From 687d253b89bf2cade9228005204f5aa26ac9ef2b Mon Sep 17 00:00:00 2001 From: Michael Matloka Date: Mon, 18 Sep 2023 16:09:55 +0200 Subject: [PATCH 1/2] chore(plugin-server): Allow full rollout of hostname guard --- plugin-server/src/types.ts | 3 ++- plugin-server/src/utils/db/hub.ts | 7 ++++--- plugin-server/src/worker/ingestion/hooks.ts | 15 ++++++++++----- plugin-server/src/worker/vm/imports.ts | 5 ++++- 4 files changed, 20 insertions(+), 10 deletions(-) diff --git a/plugin-server/src/types.ts b/plugin-server/src/types.ts index 7434efb363515..3c16957e997f8 100644 --- a/plugin-server/src/types.ts +++ b/plugin-server/src/types.ts @@ -268,7 +268,8 @@ export interface Hub extends PluginsServerConfig { lastActivityType: string statelessVms: StatelessVmMap conversionBufferEnabledTeams: Set - fetchHostnameGuardTeams: Set + /** null means that the hostname guard is enabled for everyone */ + fetchHostnameGuardTeams: Set | null // functions enqueuePluginJob: (job: EnqueuedPluginJob) => Promise // ValueMatchers used for various opt-in/out features diff --git a/plugin-server/src/utils/db/hub.ts b/plugin-server/src/utils/db/hub.ts index a3ee16667d2f3..aeb5c26c95cfa 100644 --- a/plugin-server/src/utils/db/hub.ts +++ b/plugin-server/src/utils/db/hub.ts @@ -70,9 +70,10 @@ export async function createHub( const conversionBufferEnabledTeams = new Set( serverConfig.CONVERSION_BUFFER_ENABLED_TEAMS.split(',').filter(String).map(Number) ) - const fetchHostnameGuardTeams = new Set( - serverConfig.FETCH_HOSTNAME_GUARD_TEAMS.split(',').filter(String).map(Number) - ) + const fetchHostnameGuardTeams = + serverConfig.FETCH_HOSTNAME_GUARD_TEAMS === '*' + ? null + : new Set(serverConfig.FETCH_HOSTNAME_GUARD_TEAMS.split(',').filter(String).map(Number)) const statsd: StatsD | undefined = createStatsdClient(serverConfig, threadId) diff --git a/plugin-server/src/worker/ingestion/hooks.ts b/plugin-server/src/worker/ingestion/hooks.ts index 2cc8279c88d52..daecf05da17b9 100644 
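Review bot: The wildcard test in `createHub` is an exact string comparison, so a value such as `' *'` or `'*,'` in FETCH_HOSTNAME_GUARD_TEAMS falls through to the list branch, where `Number('*')` yields NaN and no team id ever matches. The hostname guard is then off for every team, with no error. Because this setting selects the guarded fetch wrapper, the parse should fail loudly rather than open: compare with `serverConfig.FETCH_HOSTNAME_GUARD_TEAMS.trim() === '*'` and reject unparsable entries, for example `if (ids.some((id) => !Number.isInteger(id))) throw new Error('Invalid FETCH_HOSTNAME_GUARD_TEAMS')`. The body of createHub continues outside the hunk.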
--- a/plugin-server/src/worker/ingestion/hooks.ts +++ b/plugin-server/src/worker/ingestion/hooks.ts @@ -257,7 +257,7 @@ export class HookCommander { organizationManager: OrganizationManager statsd: StatsD | undefined siteUrl: string - fetchHostnameGuardTeams: Set + fetchHostnameGuardTeams: Set | null /** Hook request timeout in ms. */ EXTERNAL_REQUEST_TIMEOUT = 10 * 1000 @@ -266,13 +266,13 @@ export class HookCommander { postgres: PostgresRouter, teamManager: TeamManager, organizationManager: OrganizationManager, - fetchHostnameGuardTeams?: Set, + fetchHostnameGuardTeams: Set | null = new Set(), statsd?: StatsD ) { this.postgres = postgres this.teamManager = teamManager this.organizationManager = organizationManager - this.fetchHostnameGuardTeams = fetchHostnameGuardTeams || new Set() + this.fetchHostnameGuardTeams = fetchHostnameGuardTeams if (process.env.SITE_URL) { this.siteUrl = process.env.SITE_URL } else { @@ -362,7 +362,10 @@ export class HookCommander { `⌛⌛⌛ Posting Webhook slow. Timeout warning after 5 sec! url=${webhookUrl} team_id=${team.id} event_id=${event.eventUuid}` ) }, 5000) - const relevantFetch = isCloud() && this.fetchHostnameGuardTeams.has(team.id) ? safeTrackedFetch : trackedFetch + const relevantFetch = + isCloud() && (!this.fetchHostnameGuardTeams || this.fetchHostnameGuardTeams.has(team.id)) + ? safeTrackedFetch + : trackedFetch try { await instrumentWebhookStep('fetch', async () => { const request = await relevantFetch(webhookUrl, { @@ -405,7 +408,9 @@ export class HookCommander { ) }, 5000) const relevantFetch = - isCloud() && this.fetchHostnameGuardTeams.has(hook.team_id) ? safeTrackedFetch : trackedFetch + isCloud() && (!this.fetchHostnameGuardTeams || this.fetchHostnameGuardTeams.has(hook.team_id)) + ? safeTrackedFetch + : trackedFetch try { const request = await relevantFetch(hook.target, { method: 'POST', 
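Review bot: In the `HookCommander` constructor, omitting `fetchHostnameGuardTeams` and passing `null` now mean opposite things: the default `new Set()` selects the unguarded `trackedFetch` for every team, while `null` selects `safeTrackedFetch` for every team. A call site that leaves the argument out gets no hostname guard and no warning, whereas before this change both `null` and `undefined` ended up as the empty set. Consider making the parameter required so each caller states its choice, or defaulting to `null` rather than `new Set()` so that the omitted case lands on the guarded side. The constructor body continues outside the hunk.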
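Review bot: The expression that picks between `safeTrackedFetch` and `trackedFetch` is now written out three times: here with `team.id`, in the second `relevantFetch` assignment further down this file with `hook.team_id`, and in `determineImports` in vm/imports.ts. It decides whether an outbound request goes through the hostname guard, so the copies should not be able to drift apart. A single helper taking the team id, for example `isHostnameGuardEnabled(teamId)` returning `isCloud() && (teams === null || teams.has(teamId))`, would keep the rule in one place. Comparing with `=== null` also matches the documented meaning more directly than `!this.fetchHostnameGuardTeams`. The enclosing method starts and ends outside the hunk.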
diff --git a/plugin-server/src/worker/vm/imports.ts b/plugin-server/src/worker/vm/imports.ts index d7b02d87c1c41..0b7e5e0df6a72 100644 --- a/plugin-server/src/worker/vm/imports.ts +++ b/plugin-server/src/worker/vm/imports.ts @@ -35,7 +35,10 @@ export function determineImports(hub: Hub, teamId: number) { 'aws-sdk': AWS, ethers: ethers, 'generic-pool': genericPool, - 'node-fetch': isCloud() && hub.fetchHostnameGuardTeams.has(teamId) ? safeTrackedFetch : trackedFetch, + 'node-fetch': + isCloud() && (!hub.fetchHostnameGuardTeams || hub.fetchHostnameGuardTeams.has(teamId)) + ? safeTrackedFetch + : trackedFetch, 'snowflake-sdk': snowflake, crypto: crypto, jsonwebtoken: jsonwebtoken, From a51f430c76ab804e9a684e166da7d854403cb7f1 Mon Sep 17 00:00:00 2001 From: Michael Matloka Date: Tue, 19 Sep 2023 18:25:06 +0200 Subject: [PATCH 2/2] Add comment --- plugin-server/src/worker/ingestion/hooks.ts | 1 + 1 file changed, 1 insertion(+) diff --git a/plugin-server/src/worker/ingestion/hooks.ts b/plugin-server/src/worker/ingestion/hooks.ts index daecf05da17b9..c2bab8f9e3a42 100644 --- a/plugin-server/src/worker/ingestion/hooks.ts +++ b/plugin-server/src/worker/ingestion/hooks.ts @@ -257,6 +257,7 @@ export class HookCommander { organizationManager: OrganizationManager statsd: StatsD | undefined siteUrl: string + /** null means that the hostname guard is enabled for everyone */ fetchHostnameGuardTeams: Set | null /** Hook request timeout in ms. */