Skip to content

Commit

Permalink
fix: limit SW registration to content root
Browse files Browse the repository at this point in the history
Introduces hardening proposed in:
#4025 (comment)

License: MIT
Signed-off-by: Marcin Rataj <lidel@lidel.org>
  • Loading branch information
lidel authored and Stebalien committed Jan 17, 2020
1 parent 9aa2f07 commit 455e498
Show file tree
Hide file tree
Showing 2 changed files with 20 additions and 0 deletions.
13 changes: 13 additions & 0 deletions core/corehttp/gateway_handler.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ import (
"net/http"
"net/url"
gopath "path"
"regexp"
"runtime/debug"
"strings"
"time"
Expand Down Expand Up @@ -151,6 +152,18 @@ func (i *gatewayHandler) getOrHeadHandler(w http.ResponseWriter, r *http.Request
ipnsHostname = true
}

// Service Worker registration request
if r.Header.Get("Service-Worker") == "script" {
// Disallow Service Worker registration on namespace roots
// https://github.com/ipfs/go-ipfs/issues/4025
matched, _ := regexp.MatchString(`^/ip[fn]s/[^/]+$`, r.URL.Path)
if matched {
err := fmt.Errorf("registration is not allowed for this scope")
webError(w, "navigator.serviceWorker", err, http.StatusBadRequest)
return
}
}

parsedPath := ipath.New(urlPath)
if err := parsedPath.IsValid(); err != nil {
webError(w, "invalid ipfs path", err, http.StatusBadRequest)
Expand Down
7 changes: 7 additions & 0 deletions test/sharness/t0110-gateway.sh
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,13 @@ test_expect_success "GET IPFS path with explicit filename succeeds with proper h
grep -F \"Content-Disposition: inline; filename*=UTF-8''test%D1%82%D0%B5%D1%81%D1%82\" actual_headers
"

# https://github.com/ipfs/go-ipfs/issues/4025#issuecomment-342250616
test_expect_success "GET for Service Worker registration outside of an IPFS content root errors" "
curl -H 'Service-Worker: script' -svX GET 'http://127.0.0.1:$port/ipfs/$HASH?filename=sw.js' > curl_sw_out 2>&1 &&
grep 'HTTP/1.1 400 Bad Request' curl_sw_out &&
grep 'navigator.serviceWorker: registration is not allowed for this scope' curl_sw_out
"

test_expect_success "GET IPFS path output looks good" '
test_cmp expected actual &&
rm actual
Expand Down

0 comments on commit 455e498

Please sign in to comment.