From d7fc17c12e87d2ee4cd1ac130a7c34131e669890 Mon Sep 17 00:00:00 2001
From: Pola Abram <pola@fb.com>
Date: Wed, 3 Mar 2021 07:52:58 -0800
Subject: [PATCH] Move list of valid origin prefixes for incoming WebSocket
 requests to a constant

Summary: Create a constant to hold all valid origin prefixes, for incoming WebSocket requests. This is to make it easier to add additional origins.

Reviewed By: mweststrate

Differential Revision: D26778708

fbshipit-source-id: b89bd8c8d8925b2863f12c319c6ecbeeb265fc42
---
 desktop/app/src/fb-stubs/constants.tsx | 8 ++++++++
 desktop/app/src/server.tsx             | 8 +++-----
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/desktop/app/src/fb-stubs/constants.tsx b/desktop/app/src/fb-stubs/constants.tsx
index ec49417ba..2be65a55c 100644
--- a/desktop/app/src/fb-stubs/constants.tsx
+++ b/desktop/app/src/fb-stubs/constants.tsx
@@ -42,4 +42,12 @@ export default Object.freeze({
   },
 
   SUPPORT_GROUPS: [],
+
+  // Only WebSocket requests from the following origin prefixes will be accepted
+  VALID_WEB_SOCKET_REQUEST_ORIGIN_PREFIXES: [
+    'chrome-extension://',
+    'localhost:',
+    'http://localhost:',
+    'app://',
+  ],
 });
diff --git a/desktop/app/src/server.tsx b/desktop/app/src/server.tsx
index df2a69661..9de5044e7 100644
--- a/desktop/app/src/server.tsx
+++ b/desktop/app/src/server.tsx
@@ -26,6 +26,7 @@ import invariant from 'invariant';
 import tls from 'tls';
 import net, {Socket} from 'net';
 import {Responder, Payload, ReactiveSocket} from 'rsocket-types';
+import constants from './fb-stubs/constants';
 import GK from './fb-stubs/GK';
 import {initJsEmulatorIPC} from './utils/js-client-server-utils/serverUtils';
 import {buildClientId} from './utils/clientUtils';
@@ -184,11 +185,8 @@ class Server extends EventEmitter {
         req: IncomingMessage;
         secure: boolean;
       }) => {
-        return (
-          info.origin.startsWith('chrome-extension://') ||
-          info.origin.startsWith('localhost:') ||
-          info.origin.startsWith('http://localhost:') ||
-          info.origin.startsWith('app://')
+        return constants.VALID_WEB_SOCKET_REQUEST_ORIGIN_PREFIXES.some(
+          (validPrefix) => info.origin.startsWith(validPrefix),
         );
       },
     });