Filestore: Disable config.Filestore.APIServerSidePaths for now.
Disable config.Filestore.APIServerSidePaths for now due to security concerns.

License: MIT
Signed-off-by: Kevin Atkinson <[email protected]>
kevina committed Oct 15, 2016
1 parent e74f619 commit 241d10d
Showing 6 changed files with 74 additions and 64 deletions.
2 changes: 1 addition & 1 deletion core/commands/filestore.go
@@ -99,7 +99,7 @@ same as for 'ipfs add'.
}
config, _ := req.InvocContext().GetConfig()
serverSide, _, _ := req.Option("server-side").Bool()
if serverSide && !config.Filestore.APIServerSidePaths {
if serverSide && !config.Filestore.APIServerSidePathsEnabled() {
res.SetError(errors.New("server side paths not enabled"), cmds.ErrNormal)
return
}
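Review bot: The changed guard dereferences `config` without a nil check, although the error from `GetConfig()` is discarded on the line above; if a failed load yields a nil pointer, as the `config == nil` test in filestore/util/move.go suggests, a `--server-side` request would panic instead of being refused. The guard should fail closed the way move.go does: `if serverSide && (config == nil || !config.Filestore.APIServerSidePathsEnabled()) {`. Both this file and move.go also drop the config error with `_`, so a load failure reaches the user as "server side paths not enabled"; returning that error would make the refusal easier to diagnose. The enclosing function starts and ends outside the hunk.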
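--- a/filestore/README-also.md
+++ b/filestore/README-also.md
@@ -0,0 +1,31 @@
+## Server side adds
+
+**Note: Server side adds are currently disabled in the code due to
+security concerns. If you wish to enable this feature you will need
+to compile IPFS from source and modify `repo/config/datastore.go`.**
+
+When adding a file when the daemon is online. The client sends both
+the file contents and path to the server, and the server will then
+verify that the same content is available via the specified path by
+reading the file again on the server side. To avoid this extra
+overhead and allow directories to be added when the daemon is
+online server side paths can be used.
+
+To use this feature you must first enable API.ServerSideAdds using:
+```
+ipfs config Filestore.APIServerSidePaths --bool true
+```
+*This option should be used with care since it will allow anyone with
+access to the API Server access to any files that the daemon has
+permission to read.* For security reasons it is probably best to only
+enable this on a single user system and to make sure the API server is
+configured to the default value of only binding to the localhost
+(`127.0.0.1`).
+
+With the `Filestore.APIServerSidePaths` option enabled you can add
+files using `filestore add -S`. For example, to add the file
+`hello.txt` in the current directory use:
+```
+ipfs filestore add -S -P hello.txt
+```
+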
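--- a/filestore/README.md
+++ b/filestore/README.md
@@ -88,33 +88,6 @@ The `add-dir` script if fairly simple way to keep a directly in sync.
 A more sophisticated application could use i-notify or a similar
 interface to re-add files as they are changed.
 
-## Server side adds
-
-When adding a file when the daemon is online. The client sends both
-the file contents and path to the server, and the server will then
-verify that the same content is available via the specified path by
-reading the file again on the server side. To avoid this extra
-overhead and allow directories to be added when the daemon is
-online server side paths can be used.
-
-To use this feature you must first enable API.ServerSideAdds using:
-```
-ipfs config Filestore.APIServerSidePaths --bool true
-```
-*This option should be used with care since it will allow anyone with
-access to the API Server access to any files that the daemon has
-permission to read.* For security reasons it is probably best to only
-enable this on a single user system and to make sure the API server is
-configured to the default value of only binding to the localhost
-(`127.0.0.1`).
-
-With the `Filestore.APIServerSidePaths` option enabled you can add
-files using `filestore add -S`. For example, to add the file
-`hello.txt` in the current directory use:
-```
-ipfs filestore add -S -P hello.txt
-```
-
 ## Listing and verifying blocks
 
 To list the contents of the filestore use the command `filestore ls`,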
2 changes: 1 addition & 1 deletion filestore/util/move.go
@@ -58,7 +58,7 @@ import (

func ConvertToFile(node *core.IpfsNode, k *cid.Cid, path string) error {
config, _ := node.Repo.Config()
if !node.LocalMode() && (config == nil || !config.Filestore.APIServerSidePaths) {
if !node.LocalMode() && (config == nil || !config.Filestore.APIServerSidePathsEnabled()) {
return errs.New("Daemon is running and server side paths are not enabled.")
}
if !filepath.IsAbs(path) {
8 changes: 7 additions & 1 deletion repo/config/datastore.go
@@ -43,5 +43,11 @@ func DataStorePath(configroot string) (string, error) {

type Filestore struct {
Verify string // one of "always", "ifchanged", "never"
APIServerSidePaths bool
// Note: APIServerSidePath Disabled due to security concerns
//APIServerSidePaths bool
}

func (c *Filestore) APIServerSidePathsEnabled() bool {
//return c.APIServerSidePaths
return false;
}
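Review bot: `APIServerSidePathsEnabled` is exported without a doc comment and ends in `return false;`, whose trailing semicolon gofmt would strip. Both callers changed in this commit now rely on this method to keep API clients from naming paths on the daemon's filesystem, so it deserves a comment saying so, e.g. `// APIServerSidePathsEnabled reports whether API clients may pass server-side paths; it always returns false while the feature is disabled for security reasons.` followed by a plain `return false`. The struct comment also reads `APIServerSidePath` where the field is `APIServerSidePaths`. With the field commented out, a config file that still sets `Filestore.APIServerSidePaths` to true is presumably ignored without any message; stating that in the comment would help whoever restores the field.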
68 changes: 34 additions & 34 deletions test/sharness/lib/test-filestore-lib.sh
@@ -377,52 +377,52 @@ filestore_test_w_daemon() {
test -z "`ipfs filestore ls -q`"
'

test_expect_success "enable Filestore.APIServerSidePaths" '
ipfs config Filestore.APIServerSidePaths --bool true
'
# test_expect_success "enable Filestore.APIServerSidePaths" '
# ipfs config Filestore.APIServerSidePaths --bool true
# '

test_launch_ipfs_daemon $opt
# test_launch_ipfs_daemon $opt

test_add_cat_file "filestore add -S" "`pwd`"
# test_add_cat_file "filestore add -S" "`pwd`"

test_post_add "filestore add -S" "`pwd`"
# test_post_add "filestore add -S" "`pwd`"

test_add_empty_file "filestore add -S" "`pwd`"
# test_add_empty_file "filestore add -S" "`pwd`"

test_add_cat_5MB "filestore add -S" "`pwd`"
# test_add_cat_5MB "filestore add -S" "`pwd`"

test_add_mulpl_files "filestore add -S"
# test_add_mulpl_files "filestore add -S"

cat <<EOF > add_expect
added QmQhAyoEzSg5JeAzGDCx63aPekjSGKeQaYs4iRf4y6Qm6w adir
added QmSr7FqYkxYWGoSfy8ZiaMWQ5vosb18DQGCzjwEQnVHkTb `pwd`/adir/file3
added QmVr26fY1tKyspEJBniVhqxQeEjhF78XerGiqWAwraVLQH `pwd`/adir/file1
added QmZm53sWMaAQ59x56tFox8X9exJFELWC33NLjK6m8H7CpN `pwd`/adir/file2
EOF
# cat <<EOF > add_expect
# added QmQhAyoEzSg5JeAzGDCx63aPekjSGKeQaYs4iRf4y6Qm6w adir
# added QmSr7FqYkxYWGoSfy8ZiaMWQ5vosb18DQGCzjwEQnVHkTb `pwd`/adir/file3
# added QmVr26fY1tKyspEJBniVhqxQeEjhF78XerGiqWAwraVLQH `pwd`/adir/file1
# added QmZm53sWMaAQ59x56tFox8X9exJFELWC33NLjK6m8H7CpN `pwd`/adir/file2
# EOF

test_expect_success "testing filestore add -S -r" '
mkdir adir &&
echo "Hello Worlds!" > adir/file1 &&
echo "HELLO WORLDS!" > adir/file2 &&
random 5242880 41 > adir/file3 &&
ipfs filestore add -S -r "`pwd`/adir" | LC_ALL=C sort > add_actual &&
test_cmp add_expect add_actual &&
ipfs cat QmVr26fY1tKyspEJBniVhqxQeEjhF78XerGiqWAwraVLQH > cat_actual
test_cmp adir/file1 cat_actual
'
# test_expect_success "testing filestore add -S -r" '
# mkdir adir &&
# echo "Hello Worlds!" > adir/file1 &&
# echo "HELLO WORLDS!" > adir/file2 &&
# random 5242880 41 > adir/file3 &&
# ipfs filestore add -S -r "`pwd`/adir" | LC_ALL=C sort > add_actual &&
# test_cmp add_expect add_actual &&
# ipfs cat QmVr26fY1tKyspEJBniVhqxQeEjhF78XerGiqWAwraVLQH > cat_actual
# test_cmp adir/file1 cat_actual
# '

test_expect_success "filestore mv" '
HASH=QmQHRQ7EU8mUXLXkvqKWPubZqtxYPbwaqYo6NXSfS9zdCc &&
test_must_fail ipfs filestore mv $HASH "mountdir/bigfile-42-also" &&
ipfs filestore mv $HASH "`pwd`/mountdir/bigfile-42-also"
'
# test_expect_success "filestore mv" '
# HASH=QmQHRQ7EU8mUXLXkvqKWPubZqtxYPbwaqYo6NXSfS9zdCc &&
# test_must_fail ipfs filestore mv $HASH "mountdir/bigfile-42-also" &&
# ipfs filestore mv $HASH "`pwd`/mountdir/bigfile-42-also"
# '

filestore_test_exact_paths '-S'
# filestore_test_exact_paths '-S'

test_add_symlinks '-S'
# test_add_symlinks '-S'

test_add_dir_w_symlinks '-S'
# test_add_dir_w_symlinks '-S'

test_kill_ipfs_daemon
# test_kill_ipfs_daemon

}
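Review bot: Commenting out every `-S` test leaves the new refusal itself untested: nothing in this function asserts that `filestore add -S` against a running daemon now fails. A short negative test in place of the disabled block would catch the restriction being lifted unnoticed when the field in repo/config/datastore.go is restored. The sketch below reuses helpers already called in this function; the error text reaching the client is assumed from core/commands/filestore.go and should be confirmed. `filestore_test_w_daemon` starts outside the hunk.

```shell
# … unchanged: disabled -S tests, left commented out …

test_launch_ipfs_daemon $opt

test_expect_success "filestore add -S is refused while server side paths are disabled" '
	mkdir -p adir &&
	echo "Hello Worlds!" > adir/file1 &&
	test_must_fail ipfs filestore add -S "`pwd`/adir/file1" 2> add_err &&
	grep "server side paths not enabled" add_err
'

test_kill_ipfs_daemon
```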
