From 06b079ba53d5e2aec502f84ac679b52055ffc5ad Mon Sep 17 00:00:00 2001 From: Marcin Rataj Date: Tue, 17 Dec 2019 02:11:35 +0100 Subject: [PATCH] fix: limit SW registration to content root Introduces hardening proposed in: https://github.com/ipfs/go-ipfs/issues/4025#issuecomment-342250616 License: MIT Signed-off-by: Marcin Rataj --- core/corehttp/gateway_handler.go | 13 +++++++++++++ test/sharness/t0110-gateway.sh | 7 +++++++ 2 files changed, 20 insertions(+) diff --git a/core/corehttp/gateway_handler.go b/core/corehttp/gateway_handler.go index d3cca5d3db04..a828b9f5f5e7 100644 --- a/core/corehttp/gateway_handler.go +++ b/core/corehttp/gateway_handler.go @@ -8,6 +8,7 @@ import ( "net/http" "net/url" gopath "path" + "regexp" "runtime/debug" "strings" "time" @@ -151,6 +152,18 @@ func (i *gatewayHandler) getOrHeadHandler(w http.ResponseWriter, r *http.Request ipnsHostname = true } + // Service Worker registration request + if r.Header.Get("Service-Worker") == "script" { + // Disallow Service Worker registration on namespace roots + // https://github.com/ipfs/go-ipfs/issues/4025 + matched, _ := regexp.MatchString(`^/ip[fn]s/[^/]+$`, r.URL.Path) + if matched { + err := fmt.Errorf("registration is not allowed for this scope") + webError(w, "navigator.serviceWorker", err, http.StatusBadRequest) + return + } + } + parsedPath := ipath.New(urlPath) if err := parsedPath.IsValid(); err != nil { webError(w, "invalid ipfs path", err, http.StatusBadRequest) diff --git a/test/sharness/t0110-gateway.sh b/test/sharness/t0110-gateway.sh index 26726f1d5e2d..68172cb56554 100755 --- a/test/sharness/t0110-gateway.sh +++ b/test/sharness/t0110-gateway.sh @@ -36,6 +36,13 @@ test_expect_success "GET IPFS path with explicit filename succeeds with proper h grep -F \"Content-Disposition: inline; filename*=UTF-8''test%D1%82%D0%B5%D1%81%D1%82\" actual_headers " +# https://github.com/ipfs/go-ipfs/issues/4025#issuecomment-342250616 +test_expect_success "GET for Service Worker registration outside of an IPFS content root errors" " + curl -H 'Service-Worker: script' -svX GET 'http://127.0.0.1:$port/ipfs/$HASH?filename=sw.js' > curl_sw_out 2>&1 && + grep 'HTTP/1.1 400 Bad Request' curl_sw_out && + grep 'navigator.serviceWorker: registration is not allowed for this scope' curl_sw_out +" + test_expect_success "GET IPFS path output looks good" ' test_cmp expected actual && rm actual