From 1264b067ad9c95cd34aa9e93ab080396bf899b13 Mon Sep 17 00:00:00 2001 From: io42630 Date: Sun, 21 Jan 2024 01:11:24 +0100 Subject: [PATCH] refactor --- README.md | 40 +- docker-compose.yaml | 12 +- flow.uxf | 394 ++++++++++++++++++ forward/src/test/resources/get-smoke.http | 3 +- forward/src/test/resources/pot-smoke.http | 7 + .../java/com/olexyn/misp/reverse/Tools.java | 1 + 6 files changed, 429 insertions(+), 28 deletions(-) create mode 100644 flow.uxf create mode 100644 forward/src/test/resources/pot-smoke.http diff --git a/README.md b/README.md index ed9b959..0eaf2b9 100644 --- a/README.md +++ b/README.md @@ -29,13 +29,6 @@ which in turn will finally forward it to the `user`. #### What does not work: * Handling 301 (Moved Permanently). * Forwarding PUT requests - if needed, the logic might be quickly added to `doPut` in `forward`. -* The `forward.war` has issues - meanwhile run `forward` embedded with Jetty. - -
- -### Demo -[![IMAGE ALT TEXT](http://img.youtube.com/vi/WcSvzeu6nKo/0.jpg)](https://youtu.be/WcSvzeu6nKo "misp Demo") -
@@ -53,17 +46,22 @@ which in turn will finally forward it to the `user`. * Launch the `reverse-0.1.jar` on your host. -### Migration (WIP) - -#### How would we even test this? -* one instance of `foward` -* one instance of `reverse` -* one instance of `mirror` -* `reverse` uses `mirror` as app -* we call `forward` and see `mirror` - -#### Steps TODO -* migrate `forward` to Spring ✅ -* parametrize URLs -* check if `mirror` works -* +### Security Considerations +* user might access other resources (i.e. another app) + * user might manipulate the `app` URL + * the URL of the app is provided as ENV + * `reverse` calls said URL. + * the URL is never transmitted over the network + * the `Ride` object which `forward` receives contains only the _original_ request and the response payload from `app` + * user might use redirect magic + * user can not manipulate URL directly + * but if the server is not properly configured, the user might exploit that + * thus only expose local servers that you consider hardened. + * TODO possibly do some Header editing, before calling `app` URL in `Tools.send()` + + +### Considerations How to add multiple host mapping +* keep `forward` agnostic + * supply parameter to `/` indicating desired target service +* in `reverse` + * maintain a map of desired service -> URL \ No newline at end of file diff --git a/docker-compose.yaml b/docker-compose.yaml index c24cb0e..afa152f 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -2,12 +2,12 @@ version: '3' services: - forward: - container_name: forward - image: io42630/forward:0.1 - ports: - - "42001:8080" - - "42002:5005" +# forward: +# container_name: forward +# image: io42630/forward:0.1 +# ports: +# - "42001:8080" +# - "42002:5005" # See .env for vars. diff --git a/flow.uxf b/flow.uxf new file mode 100644 index 0000000..c117a9c --- /dev/null +++ b/flow.uxf 
@@ -0,0 +1,394 @@ + + + 10 + + UMLClass + + 1420 + 610 + 100 + 30 + + forward +bg=#B39DDB +layer=-1 + + + + Relation + + 1170 + 680 + 280 + 50 + + lt=<<<- +POST (Ride) +Generated by Loop + 260.0;20.0;10.0;20.0 + + + Relation + + 1170 + 830 + 280 + 50 + + lt=<<<- +POST (Ride)(Request) +(Data) + 260.0;20.0;10.0;20.0 + + + Relation + + 1170 + 880 + 280 + 40 + + lt=<<<. +OK (Ride) + 10.0;20.0;260.0;20.0 + + + UMLClass + + 760 + 610 + 80 + 30 + + app +bg=#90CAF9 + + + + Relation + + 800 + 760 + 400 + 40 + + lt=<<<- +GET (Request) +fg=#1E88E5 + 10.0;20.0;380.0;20.0 + + + Relation + + 800 + 810 + 400 + 40 + + lt=<<<. +OK (Data) +fg=#1E88E5 + 380.0;20.0;10.0;20.0 + + + Relation + + 1170 + 740 + 280 + 40 + + lt=<<<. +OK (Ride)(Request) + 10.0;20.0;260.0;20.0 + + + UMLClass + + 630 + 320 + 1330 + 640 + + +lt=.. +layer=-10 + + + + UMLClass + + 1430 + 700 + 80 + 40 + + Available +Rides +bg=#FFF59D +transparency=0 + + + + UMLClass + + 1430 + 740 + 80 + 110 + + Booked +Rides +bg=#E6EE9C +transparency=0 +layer=1 + + + + UMLClass + + 1430 + 850 + 80 + 60 + + Loaded +Rides +bg=#A5D6A7 +transparency=0 + + + + Relation + + 790 + 630 + 30 + 320 + + lt=- +fg=#1E88E5 + 10.0;10.0;10.0;300.0 + + + UMLClass + + 790 + 780 + 20 + 50 + + +bg=#F6F6F6 +transparency=0 +layer=4 + + + + Relation + + 1460 + 630 + 30 + 320 + + lt=- +fg=#5E35B1 +layer=-4 + 10.0;10.0;10.0;300.0 + + + UMLClass + + 1420 + 340 + 100 + 30 + + forward +bg=#B39DDB +layer=-1 + + + + UMLClass + + 860 + 340 + 410 + 30 + + reverse +bg=#B39DDB +layer=-1 + + + + UMLClass + + 1430 + 450 + 80 + 50 + + Available +Rides +bg=#FFF59D +transparency=0 + + + + Relation + + 1460 + 360 + 30 + 180 + + lt=- +fg=#5E35B1 +layer=-4 + 10.0;10.0;10.0;160.0 + + + Relation + + 1170 + 440 + 280 + 40 + + lt=<<<- +POST (Available) + 260.0;20.0;10.0;20.0 + + + Relation + + 1170 + 470 + 280 + 40 + + lt=<<<. 
+OK (# Available) + 10.0;20.0;260.0;20.0 + + + UMLClass + + 860 + 390 + 140 + 40 + + Reverse.main() +bg=#FFF59D +transparency=0 + + + + UMLClass + + 1090 + 390 + 150 + 40 + + CheckSuppyR +(Runnable) +bg=#FFF59D +transparency=0 + + + + UMLClass + + 1090 + 550 + 150 + 40 + + JourneyGeneratorR +(Runnable) +bg=#FFF59D +transparency=0 + + + + UMLClass + + 1090 + 640 + 150 + 40 + + JourneyR +(Runnable) +bg=#FFF59D +transparency=0 + + + + Relation + + 990 + 390 + 120 + 40 + + lt=<<<- +1 + 100.0;20.0;10.0;20.0 + + + Relation + + 990 + 410 + 120 + 180 + + lt=<<<- +1 + 100.0;160.0;10.0;10.0 + + + Relation + + 1170 + 580 + 80 + 80 + + lt=<<<- +1-1000 + 10.0;60.0;10.0;10.0 + + + Relation + + 1170 + 670 + 30 + 280 + + lt=- +fg=#5E35B1 +layer=-4 + 10.0;10.0;10.0;260.0 + + + Relation + + 1170 + 420 + 30 + 130 + + lt=- +fg=#5E35B1 +layer=-4 + 10.0;10.0;10.0;110.0 + + diff --git a/forward/src/test/resources/get-smoke.http b/forward/src/test/resources/get-smoke.http index 6530c90..4d5587d 100644 --- a/forward/src/test/resources/get-smoke.http +++ b/forward/src/test/resources/get-smoke.http @@ -1,4 +1,5 @@ -POST http://localhost:42001 +#POST http://localhost:42001 +GET http://node175251-env-1739619.sh1.hidora.com:11231/ Content-Type: application/json { diff --git a/forward/src/test/resources/pot-smoke.http b/forward/src/test/resources/pot-smoke.http new file mode 100644 index 0000000..0f8a49a --- /dev/null +++ b/forward/src/test/resources/pot-smoke.http @@ -0,0 +1,7 @@ +#POST http://localhost:42001 +POST http://node175251-env-1739619.sh1.hidora.com:11231/ +Content-Type: application/json + +{ + "hello": "world" +} diff --git a/reverse/src/main/java/com/olexyn/misp/reverse/Tools.java b/reverse/src/main/java/com/olexyn/misp/reverse/Tools.java index 5042f78..254759f 100644 --- a/reverse/src/main/java/com/olexyn/misp/reverse/Tools.java +++ b/reverse/src/main/java/com/olexyn/misp/reverse/Tools.java 
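Review bot: get-smoke.http and pot-smoke.http now hard-code the same external, environment-specific host, `http://node175251-env-1739619.sh1.hidora.com:11231/`, so the smoke requests only work while that particular deployment is reachable and the hostname of a live instance becomes part of the repository history. A host variable resolved from the HTTP client's environment file (for example `GET {{host}}/`) would keep the fixtures portable and keep deployment details out of the commit. In get-smoke.http the method changed from POST to GET but the `Content-Type: application/json` header and the JSON body below it were kept, which is meaningless for a GET and may be rejected by some servers. The new file's name `pot-smoke.http` looks like a typo for `post-smoke.http`.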
@@ -17,6 +17,7 @@ public class Tools { URL url = URI.create(urlString).toURL(); HttpURLConnection connection = (HttpURLConnection) url.openConnection(); connection.setRequestMethod(method); + connection.getHeaderFields(); // TODO boolean getToForward = method.equals("GET") && urlString.contains("forward");
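Review bot: `connection.getHeaderFields(); // TODO` on the added line is not an inert placeholder: on `HttpURLConnection` reading the response headers forces the connection to open and the request to be sent, so anything the method configures after this point (further request headers, `setDoOutput`, the request body) is either ignored or fails with an `IllegalStateException` because the connection is already connected, and the discarded return value means nothing is gained in exchange. If the intent is the header editing the README describes for `Tools.send()`, it belongs on the request side via `connection.setRequestProperty(...)` before the connection is committed, and response headers should be read only after the request has been written; until that work exists the line should be removed rather than left as a TODO. Since the README lists redirect tricks as a risk, note that `HttpURLConnection` follows redirects by default, so `connection.setInstanceFollowRedirects(false);` next to `setRequestMethod`, combined with a check that the target stays on the configured `app` host, is the concrete mitigation. The enclosing method continues beyond the hunk and the hunk's trailing context is not visible here, so I cannot confirm what is configured after this line.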