2.1.0 Light Released

2.0.6 (2019-09-13)

Merged pull requests:

• fixed #609 #610 (chenyan71)

Upgrade Guidelines:

The following middleware handlers have been changed in this release and the config file needs to be updated to leverage the new features.

• config.yml

For this release, we have set the default value to true for allowDefaultValueEmpty so that empty value can be used in the template for other config files.

# For some configuration files, we have left some properties without default values as there
# would be negative impact on the application security. The following config will ensure that
# null will be used when the default value is empty without stopping the server during the start.
allowDefaultValueEmpty: true

• limit.yml

The errorCode is newly added to allow the users to customzied the error response if the request is dropped. By default, code 503 is returned.

# If the rate limit is exposed to the Internet to prevent DDoS attacks, it will return 503
# error code to trick the DDoS client/tool to stop the attacks as it considers the server
# is down. However, if the rate limit is used internally to throttle the client requests to
# protect a slow backend API, it will return 429 error code to indicate too many requests
# for the client to wait a grace period to resent the request. By default, 503 is returned.
errorCode: ${limit.errorCode:503}

• sanitizer.yml

This file is changed alot so that we can set up the encoders for both body and header separately.

---
# Sanitize request for cross-site scripting during runtime

# indicate if sanitizer is enabled or not
enabled: ${sanitizer.enabled:false}

# if it is enabled, the body needs to be sanitized
bodyEnabled: ${sanitizer.bodyEnabled:true}
# the encoder for the body. javascript, javascript-attribute, javascript-block or javascript-source
# There are other encoders that you can choose depending on your requirement. Please refer to site
# https://github.com/OWASP/owasp-java-encoder/blob/main/core/src/main/java/org/owasp/encoder/Encoders.java
bodyEncoder: ${sanitizer.bodyEncoder:javascript-source}
# pick up a list of keys to encode the values to limit the scope to only selected keys. You can
# choose this option if you want to only encode certain fields in the body. When this option is
# selected, you can not use the bodyAttributesToIgnore list.
bodyAttributesToEncode: ${sanitizer.bodyAttributesToEncode:}
# pick up a list of keys to ignore the values encoding to skip some of the values so that these
# values won't be encoded. You can choose this option if you want to encode everything except
# several values with a list of the keys. When this option is selected, you can not use the
# bodyAttributesToEncode list.
bodyAttributesToIgnore: ${sanitizer.bodyAttributesToIgnore:}

# if it is enabled, the header needs to be sanitized
headerEnabled: ${sanitizer.headerEnabled:true}
# the encoder for the header. javascript, javascript-attribute, javascript-block or javascript-source
# There are other encoders that you can choose depending on your requirement. Please refer to site
# https://github.com/OWASP/owasp-java-encoder/blob/main/core/src/main/java/org/owasp/encoder/Encoders.java
headerEncoder: ${sanitizer.headerEncoder:javascript-attribute}
# pick up a list of keys to encode the values to limit the scope to only selected keys. You can
# choose this option if you want to only encode certain fields in the body. When this option is
# selected, you can not use the headerAttributesToIgnore list.
headerAttributesToEncode: ${sanitizer.headerAttributesToEncode:}
# pick up a list of keys to ignore the values encoding to skip some of the values so that these
# values won't be encoded. You can choose this option if you want to encode everything except
# several values with a list of the keys. When this option is selected, you can not use the
# headerAttributesToEncode list.
headerAttributesToIgnore: ${sanitizer.headerAttributesToIgnore:}

router.yml

The router config in egress-router has been changed to add the query paramerter for service_id and URL rewrite rules.

# support serviceId in the query parameter for routing to overwrite serviceId in header routing.
# by default, it is false and shouldn't be used unless you are dealing with a legacy client that
# doesn't support header manipulation. Once this flag is true, we are going to overwrite the header
# service_id derived with other handlers from prefix, path, endpoint etc.
serviceIdQueryParameter: ${router.serviceIdQueryParameter:false}

# URL rewrite rules, each line will have two parts: the regex patten and replace string separated
# with a space. The light-router has service discovery for host routing, so whe working on the
# url rewrite rules, we only need to create about the path in the URL.
# Test your rules at https://www.freeformatter.com/java-regex-tester.html#ad-output
urlRewriteRules: ${router.urlRewriteRules:}