Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Replace term whitelist with allowlist #817

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 8 additions & 8 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -92,13 +92,13 @@ server.start();

## Using Node/npm Dependencies

### Whitelisting Packages
### Allowlisting Packages

When your app is running in FastBoot, it may need to use Node packages
to replace features that are available only in the browser.

For security reasons, your Ember app running in FastBoot can only access
packages that you have explicitly whitelisted.
packages that you have explicitly listed as allowed.

To allow your app to require a package, add it to the
`fastbootDependencies` array in your app's `package.json`:
Expand Down Expand Up @@ -132,14 +132,14 @@ hash.** Built-in modules (`path`, `fs`, etc.) only need to be added to

From your Ember.js app, you can run `FastBoot.require()` to require a
package. This is identical to the CommonJS `require` except it checks
all requests against the whitelist first.
all requests against the allowlist first.

```js
let path = FastBoot.require('path');
let filePath = path.join('tmp', session.getID());
```

If you attempt to require a package that is not in the whitelist,
If you attempt to require a package that is not in the allowlist,
FastBoot will raise an exception.

Note that the `FastBoot` global is **only** available when running in
Expand Down Expand Up @@ -273,23 +273,23 @@ module.exports = function(environment) {
},

fastboot: {
hostWhitelist: ['example.com', 'subdomain.example.com', /^localhost:\d+$/]
hostAllowlist: ['example.com', 'subdomain.example.com', /^localhost:\d+$/]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You might have a pending commit to standardize the casing

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wouldn't be opposed to just making this Allowlist (lower case l) to ensure ease of migration

