HPCC-30080 Not access restricted resources for Unrestricted call

A user may use several URL parameters (ex. wsdl) to retrieve
Unrestricted resources (the xsd files, wsdl files, and sample
files in Open sources). The code is added to block the access
to other resources.

Signed-off-by: wangkx <[email protected]>

esp/bindings/http/platform/httpbinding.cpp

@@ -1136,6 +1136,40 @@ void EspHttpBinding::handleHttpPost(CHttpRequest *request, CHttpResponse *respon
         addToESPCache(cacheClient, request, response, cacheID.str(), cacheSeconds);
 }
 
+int EspHttpBinding::onGetUnrestricted(CHttpRequest* request, CHttpResponse* response,
+    const char *serviceName, const char *methodName, sub_service sstype)
+{
+    IEspContext& context = *request->queryContext();
+    LogLevel level = getEspLogLevel(&context);
+    if (level >= LogNormal)
+        DBGLOG("EspHttpBinding::onGetUnrestricted");
+
+    response->setVersion(HTTP_VERSION);
+    response->addHeader("Expires", "0");
+    response->setStatus(HTTP_STATUS_OK);
+
+    // adjust version if necessary
+    if (m_defaultSvcVersion.get() && !context.queryRequestParameters()->queryProp("ver_"))
+        context.setClientVersion(atof(m_defaultSvcVersion));
+
+    switch (sstype)
+    {
+        case sub_serv_xsd:
+            return onGetXsd(context, request, response, serviceName, methodName);
+        case sub_serv_wsdl:
+            return onGetWsdl(context, request, response, serviceName, methodName);
+        case sub_serv_reqsamplexml:
+            return onGetReqSampleXml(context, request, response, serviceName, methodName);
+        case sub_serv_respsamplexml:
+            return onGetRespSampleXml(context, request, response, serviceName, methodName);
+        case sub_serv_respsamplejson:
+            return onGetRespSampleJson(context, request, response, serviceName, methodName);
+        case sub_serv_reqsamplejson:
+            return onGetReqSampleJson(context, request, response, serviceName, methodName);
+    }
+    return 0;
+}
+
 int EspHttpBinding::onGet(CHttpRequest* request, CHttpResponse* response)
 {
     IEspContext& context = *request->queryContext();
@@ -1169,13 +1203,7 @@ int EspHttpBinding::onGet(CHttpRequest* request, CHttpResponse* response)
         case sub_serv_main:
         case sub_serv_index:
         case sub_serv_xform:
-        case sub_serv_xsd:
-        case sub_serv_wsdl:
         case sub_serv_soap_builder:
-        case sub_serv_reqsamplexml:
-        case sub_serv_respsamplexml:
-        case sub_serv_respsamplejson:
-        case sub_serv_reqsamplejson:
             context.setClientVersion(atof(m_defaultSvcVersion));
 
         default:
@@ -1211,24 +1239,12 @@ int EspHttpBinding::onGet(CHttpRequest* request, CHttpResponse* response)
             return onGetXForm(context, request, response, serviceName.str(), methodName.str());
         case sub_serv_result:
             return onGetResult(context, request, response, serviceName.str(), methodName.str(), pathEx.str());
-        case sub_serv_wsdl:
-            return onGetWsdl(context, request, response, serviceName.str(), methodName.str());
-        case sub_serv_xsd:
-            return onGetXsd(context, request, response, serviceName.str(), methodName.str());
         case sub_serv_instant_query:
             return onGetInstantQuery(context, request, response, serviceName.str(), methodName.str());
         case sub_serv_soap_builder:
             return onGetSoapBuilder(context, request, response, serviceName.str(), methodName.str());
         case sub_serv_json_builder:
             return onGetJsonBuilder(context, request, response, serviceName.str(), methodName.str());
-        case sub_serv_reqsamplexml:
-            return onGetReqSampleXml(context, request, response, serviceName.str(), methodName.str());
-        case sub_serv_respsamplexml:
-            return onGetRespSampleXml(context, request, response, serviceName.str(), methodName.str());
-        case sub_serv_respsamplejson:
-            return onGetRespSampleJson(context, request, response, serviceName.str(), methodName.str());
-        case sub_serv_reqsamplejson:
-            return onGetReqSampleJson(context, request, response, serviceName.str(), methodName.str());
         case sub_serv_query:
             return onGetQuery(context, request, response, serviceName.str(), methodName.str());
         case sub_serv_file_upload:

esp/bindings/http/platform/httpbinding.hpp

@@ -92,6 +92,7 @@ interface IEspHttpBinding
     virtual int onGetSoapBuilder(IEspContext &context, CHttpRequest* request, CHttpResponse* response,  const char *serv, const char *method)=0;
     virtual int onGetJsonBuilder(IEspContext &context, CHttpRequest* request, CHttpResponse* response,  const char *serv, const char *method)=0;
     virtual int onGetReqSampleXml(IEspContext &context, CHttpRequest* request, CHttpResponse* response, const char *serv, const char *method)=0;
+    virtual int onGetUnrestricted(CHttpRequest* request, CHttpResponse* response, const char *serviceName, const char *methodName, sub_service sstype)=0;
     virtual int onGetRespSampleXml(IEspContext &context, CHttpRequest* request, CHttpResponse* response,    const char *serv, const char *method)=0;
     virtual int onGetRespSampleJson(IEspContext &context, CHttpRequest* request, CHttpResponse* response,    const char *serv, const char *method)=0;
     virtual int onGetReqSampleJson(IEspContext &context, CHttpRequest* request, CHttpResponse* response, const char *serv, const char *method)=0;
@@ -325,6 +326,7 @@ class esp_http_decl EspHttpBinding :
         return onGet(request, response);
     }
 
+    virtual int onGetUnrestricted(CHttpRequest* request, CHttpResponse* response, const char *serviceName, const char *methodName, sub_service sstype);
     virtual int onGetReqSampleXml(IEspContext &context, CHttpRequest* request, CHttpResponse* response, const char *serv, const char *method);
     virtual int onGetRespSampleXml(IEspContext &context, CHttpRequest* request, CHttpResponse* response,    const char *serv, const char *method);
     virtual int onGetRespSampleJson(IEspContext &context, CHttpRequest* request, CHttpResponse* response,    const char *serv, const char *method);

esp/bindings/http/platform/httpservice.cpp

@@ -379,6 +379,13 @@ int CEspHttpServer::processRequest()
 
             if (thebinding!=NULL)
             {
+                if (thebinding->isUnrestrictedSSType(stype))
+                {
+                    thebinding->onGetUnrestricted(m_request.get(), m_response.get(), serviceName.str(), methodName.str(), stype);
+                    ctx->addTraceSummaryTimeStamp(LogMin, "handleHttp");
+                    return 0;
+                }
+
                 if(stricmp(method.str(), POST_METHOD)==0)
                     thebinding->handleHttpPost(m_request.get(), m_response.get());
                 else if(!stricmp(method.str(), GET_METHOD))