restrict env variables start with HASURA_GRAPHQL_ for headers configuration in actions, event triggers & remote schemas (hasura#5519)

rakeshkky · 0x777 · rakeshkky · commit e194503a658e · 2020-08-06T12:04:46.000+05:30
* restrict env variables start with HASURA_GRAPHQL_ for headers definition in actions &amp; event triggers

* update CHANGELOG.md

* Apply suggestions from code review

Co-authored-by: Vamshi Surabhi &lt;0x777@users.noreply.github.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,10 +2,19 @@
 
 ## Next release
 
+### Breaking change
+
+Headers from environment variables starting with `HASURA_GRAPHQL_` are not allowed  
+in event triggers, actions & remote schemas.
+
+If you do have such headers configured, then you must update the header configuration before upgrading.
+
 ### Bug fixes and improvements
 
 (Add entries here in the order of: server, console, cli, docs, others)
 
+- server: disallow headers from env variables starting with `HASURA_GRAPHQL_` in actions, event triggers & remote schemas (#5519)
+**WARNING**: This might break certain deployments. See `Breaking change` section above.
 - server: bugfix to allow HASURA_GRAPHQL_QUERY_PLAN_CACHE_SIZE of 0 (#5363)
 - server: support only a bounded plan cache, with a default size of 4000 (closes #5363)
 - server: add logs for action handlers
@@ -39,7 +48,7 @@
 - server: have haskell runtime release blocks of memory back to the OS eagerly (related to #3388)
 - server: unlock locked scheduled events on graceful shutdown (#4928)
 - server: disable prepared statements for mutations as we end up with single-use objects which result in excessive memory consumption for mutation heavy workloads (#5255)
-- server: include scheduled event metadata (`created_at`,`scheduled_time`,`id`, etc) along with the configured payload in the request body to the webhook. 
+- server: include scheduled event metadata (`created_at`,`scheduled_time`,`id`, etc) along with the configured payload in the request body to the webhook.
 **WARNING:** This is breaking for beta versions as the payload is now inside a key called `payload`.
 - console: allow configuring statement timeout on console RawSQL page (close #4998) (#5045)
 - console: support tracking partitioned tables (close #5071) (#5258)
diff --git a/server/src-lib/Hasura/RQL/DDL/Headers.hs b/server/src-lib/Hasura/RQL/DDL/Headers.hs
@@ -8,8 +8,8 @@ import           Hasura.RQL.Types.Error
 import           Language.Haskell.TH.Syntax (Lift)
 
 import qualified Data.CaseInsensitive       as CI
-import qualified Data.Text                  as T
 import qualified Data.Environment           as Env
+import qualified Data.Text                  as T
 import qualified Network.HTTP.Types         as HTTP
 
 
@@ -35,7 +35,10 @@ instance FromJSON HeaderConf where
     case (value, valueFromEnv ) of
       (Nothing, Nothing)  -> fail "expecting value or value_from_env keys"
       (Just val, Nothing) -> return $ HeaderConf name (HVValue val)
-      (Nothing, Just val) -> return $ HeaderConf name (HVEnv val)
+      (Nothing, Just val) -> do
+        when (T.isPrefixOf "HASURA_GRAPHQL_" val) $
+          fail $ "env variables starting with \"HASURA_GRAPHQL_\" are not allowed in value_from_env: " <> T.unpack val
+        return $ HeaderConf name (HVEnv val)
       (Just _, Just _)    -> fail "expecting only one of value or value_from_env keys"
   parseJSON _ = fail "expecting object for headers"
 
diff --git a/server/tests-py/queries/actions/metadata/create_with_headers.yaml b/server/tests-py/queries/actions/metadata/create_with_headers.yaml
@@ -0,0 +1,21 @@
+description: Define an action with headers configuration
+url: /v1/query
+status: 400
+query:
+  type: create_action
+  args:
+    name: create_user_1
+    definition:
+      kind: synchronous
+      arguments:
+      - name: name
+        type: String!
+      output_type: User!
+      handler: http://127.0.0.1:5593/create-user
+      headers:
+      - name: x-client-id
+        value_from_env: HASURA_GRAPHQL_CLIENT_NAME
+response:
+  path: $.definition.headers[0]
+  error: 'env variables starting with "HASURA_GRAPHQL_" are not allowed in value_from_env: HASURA_GRAPHQL_CLIENT_NAME'
+  code: parse-failed
diff --git a/server/tests-py/test_actions.py b/server/tests-py/test_actions.py
@@ -455,6 +455,9 @@ def dir(cls):
     def test_recreate_permission(self, hge_ctx):
         check_query_f(hge_ctx, self.dir() + '/recreate_permission.yaml')
 
+    def test_create_with_headers(self, hge_ctx):
+        check_query_f(hge_ctx, self.dir() + '/create_with_headers.yaml')
+
 # Test case for bug reported at https://github.com/hasura/graphql-engine/issues/5166
 @pytest.mark.usefixtures('per_class_tests_db_state')
 class TestActionIntrospection:
