There's a big section of code in frontend.h:find_endpoint to populate 404 reponses, also handling the case where we have a matching path but not a matching HTTP method (/verb), to respond to OPTIONS queries or fill a Method not allowed response.
But if we decide not to execute an endpoint because of a missing operator feature, we take a totally separate path later, returning a blank 404 with no body or further details.
This is an annoying inconsistency, but will be worse if we want to treat operator_features as properly hiding endpoints. If distinguishing non-implemented from non-visible endpoints has any security value, this breaks it.
We should make these consistent, by pushing the operator_features check into find_endpoint(). This is non-trivial because of the Method not allowed handling. We probably need to change the interaction between the frontend and the endpoints, returning a set of endpoints that match the path and then filtering by method (or feature) ourselves.
There's a big section of code in
frontend.h:find_endpointto populate 404 reponses, also handling the case where we have a matching path but not a matching HTTP method (/verb), to respond toOPTIONSqueries or fill aMethod not allowedresponse.But if we decide not to execute an endpoint because of a missing operator feature, we take a totally separate path later, returning a blank
404with no body or further details.This is an annoying inconsistency, but will be worse if we want to treat
operator_featuresas properly hiding endpoints. If distinguishing non-implemented from non-visible endpoints has any security value, this breaks it.We should make these consistent, by pushing the
operator_featurescheck intofind_endpoint(). This is non-trivial because of theMethod not allowedhandling. We probably need to change the interaction between the frontend and the endpoints, returning a set of endpoints that match the path and then filtering by method (or feature) ourselves.