hotfix: change protected fields to allow scoped fields

globocom · May 4, 2023 · 675935d · 675935d
1 parent 984d7fd
commit 675935d
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 8 deletions.
diff --git a/lib/http/SchemaResponse.js b/lib/http/SchemaResponse.js
@@ -5,17 +5,18 @@ class SchemaResponse {
     this.functionsRequest = functionsRequest;
     this.res = res;
     this.schemaName = schemaName;
-    this.protectedFields = config.responseProtectedFields;
+    this.allowedFields = config.responseAllowedFields;
   }
 
-  removeProtectedFields(data) {
-    for (const field of this.protectedFields) {
-      delete data[field];
-    };
-  };
+  removeNotAllowedFields(data) {
+    const fieldsToRemove = Object.keys(data.env.filter(field => !this.allowedFields.includes(field)));
+    for (const field of fieldsToRemove) {
+      delete data.env[field];
+    }
+  }
 
   json(data) {
-    this.removeProtectedFields(data);
+    this.removeNotAllowedFields(data);
     const schemeAndAuthority = this.functionsRequest.schemeAndAuthority();
     this.res.set('Content-Type', `application/json; charset=utf-8; profile=${schemeAndAuthority}/_schemas/${this.schemaName}`);
     this.res.end(JSON.stringify(data));

diff --git a/lib/support/config.js b/lib/support/config.js
@@ -22,7 +22,7 @@ module.exports = {
   defaultGlobalModules: ConfigDiscovery.getList('DEFAULT_GLOBAL_MODULES', DEFAULT_GLOBAL_MODULES),
   bodyParserLimit: process.env.BODY_PARSER_LIMIT || '1mb',
   redisConnectionTimeout: ConfigDiscovery.getInt('REDIS_CONNECTION_TIMEOUT', 2000),
-  responseProtectedFields: ConfigDiscovery.getList('RESPONSE_PROTECTED_FIELDS', ['env']),
+  responseAllowedFields: ConfigDiscovery.getList('RESPONSE_ALLOWED_FIELDS', ['BACKSTAGE_CLIENT_ID']),
   metric: {
     client: process.env.METRIC_CLIENT,
     udpHost: process.env.METRIC_UDP_HOST,