}
};
// ...
};
```

The `hostWhitelist` can be a string or RegExp to match multiple hosts.
The `hostAllowlist` can be a string or RegExp to match multiple hosts.
Care should be taken when using a RegExp, as the host function relies on
the `Host` HTTP header, which can be forged. You could potentially allow
a malicious request if your RegExp is too permissive when using the `host`
when making subsequent requests.

Retrieving `host` will error on 2 conditions:

1. you do not have a `hostWhitelist` defined
2. the `Host` header does not match an entry in your `hostWhitelist`
1. you do not have a `hostAllowlist` defined
2. the `Host` header does not match an entry in your `hostAllowlist`

### Query Parameters

Expand Down
2 changes: 1 addition & 1 deletion packages/ember-cli-fastboot/fastboot/initializers/ajax.js
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ var nodeAjax = function(options) {
try {
options.url = protocol + '//' + get(this, 'fastboot.request.host') + options.url;
} catch (fbError) {
throw new Error('You are using Ember Data with no host defined in your adapter. This will attempt to use the host of the FastBoot request, which is not configured for the current host of this request. Please set the hostWhitelist property for in your environment.js. FastBoot Error: ' + fbError.message);
throw new Error('You are using Ember Data with no host defined in your adapter. This will attempt to use the host of the FastBoot request, which is not configured for the current host of this request. Please set the hostAllowlist property for in your environment.js. FastBoot Error: ' + fbError.message);
}
}

Expand Down
2 changes: 1 addition & 1 deletion packages/ember-cli-fastboot/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -237,7 +237,7 @@ module.exports = {

/**
* Need to handroll our own clone algorithm since JSON.stringy changes regex
* to empty objects which breaks hostWhiteList property of fastboot.
* to empty objects which breaks hostAllowList property of fastboot.
*
* @param {Object} config
*/
Expand Down
42 changes: 22 additions & 20 deletions packages/ember-cli-fastboot/lib/broccoli/fastboot-config.js
Original file line number Diff line number Diff line change
@@ -1,14 +1,13 @@
/* eslint-env node */
'use strict';

const fs = require('fs');
const fmt = require('util').format;
const uniq = require('ember-cli-lodash-subset').uniq;
const merge = require('ember-cli-lodash-subset').merge;
const md5Hex = require('md5-hex');
const path = require('path');
const Plugin = require('broccoli-plugin');

const fs = require('fs');
const fmt = require('util').format;
const uniq = require('ember-cli-lodash-subset').uniq;
const merge = require('ember-cli-lodash-subset').merge;
const md5Hex = require('md5-hex');
const path = require('path');
const Plugin = require('broccoli-plugin');
const stringify = require('json-stable-stringify');

const LATEST_SCHEMA_VERSION = 3;
Expand Down Expand Up @@ -50,7 +49,7 @@ module.exports = class FastBootConfig extends Plugin {
this.buildConfig();
this.buildDependencies();
this.buildManifest();
this.buildHostWhitelist();
this.buildHostAllowList();

let outputPath = path.join(this.outputPath, 'package.json');
this.writeFileIfContentChanged(outputPath, this.toJSONString());
Expand Down Expand Up @@ -85,7 +84,7 @@ module.exports = class FastBootConfig extends Plugin {

buildDependencies() {
let dependencies = {};
let moduleWhitelist = [];
let moduleAllowlist = [];
let ui = this.ui;

eachAddonPackage(this.project, pkg => {
Expand All @@ -101,7 +100,7 @@ module.exports = class FastBootConfig extends Plugin {
return;
}

moduleWhitelist.push(dep);
moduleAllowlist.push(dep);

if (version) {
dependencies[dep] = version;
Expand All @@ -115,7 +114,7 @@ module.exports = class FastBootConfig extends Plugin {

if (projectDeps) {
projectDeps.forEach(dep => {
moduleWhitelist.push(dep);
moduleAllowlist.push(dep);

let version = pkg.dependencies && pkg.dependencies[dep];
if (version) {
Expand All @@ -125,7 +124,7 @@ module.exports = class FastBootConfig extends Plugin {
}

this.dependencies = dependencies;
this.moduleWhitelist = uniq(moduleWhitelist);
this.moduleAllowlist = uniq(moduleAllowlist);
}

updateFastBootManifest(manifest) {
Expand Down Expand Up @@ -160,32 +159,35 @@ module.exports = class FastBootConfig extends Plugin {
