Search code examples
securityhttp-headersvfswso2-esb

WSO2: trp.vfs variables end up in request headers (no matter what)

I encountered some strange behavior while analyzing the http headers in the following treatment

| sftp folder | ==vfs=> | ESB processing | ===http===> REST endpoint

IN

Files are read from the folder with the following inbound endpoint: 

<inboundEndpoint name="aaa2bbb-aaaFolder" onError="aaa2bbb-errors" protocol="file" sequence="aaa2bbb-processFiles" statistics="enable" suspend="false" trace="enable" xmlns="http://ws.apache.org/ns/synapse">
    <parameters>
        <parameter name="interval">5000</parameter>
        <parameter name="sequential">true</parameter>
        <parameter name="coordination">true</parameter>
        <parameter name="transport.vfs.ContentType">text/plain</parameter>
        <parameter name="transport.vfs.LockReleaseSameNode">false</parameter>
        <parameter name="transport.vfs.AutoLockRelease">false</parameter>
        <parameter name="transport.vfs.ActionAfterFailure">MOVE</parameter>
        <parameter name="transport.vfs.FailedRecordsFileName">vfs-move-failed-records.properties</parameter>
        <parameter name="transport.vfs.FailedRecordsFileDestination">repository/conf/</parameter>
        <parameter name="transport.vfs.MoveFailedRecordTimestampFormat">dd-MM-yyyy HH:mm:ss</parameter>
        <parameter name="transport.vfs.FailedRecordNextRetryDuration">3000</parameter>
        <parameter name="transport.vfs.ActionAfterProcess">MOVE</parameter>
        <parameter key="gov:/filesystem/fromAAA.txt" name="transport.vfs.FileURI"/>
        <parameter name="transport.vfs.ReplyFileURI">${registry:gov:/filesystem/fromAAA.txt}/success</parameter>
        <parameter name="transport.vfs.ReplyFileName">response.xml</parameter>
        <parameter name="transport.vfs.DistributedLock">false</parameter>
        <parameter name="transport.vfs.FileNamePattern">^CMDE.*\.zip|^(?!tmp).*\.xml</parameter>
        <parameter name="transport.vfs.Locking">disable</parameter>
        <parameter name="transport.vfs.FileSortAttribute">none</parameter>
        <parameter name="transport.vfs.FileSortAscending">true</parameter>
        <parameter name="transport.vfs.CreateFolder">true</parameter>
        <parameter name="transport.vfs.Streaming">false</parameter>
        <parameter name="transport.vfs.Build">false</parameter>
    </parameters>
</inboundEndpoint>

OUT

The problem is:

vfs variables such as File-Uri, File-Path or Last-Modified systematically end up in the Headers of the requests sent to the REST endpoint

Not only this isn't quite elegant but it raises a real security issue, for sftp File-Uri include username and passwords: 

sftp://${user}:${password}@some_domain.com/somePath

Attempts

I tried several variable names to remove this specific header in my sequences:

  • fileURI
  • file-uri
  • File-Uri
  • FILE-URI
  • transport.vfs.fileURI
<header name="${some-name}" scope="transport" action="remove"/>

but those variables always end up in the headers. How should I fix it? Is it a matter of tuning the inbound-endpoint properly to encapsulate its transport variables from the ones of the call?

[environment]

  • wso2ei 6.5.0
  • fileconnector-2.0.20
Solution

  • Not sure if it helps, but I used the following to remove all transport headers.

    <property name="TRANSPORT_HEADERS" action="remove" scope="axis2"/>

    Or use the following to remove headers.

    <property name="<name of the header to be removed>" scope="transport" action="remove"/>

    Maybe its worth a try.