Prevent disclosure of routes of different host name
Hi,
Currently, if we expose multiple routes under different host names, all those routes are collected and provided to the browser when calling the fos_js_routing_js route. I know that we can expose the routes under different domains, but the domains can be provided as a query parameter.
For example, given the following routing:
```yaml
app_admin:
    host: "admin.myapp.local"
    resource: "@MyAdminBundle/Controller/"
    type: annotation
    prefix: /

app_public:
    host: "public.myapp.local"
    resource: "@MyPublicBundle/Controller/"
    type: annotation
    prefix: /
```
Considering I expose all my routes in AdminBundle with options={"expose"="admin"}, I can get the complete list of routes exposed by AdminBundle (related to admin.myapp.local) from a page of my PublicBundle (browsing public.myapp.local) if I provide the domain "admin". Ex.:
http://public.myapp.local/js/routing?callback=fos.Router.setData&domain=admin
To avoid such disclosure (which can be useful in some situations), maybe the best option would be to add a config option:
```yaml
fos_js_routing:
    policy: "same-host-only"
```
In that case, only routes exposed on the same fetched hostname are provided. If this config is used, we could add this kind of check in the ExposedRoutesExtractor::getRoutes() method:
```php
if ($route->getHost() !== '' && $route->getHost() !== $requestHost) {
    continue;
}
```
As an alternative, we could allow providing a matrix of authorized domains for the different hosts. E.g.:
```yaml
fos_js_routing:
    hosts:
        - admin.myapp.local: ['admin']
        - public.myapp.local: ['default', 'public']
```
It could be seen as a quick win to avoid disclosure of information. I know it's not that critical, as it's just security through obscurity, but it's always subject to being pointed out by security audits.
What do you think about that?
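The following is an added, stand-alone illustration of the two policies proposed above; it is not code from FOSJsRoutingBundle or from the issue author. The `Route` class is a minimal stand-in for Symfony's `Route` (only `getHost()` and `getOption()` are modelled so the script runs without Symfony), and `filterExposedRoutes()`, the policy names `same-host-only` and `hosts`, and the sample routes are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Stand-in for Symfony\Component\Routing\Route (assumption: only the two
// accessors the filter needs are modelled, so this runs without Symfony).
final class Route
{
    /** @param array<string,mixed> $options */
    public function __construct(
        private string $path,
        private string $host = '',      // '' means the route matches any host
        private array $options = [],
    ) {
    }

    public function getHost(): string
    {
        return $this->host;
    }

    public function getOption(string $name): mixed
    {
        return $this->options[$name] ?? null;
    }
}

/**
 * Filter exposed routes by the host the routing file is fetched from.
 *
 * $policy is 'same-host-only' (a route bound to a host is only served to a
 * request for that host) or 'hosts' (explicit matrix: request host => list of
 * expose domains that host may fetch). Hypothetical names, not the bundle's.
 *
 * @param array<string,Route>        $routes route name => Route
 * @param array<string,list<string>> $hosts  only used by the 'hosts' policy
 * @return array<string,Route>
 */
function filterExposedRoutes(
    array $routes,
    string $requestHost,
    string $requestedDomain,
    string $policy,
    array $hosts = [],
): array {
    // Normalise the request host: drop any port, compare case-insensitively.
    $requestHost = strtolower(explode(':', $requestHost, 2)[0]);

    $kept = [];
    foreach ($routes as $name => $route) {
        $expose = $route->getOption('expose');
        if ($expose === null || $expose === false) {
            continue;                           // not exposed at all
        }
        // expose=true lands in the "default" domain; a string names a domain.
        $domain = $expose === true ? 'default' : (string) $expose;
        if ($domain !== $requestedDomain) {
            continue;
        }

        if ($policy === 'same-host-only') {
            $routeHost = strtolower($route->getHost());
            if ($routeHost !== '' && $routeHost !== $requestHost) {
                continue;                       // belongs to another virtual host
            }
        } elseif ($policy === 'hosts') {
            if (!in_array($domain, $hosts[$requestHost] ?? [], true)) {
                continue;                       // domain not authorised for this host
            }
        } else {
            throw new InvalidArgumentException("Unknown policy: $policy");
        }

        $kept[$name] = $route;
    }

    return $kept;
}

// Constructed sample routes mirroring the two bundles in the post.
$routes = [
    'admin_dashboard' => new Route('/', 'admin.myapp.local', ['expose' => 'admin']),
    'admin_user_edit' => new Route('/users/{id}/edit', 'admin.myapp.local', ['expose' => 'admin']),
    'public_home'     => new Route('/', 'public.myapp.local', ['expose' => 'public']),
    'health'          => new Route('/healthz', '', ['expose' => true]),   // any host, "default" domain
];

// The request from the post: the public host asking for the admin domain.
$leak = filterExposedRoutes($routes, 'public.myapp.local', 'admin', 'same-host-only');
if ($leak !== []) {
    throw new RuntimeException('admin routes leaked to public host');
}
$own = filterExposedRoutes($routes, 'admin.myapp.local', 'admin', 'same-host-only');
if (array_keys($own) !== ['admin_dashboard', 'admin_user_edit']) {
    throw new RuntimeException('admin host should still get its own routes');
}

$matrix = ['admin.myapp.local' => ['admin'], 'public.myapp.local' => ['default', 'public']];
if (array_keys(filterExposedRoutes($routes, 'public.myapp.local', 'default', 'hosts', $matrix)) !== ['health']) {
    throw new RuntimeException('public host should get the default domain');
}
if (filterExposedRoutes($routes, 'public.myapp.local', 'admin', 'hosts', $matrix) !== []) {
    throw new RuntimeException('matrix should deny admin domain on public host');
}
echo "both policies behave as expected\n";
```

Two caveats for a real implementation of either policy: the request host comes from the client's Host header, so the check only means something if the web server or Symfony's `trusted_hosts` setting rejects hosts the application does not serve; and Symfony route hosts may contain placeholders (for example `{subdomain}.myapp.local`), which a plain string comparison like the one above will never match, so the production check should use the compiled host regex of the route rather than `getHost()` directly.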