this.manifest = this.updateFastBootManifest(manifest);
}

buildHostWhitelist() {
buildHostAllowList() {
if (this.fastbootAppConfig) {
this.hostWhitelist = this.fastbootAppConfig.hostWhitelist;
if ('hostWhitelist' in this.fastbootAppConfig) {
this.ui.writeLine('Please update your fastboot config to use `hostAllowList` of the deprecated `hostWhitelist`');
kiwiupover marked this conversation as resolved.
Show resolved Hide resolved
}
this.hostAllowList = this.fastbootAppConfig.hostAllowList || this.fastbootAppConfig.hostWhitelist
}
}

toJSONString() {
return stringify({
dependencies: this.dependencies,
fastboot: {
moduleWhitelist: this.moduleWhitelist,
moduleAllowlist: this.moduleAllowlist,
schemaVersion: LATEST_SCHEMA_VERSION,
manifest: this.manifest,
hostWhitelist: this.normalizeHostWhitelist(),
hostAllowList: this.normalizeHostAllowList(),
config: this.fastbootConfig,
appName: this.appName,
}
}, null, 2);
}

normalizeHostWhitelist() {
if (!this.hostWhitelist) {
normalizeHostAllowList() {
if (!this.hostAllowList) {
return;
}

return this.hostWhitelist.map(function(entry) {
return this.hostAllowList.map(function(entry) {
// Is a regex
if (entry.source) {
return '/' + entry.source + '/';
Expand Down
1 change: 0 additions & 1 deletion packages/ember-cli-fastboot/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,6 @@
"body-parser": "^1.18.3",
"broccoli-asset-rev": "^3.0.0",
"broccoli-test-helper": "^1.5.0",
"co": "4.6.0",
"chai": "^4.1.2",
"chai-fs": "^2.0.0",
"chai-string": "^1.4.0",
Expand Down
83 changes: 50 additions & 33 deletions packages/ember-cli-fastboot/test/fastboot-config-test.js
Original file line number Diff line number Diff line change
@@ -1,42 +1,59 @@
/* eslint-env node */
'use strict';

const expect = require('chai').use(require('chai-string')).expect;
const RSVP = require('rsvp');
const request = RSVP.denodeify(require('request'));

const AddonTestApp = require('ember-cli-addon-tests').AddonTestApp;

describe('FastBoot config', function() {
this.timeout(400000);
const expect = require('chai').expect;
const helpers = require('broccoli-test-helper');
const MockUI = require('console-ui/mock')
const createBuilder = helpers.createBuilder;
const createTempDir = helpers.createTempDir;
const FastbootConfig = require('../lib/broccoli/fastboot-config');


describe('FastbootConfig', function() {
let input;
let output;
let subject;
let project;

beforeEach(async function() {
input = await createTempDir();
project = {
addons: [],
pkg: {},
};
subject = new FastbootConfig(input.path(), {
project,
outputPaths: {
app: { js: 'app.js' },
vendor: { js: 'vendor.js' },
},
appConfig: {
modulePrefix: 'app',
},
ui: new MockUI(),
fastbootAppConfig: {
hostWhitelist: ['example.com', 'subdomain.example.com']
}
});
output = createBuilder(subject);
});

let app;
afterEach(async function() {
await input.dispose();
await output.dispose();
});

before(function() {
app = new AddonTestApp();
it('it replace hostWhitelist with hostAllowList and warns user to update the config to hostAllowList', async function() {
input.write({});

return app.create('fastboot-config', { emberVersion: 'latest'})
.then(function() {
return app.startServer({
command: 'serve'
});
});
});
await output.build();

after(function() {
return app.stopServer();
});
expect(
output.read()
).to.deep.equal({
'package.json': `{"dependencies":{},"fastboot":{"appName":"app","config":{"app":{"modulePrefix":"app"}},"hostAllowList":["example.com","subdomain.example.com"],"manifest":{"appFiles":["app.js","app-fastboot.js"],"htmlFile":"index.html","vendorFiles":["vendor.js"]},"moduleAllowlist":[],"schemaVersion":3}}`
});

it('provides sandbox globals', function() {
return request({
url: 'http://localhost:49741/',
headers: {
'Accept': 'text/html'
}
})
.then(function(response) {
expect(response.statusCode).to.equal(200);
expect(response.headers['content-type']).to.equalIgnoreCase('text/html; charset=utf-8');
expect(response.body).to.contain('<h1>My Global</h1>');
});
expect(output.builder.outputNode.ui.output).to.contain('Please update your fastboot config to use `hostAllowList` of the deprecated `hostWhitelist`');
});
});
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ module.exports = function(environment) {
},

fastboot: {
hostWhitelist: ['example.com', 'subdomain.example.com', /localhost:\d+/]
