appFiles":["app.js","app-fastboot.js"],"htmlFile":"index.html","vendorFiles":["vendor.js"]},"moduleAllowlist":["apple","orange"],"schemaVersion":3}}`
});

project.pkg.fastbootDependencies = [
Expand All @@ -107,7 +107,7 @@ describe('FastbootConfig', function() {
expect(
output.read()
).to.deep.equal({
'package.json': `{"dependencies":{"apple":"^3.0.0","orange":"^1.0.0"},"fastboot":{"appName":"app","config":{"app":{"modulePrefix":"app"}},"manifest":{"appFiles":["app.js","app-fastboot.js"],"htmlFile":"index.html","vendorFiles":["vendor.js"]},"moduleWhitelist":["apple","orange"],"schemaVersion":3}}`
'package.json': `{"dependencies":{"apple":"^3.0.0","orange":"^1.0.0"},"fastboot":{"appName":"app","config":{"app":{"modulePrefix":"app"}},"manifest":{"appFiles":["app.js","app-fastboot.js"],"htmlFile":"index.html","vendorFiles":["vendor.js"]},"moduleAllowlist":["apple","orange"],"schemaVersion":3}}`
});
}));
});
2 changes: 1 addition & 1 deletion test-packages/basic-app/config/environment.js
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ module.exports = function(environment) {
},

fastboot: {
hostWhitelist: [
hostAllowlist: [
'example.com',
'subdomain.example.com',
'/localhost:\\d+/',
Expand Down
10 changes: 5 additions & 5 deletions test-packages/basic-app/test/package-json-test.js
Original file line number Diff line number Diff line change
Expand Up @@ -39,10 +39,10 @@ describe("generating package.json", function () {
expect(pkg.fastboot.schemaVersion).to.deep.equal(3);
});

it("contains a whitelist of allowed module names", function () {
it("contains a list of allowed module names", function () {
let pkg = fs.readJSONSync("dist/package.json");

expect(pkg.fastboot.moduleWhitelist).to.deep.equal([
expect(pkg.fastboot.moduleAllowlist).to.deep.equal([
"node-fetch",
"abortcontroller-polyfill",
"abortcontroller-polyfill/dist/cjs-ponyfill",
Expand Down Expand Up @@ -73,10 +73,10 @@ describe("generating package.json", function () {
});
});

it("contains a list of whitelisted hosts from environment.js", function () {
it("contains a list of allowed hosts from environment.js", function () {
let pkg = fs.readJSONSync("dist/package.json");

expect(pkg.fastboot.hostWhitelist).to.deep.equal([
expect(pkg.fastboot.hostAllowlist).to.deep.equal([
"example.com",
"subdomain.example.com",
"/localhost:\\d+/",
Expand Down Expand Up @@ -117,7 +117,7 @@ describe("generating package.json", function () {
autoboot: false,
},
fastboot: {
hostWhitelist: [
hostAllowlist: [
"example.com",
"subdomain.example.com",
"/localhost:\\d+/",
Expand Down