Host name verification is not needed
Summary: There's no need to perform host name verification as we use token-based authentication. So, remove it. Original security review: https://docs.google.com/document/d/16iXypCQibPiner061SoaQUFUY9tLVAEpkKfV_hUXI7c/edit#heading=h.kpbj4pk75925 Reviewed By: passy Differential Revision: D49313595 fbshipit-source-id: 9da1eefa87e5b774d653ab2c5db6f95c51af482d
This commit is contained in:
Lorenzo Blasa
committed by
Facebook GitHub Bot
Facebook GitHub Bot
parent
72170f6c75
commit
045ccec154
@@ -188,51 +188,9 @@ async function startHTTPServer(config: Config): Promise<{
|
||||
* incoming connections origin.
|
||||
* @returns Returns the created WS.
|
||||
*/
|
||||
function attachWS(server: http.Server, config: Config) {
|
||||
const localhost = 'localhost';
|
||||
const localhostIPV4 = `localhost:${config.port}`;
|
||||
const localhostIPV6 = `[::1]:${config.port}`;
|
||||
const localhostIPV6NoBrackets = `::1:${config.port}`;
|
||||
const localhostIPV4Electron = 'localhost:3000';
|
||||
|
||||
const possibleHosts = [
|
||||
localhost,
|
||||
localhostIPV4,
|
||||
localhostIPV6,
|
||||
localhostIPV6NoBrackets,
|
||||
localhostIPV4Electron,
|
||||
];
|
||||
const possibleOrigins = possibleHosts
|
||||
.map((host) => `http://${host}`)
|
||||
.concat(['file://']);
|
||||
|
||||
const verifyClient: VerifyClientCallbackSync = ({origin, req}) => {
|
||||
const noOriginHeader = origin === undefined;
|
||||
if (
|
||||
(noOriginHeader || possibleOrigins.includes(origin)) &&
|
||||
req.headers.host &&
|
||||
possibleHosts.includes(req.headers.host)
|
||||
) {
|
||||
// No origin header? The request is not originating from a browser, so should be OK to pass through
|
||||
// If origin matches our own address, it means we are serving the page.
|
||||
|
||||
function attachWS(server: http.Server, _config: Config) {
|
||||
const verifyClient: VerifyClientCallbackSync = ({req}) => {
|
||||
return process.env.SKIP_TOKEN_VERIFICATION ? true : verifyAuthToken(req);
|
||||
} else {
|
||||
// For now we don't allow cross origin request, so that an arbitrary website cannot try to
|
||||
// connect a socket to localhost:serverport, and try to use the all powerful Flipper APIs to read
|
||||
// for example files.
|
||||
// Potentially in the future we do want to allow this, e.g. if we want to connect to a local flipper-server
|
||||
// directly from intern. But before that, we should either authenticate the request somehow,
|
||||
// and discuss security impact and for example scope the files that can be read by Flipper.
|
||||
console.warn(
|
||||
`Refused socket connection from cross domain request, origin: ${origin}, host: ${
|
||||
req.headers.host
|
||||
}. Expected origins: ${possibleOrigins.join(
|
||||
' or ',
|
||||
)}. Expected hosts: ${possibleHosts.join(' or ')}`,
|
||||
);
|
||||
return false;
|
||||
}
|
||||
};
|
||||
|
||||
const options: ServerOptions = {
|
||||
|
||||
Reference in New Issue
Block a user