hostAllowlist: ['example.com', 'subdomain.example.com', /localhost:\d+/]
}
};

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ module.exports = function(environment) {
modulePrefix: 'fastboot-location-config',
fastboot: {
fastbootHeaders: false,
hostWhitelist: [/localhost:\d+/],
hostAllowlist: [/localhost:\d+/],
redirectCode: 302,
}
};
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ module.exports = function(environment) {
modulePrefix: 'fastboot-location',
fastboot: {
fastbootHeaders: true,
hostWhitelist: [/localhost:\d+/]
hostAllowlist: [/localhost:\d+/]
}
};

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ module.exports = function(environment) {
},

fastboot: {
hostWhitelist: ['example.com', 'subdomain.example.com', /localhost:\d+/]
hostAllowlist: ['example.com', 'subdomain.example.com', /localhost:\d+/]
}
};

Expand Down
19 changes: 12 additions & 7 deletions packages/ember-cli-fastboot/test/new-package-json-test.js
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,6 @@ const expect = require('chai').expect;
const helpers = require('broccoli-test-helper');
const createBuilder = helpers.createBuilder;
const createTempDir = helpers.createTempDir;
const co = require('co');
const FastbootConfig = require('../lib/broccoli/fastboot-config');

describe('FastbootConfig', function() {
Expand Down Expand Up @@ -50,8 +49,10 @@ describe('FastbootConfig', function() {

await output.build();

expect(output.read()).to.deep.equal({
'package.json': `{"dependencies":{},"fastboot":{"appName":"app","config":{"app":{"modulePrefix":"app"}},"manifest":{"appFiles":["app.js","app-fastboot.js"],"htmlFile":"index.html","vendorFiles":["vendor.js"]},"moduleWhitelist":[],"schemaVersion":3}}`,
expect(
output.read()
).to.deep.equal({
'package.json': `{"dependencies":{},"fastboot":{"appName":"app","config":{"app":{"modulePrefix":"app"}},"manifest":{"appFiles":["app.js","app-fastboot.js"],"htmlFile":"index.html","vendorFiles":["vendor.js"]},"moduleAllowlist":[],"schemaVersion":3}}`
});

await output.build();
Expand All @@ -72,8 +73,10 @@ describe('FastbootConfig', function() {
'package.json': 'change',
});

expect(output.read()).to.deep.equal({
'package.json': `{"dependencies":{"apple":"*","orange":"^1.0.0"},"fastboot":{"appName":"app","config":{"app":{"modulePrefix":"app"}},"manifest":{"appFiles":["app.js","app-fastboot.js"],"htmlFile":"index.html","vendorFiles":["vendor.js"]},"moduleWhitelist":["apple","orange"],"schemaVersion":3}}`,
expect(
output.read()
).to.deep.equal({
'package.json': `{"dependencies":{"apple":"*","orange":"^1.0.0"},"fastboot":{"appName":"app","config":{"app":{"modulePrefix":"app"}},"manifest":{"appFiles":["app.js","app-fastboot.js"],"htmlFile":"index.html","vendorFiles":["vendor.js"]},"moduleAllowlist":["apple","orange"],"schemaVersion":3}}`
});

project.pkg.fastbootDependencies = ['apple', 'orange'];
Expand All @@ -88,8 +91,10 @@ describe('FastbootConfig', function() {

await output.build();

expect(output.read()).to.deep.equal({
'package.json': `{"dependencies":{"apple":"^3.0.0","orange":"^1.0.0"},"fastboot":{"appName":"app","config":{"app":{"modulePrefix":"app"}},"manifest":{"appFiles":["app.js","app-fastboot.js"],"htmlFile":"index.html","vendorFiles":["vendor.js"]},"moduleWhitelist":["apple","orange"],"schemaVersion":3}}`,
expect(
output.read()
).to.deep.equal({
'package.json': `{"dependencies":{"apple":"^3.0.0","orange":"^1.0.0"},"fastboot":{"appName":"app","config":{"app":{"modulePrefix":"app"}},"manifest":{"appFiles":["app.js","app-fastboot.js"],"htmlFile":"index.html","vendorFiles":["vendor.js"]},"moduleAllowlist":["apple","orange"],"schemaVersion":3}}`
});
});
});
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"dependencies": {},
"fastboot": {
"moduleWhitelist": [],
"moduleAllowlist": [],
"manifest": {
"appFile": "assets/fastboot-test.js",
"htmlFile": "index.html",
Expand Down
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"dependencies": {},
"fastboot": {
"moduleWhitelist": [],
"moduleAllowlist": [],
"manifest": {
"appFile": "assets/fastboot-test.js",
"htmlFile": "index.html",
Expand Down
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"dependencies": {},
"fastboot": {
"moduleWhitelist": [],
"moduleAllowlist": [],
"manifest": {
"appFile": "assets/fastboot-test.js",
"htmlFile": "index.html",
Expand Down
Loading