MM-573: Harden dynamic network config and authorization header handling#2026
MM-573: Harden dynamic network config and authorization header handling#2026Divyateja2709 wants to merge 5 commits into
Conversation
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (3)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Hi, @Divyateja2709 We appreciate your Pull Request. To facilitate seamless integration and collaboration, please ensure you have joined our Slack workspace and the relevant designated channel. We recommend thoroughly reviewing the bookmark pages, project README, and wiki to gain a comprehensive understanding of the project architecture and development guidelines. Active participation in the daily stand-up meetings is encouraged for discussions, ticket assignments, and to foster connections with the development team. Prior to requesting an assignment in the channel, please create a Jira ticket or ask for an assignment of existing tickets. All pull request descriptions must comprehensively detail the before and after changes, substantiated by relevant video or image evidence. |
hi @therajanmaurya
This PR strengthens network-layer security remediation for MM-573 by hardening how dynamic instance configuration and request headers are handled before outbound API calls.
What changed
Added strict sanitization and fallback handling for dynamic instance values in InstanceConfigManager:
platformTenantId validation and CR/LF stripping
endpoint sanitization
path sanitization
protocol enforcement to secure default (https://) on invalid values
Updated URL construction to use sanitized protocol/host/path for:
main URL
self-service URL
interbank URL
Hardened KtorInterceptor authorization behavior:
sanitize token header value before use
attach Authorization only for HTTPS requests (with local-dev host exceptions)
Added remediation documentation:
docs/security/network-hardening-mm573.md
Security impact
Reduces header injection risk via CR/LF in tenant/token values.
Prevents malformed dynamic instance config from directly shaping unsafe URLs.
Reduces risk of token exposure on insecure transport by restricting auth-header attachment.
Scope
core/network/src/commonMain/kotlin/org/mifospay/core/network/config/InstanceConfigManager.kt
core/network/src/commonMain/kotlin/org/mifospay/core/network/utils/KtorInterceptor.kt
docs/security/network-hardening-mm573.md