jens/flipper
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Make sure only requests from own host & port are accepted for now

Browse Source 
Summary: Make sure the flipper server socket only accepts local connections

Reviewed By: aigoncharov

Differential Revision: D33020251

fbshipit-source-id: 53e95e4871a45f3a3fa14f999499568a5a6b4995
This commit is contained in:
Michel Weststrate
2021-12-13 05:46:42 -08:00
committed by Facebook GitHub Bot
parent 9e09c0d5f7
commit 5564251aac
1 changed files with 14 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
desktop/flipper-server/src/startBaseServer.tsx
View File

@@ -26,7 +26,7 @@ export async function startBaseServer(config: Config): Promise<{
socket: socketio.Server; socket: socketio.Server;
}> { }> {
const {app, server} = await startAssetServer(config); const {app, server} = await startAssetServer(config);
const socket = addWebsocket(server); const socket = addWebsocket(server, config);
return { return {
app, app,
server, server,
@@ -61,9 +61,21 @@ function startAssetServer(
}); });
} }
function addWebsocket(server: http.Server) { function addWebsocket(server: http.Server, config: Config) {
const validHost = `localhost:${config.port}`;
const io = new socketio.Server(server, { const io = new socketio.Server(server, {
maxHttpBufferSize: WEBSOCKET_MAX_MESSAGE_SIZE, maxHttpBufferSize: WEBSOCKET_MAX_MESSAGE_SIZE,
allowRequest(req, callback) {
const noOriginHeader = req.headers.origin === undefined;
if (noOriginHeader && req.headers.host === validHost) {
callback(null, true);
} else {
console.warn(
`Refused sockect connection from cross domain request, origin: ${req.headers.origin}, host: ${req.headers.host}. Expected: ${validHost}`,
);
callback(null, false);
}
},
}); });
return io; return io;
} }