
decentraland / asset-bundle-registry / 27715588950

17 Jun 2026 07:51PM UTC coverage: 71.347% (+0.3%) from 71.042%
Build 27715588950 · push · github · web-flow
fix: validate deployment content-server url against a catalyst allowlist (#122)

fix: validate deployment content-server url against a content-server allowlist

the deployment event's contentServerUrls is attacker-influenced and the
registry fetches the entity from it (catalyst / worlds), so:

- the message processor drops any deployment carrying an off-allowlist
  content-server host before dispatching to ANY handler, so a poisoned
  message can't leave an orphaned queue-status entry via the status
  handler. the deployment handler keeps the same guard as defense in depth.
- content fetches (catalyst content client + worlds) no longer follow
  redirects, so an allowlisted host can't 30x to an internal resource.

the allowlist is sourced from the required ALLOWED_CONTENT_SERVER_HOSTS env
var (set per-env in the definitions repo, with known defaults in
.env.default). entityId is not gated here: in the registry it only reaches
parameterized sql / cache keys, not a filesystem path or s3 key.

related to decentraland/asset-bundle-converter#306

629 of 920 branches covered (68.37%)

Branch coverage included in aggregate %.

35 of 40 new or added lines in 5 files covered. (87.5%)

1632 of 2249 relevant lines covered (72.57%)

40.05 hits per line

Source file: /src/logic/message-processor.ts (94.55% covered)


Source Not Available
