You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
According to the rosapi README.md, the services_glob should allow whitelisting of desired services and block others not provided in the services_glob arg.
Note: By default the rosapi calls for details about topics, services, and parameters will return nothing. You must specify a list of allowed resources. Each of the glob parameters may contain an array of one or more match patterns. Resources that match any of the specified patterns will be returned by calls to the rosapi services.
This feature is of interest to us so we can disallow users from accessing certain services for security reasons, e.g. preventing a remote user from modifying arbitrary ROS params that could disrupt our system or other users.
Library Version: 0.11.17
ROS Version: Noetic
Platform / OS: Ubuntu 20.04.6 LTS (Focal)
Steps To Reproduce
In rosbridge_websocket_launch.xml, it can be given an argument services_glob that can be set to allow specific services. <arg name="services_glob" value="[/rosapi/node_details, /rosapi/get_param]" />
Set this argument to the name of a service to be allowed.
Expected Behavior
The services in services_glob should be allowed, and all other services should be disallowed.
Actual Behavior
This feature is not working as seemingly intended, as it whitelists all /rosapi services.
I have confirmed that the services_glob argument is set correctly.
# To be able to access the list of topics and services, you must be able to access the rosapi services.
if RosbridgeWebSocket.services_glob:
RosbridgeWebSocket.services_glob.append("/rosapi/*")
This seems to defeat the purpose of the services_glob.
What's the point of having a mechanism to disable undesired services if they will all be enabled by default anyways?
The comment states that it is necessary to access the list of topics and services.
However, RosBridge seems to work just fine for us even if these lines allowing all services are commented out.
Although the comment states accessing these is necessary, I can't find where in the code they are needed.
If it is necessary for the services providing the list of topics and services to be available, it may be better to always whitelist only those needed services instead of all of them.
For example, if we only need the list of topics and services, we could do something like this:
# To be able to access the list of topics and services, you must be able to access the rosapi services.
if RosbridgeWebSocket.services_glob:
RosbridgeWebSocket.services_glob.append("/rosapi/topics")
RosbridgeWebSocket.services_glob.append("/rosapi/services")
Can someone please explain why some services must always be whitelisted, if at all?
If possible, I would like to make a commit to remove or limit this default whitelisting behaviour so we can have the functionality of the services_glob.
However, I would like to be sure I am not misunderstanding the purpose of services_glob or breaking other features.
I can see this code was implemented in this commit in 2019 by @jubeira.
Thank you.
The text was updated successfully, but these errors were encountered:
According to the rosapi README.md, the services_glob should allow whitelisting of desired services and block others not provided in the services_glob arg.
This feature is of interest to us so we can disallow users from accessing certain services for security reasons, e.g. preventing a remote user from modifying arbitrary ROS params that could disrupt our system or other users.
Steps To Reproduce
In rosbridge_websocket_launch.xml, it can be given an argument services_glob that can be set to allow specific services.
<arg name="services_glob" value="[/rosapi/node_details, /rosapi/get_param]" />Set this argument to the name of a service to be allowed.
Expected Behavior
The services in services_glob should be allowed, and all other services should be disallowed.
Actual Behavior
This feature is not working as seemingly intended, as it whitelists all /rosapi services.
I have confirmed that the services_glob argument is set correctly.
However, Line 321 in rosbridge_websocket.py seems to explicitly allow the accessing of all rosapi services.
This seems to defeat the purpose of the services_glob.
What's the point of having a mechanism to disable undesired services if they will all be enabled by default anyways?
The comment states that it is necessary to access the list of topics and services.
However, RosBridge seems to work just fine for us even if these lines allowing all services are commented out.
Although the comment states accessing these is necessary, I can't find where in the code they are needed.
If it is necessary for the services providing the list of topics and services to be available, it may be better to always whitelist only those needed services instead of all of them.
For example, if we only need the list of topics and services, we could do something like this:
Can someone please explain why some services must always be whitelisted, if at all?
If possible, I would like to make a commit to remove or limit this default whitelisting behaviour so we can have the functionality of the services_glob.
However, I would like to be sure I am not misunderstanding the purpose of services_glob or breaking other features.
I can see this code was implemented in this commit in 2019 by @jubeira.
Thank you.
The text was updated successfully, but these errors were encountered: