sam_oneal/dial-reference
1
0
Fork 0
mirror of https://github.com/Netflix/dial-reference.git synced 2026-06-08 02:49:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #31 from Netflix/origin-check

Browse Source 
Enforce origin header check for all request types.
This commit is contained in:
Wesley Miaw
2020-07-02 16:36:10 -07:00
committed by GitHub
parent 72339c2e0c 65855a143a
commit e0495e3593
2 changed files with 102 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

87
server/dial_server.c
View File

@@ -625,7 +625,7 @@ static int origin_matches(const char *origin, const char *candidate) {
if (origin_len < candidate_len)
return 0;
fprintf(stderr, "comparing %s to %s len %lld\n", origin, candidate, candidate_len);
fprintf(stderr, "comparing %s to %s len %zu\n", origin, candidate, candidate_len);
return strncmp(origin, candidate, candidate_len - 1) == 0;
}
@@ -712,23 +712,19 @@ static int is_allowed_origin(DIALServer* ds, char * origin, const char * app_nam
#define RUN_URI "/run"
#define HIDE_URI "/hide"
static void *options_response(DIALServer *ds, struct mg_connection *conn, char *host_header, char *origin_header, const char* app_name, const char* methods)
static void *options_response(DIALServer *ds, struct mg_connection *conn, char *origin_header, const char* app_name, const char* methods)
{
if (host_header && is_allowed_origin(ds, origin_header, app_name)) {
mg_printf(
conn,
"HTTP/1.1 204 No Content\r\n"
"Access-Control-Allow-Methods: %s\r\n"
"Access-Control-Max-Age: 86400\r\n"
"Access-Control-Allow-Origin: %s\r\n"
"Content-Length: 0"
"\r\n",
methods,
origin_header);
return "done";
}
mg_send_http_error(conn, 403, "Forbidden", "Forbidden");
return "done";
mg_printf(
conn,
"HTTP/1.1 204 No Content\r\n"
"Access-Control-Allow-Methods: %s\r\n"
"Access-Control-Max-Age: 86400\r\n"
"Access-Control-Allow-Origin: %s\r\n"
"Content-Length: 0"
"\r\n",
methods,
origin_header);
return "done";
}
static void *request_handler(enum mg_event event, struct mg_connection *conn,
@@ -761,20 +757,22 @@ static void *request_handler(enum mg_event event, struct mg_connection *conn,
}
strncpy(app_name, request_info->uri + strlen(APPS_URI), appname_len);
// Check authorized origins.
if (origin_header && !is_allowed_origin(ds, origin_header, app_name)) {
mg_send_http_error(conn, 403, "Forbidden", "Forbidden");
return "done";
}
// Return OPTIONS.
if (!strcmp(request_info->request_method, "OPTIONS")) {
return options_response(ds, conn, host_header, origin_header, app_name, "DELETE, OPTIONS");
return options_response(ds, conn, origin_header, app_name, "DELETE, OPTIONS");
}
// DELETE non-empty app name
if (app_name[0] != '\0'
&& !strcmp(request_info->request_method, "DELETE"))
{
if (host_header && is_allowed_origin(ds, origin_header, app_name)) {
handle_app_stop(conn, request_info, app_name, origin_header);
} else {
mg_send_http_error(conn, 403, "Forbidden", "Forbidden");
return "done";
}
handle_app_stop(conn, request_info, app_name, origin_header);
} else {
mg_send_http_error(conn, 501, "Not Implemented",
"Not Implemented");
@@ -788,18 +786,20 @@ static void *request_handler(enum mg_event event, struct mg_connection *conn,
const char *app_name;
app_name = request_info->uri + strlen(APPS_URI);
// Check authorized origins.
if (origin_header && !is_allowed_origin(ds, origin_header, app_name)) {
mg_send_http_error(conn, 403, "Forbidden", "Forbidden");
return "done";
}
// Return OPTIONS.
if (!strcmp(request_info->request_method, "OPTIONS")) {
return options_response(ds, conn, host_header, origin_header, app_name, "GET, POST, OPTIONS");
return options_response(ds, conn, origin_header, app_name, "GET, POST, OPTIONS");
}
// start app
if (!strcmp(request_info->request_method, "POST")) {
if (host_header && is_allowed_origin(ds, origin_header, app_name)) {
handle_app_start(conn, request_info, app_name, origin_header);
} else {
mg_send_http_error(conn, 403, "Forbidden", "Forbidden");
return "done";
}
handle_app_start(conn, request_info, app_name, origin_header);
// get app status
} else if (!strcmp(request_info->request_method, "GET")) {
handle_app_status(conn, request_info, app_name, origin_header);
@@ -819,10 +819,18 @@ static void *request_handler(enum mg_event event, struct mg_connection *conn,
}
strncpy(app_name, request_info->uri + strlen(APPS_URI), appname_len);
if (!strcmp(request_info->request_method, "OPTIONS")) {
return options_response(ds, conn, host_header, origin_header, app_name, "POST, OPTIONS");
// Check authorized origins.
if (origin_header && !is_allowed_origin(ds, origin_header, app_name)) {
mg_send_http_error(conn, 403, "Forbidden", "Forbidden");
return "done";
}
// Return OPTIONS.
if (!strcmp(request_info->request_method, "OPTIONS")) {
return options_response(ds, conn, origin_header, app_name, "POST, OPTIONS");
}
// hide app
if (app_name[0] != '\0' && !strcmp(request_info->request_method, "POST")) {
handle_app_hide(conn, request_info, app_name, origin_header);
} else {
@@ -840,11 +848,20 @@ static void *request_handler(enum mg_event event, struct mg_connection *conn,
if (app_name == NULL) {
mg_send_http_error(conn, 500, "Internal Error", "Internal Error");
} else {
// Check authorized origins (still applicable via loopback).
if (origin_header && !is_allowed_origin(ds, origin_header, app_name)) {
mg_send_http_error(conn, 403, "Forbidden", "Forbidden");
return "done";
}
// Return OPTIONS.
if (!strcmp(request_info->request_method, "OPTIONS")) {
void *ret = options_response(ds, conn, host_header, origin_header, app_name, "POST, OPTIONS");
void *ret = options_response(ds, conn, origin_header, app_name, "POST, OPTIONS");
free(app_name);
return ret;
}
// deliver data payload
int use_payload = strcmp(request_info->request_method, "POST") ? 0 : 1;
handle_dial_data(conn, request_info, app_name, origin_header,
use_payload);

70
server/tests/test_cors.sh
View File

@@ -11,61 +11,91 @@ port=$2
#Testing all the positive cases
origins="https://www.netflix.com https://netflix.com https://port.netflix.com:123 https://www.netflix.com:80 https://www.netflix.com:123 proto://netflix.com proto://netflix proto://netflix.com:123"
for origin in $origins; do
curl --fail --silent --header "Origin:$origin" --data "v=QH2-TGUlwu4" http://$ip_address:$port/apps/Netflix || echo "failed: $origin should be accepted"
curl --fail --silent --header "Origin:$origin" -X OPTIONS http://$ip_address:$port/apps/Netflix || echo "failed: $origin should be accepted"
curl --fail --silent --header "Origin:$origin" -X OPTIONS http://$ip_address:$port/apps/Netflix/run || echo "failed: $origin should be accepted"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/Netflix | grep -q "403" && echo "failed[p0]: $origin should be accepted"
curl --output /dev/null --fail --silent --header "Origin:$origin" --data "v=QH2-TGUlwu4" -X POST http://$ip_address:$port/apps/Netflix || echo "failed[p1]: $origin should be accepted"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/Netflix | grep -q "403" && echo "failed[p2]: $origin should be accepted"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/Netflix | grep -q "403" && echo "failed[p3]: $origin should be accepted"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/Netflix/run | grep -q "403" && echo "failed[p4]: $origin should be accepted"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X DELETE http://$ip_address:$port/apps/Netflix/run | grep -q "403" && echo "failed[p5]: $origin should be accepted"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/Netflix/run/hide | grep -q "403" && echo "failed[p6]: $origin should be accepted"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/Netflix/run/hide | grep -q "403" && echo "failed[p7]: $origin should be accepted"
if [ $ip_address == "localhost" ];
then
echo "testing dial_data OPTIONS on $ip_address from origin $origin"
curl --fail --silent --header "Origin:$origin" -X OPTIONS http://$ip_address:$port/apps/Netflix/dial_data || echo "failed: $origin should be accepted"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/Netflix/dial_data | grep -q "403" && echo "failed[p8]: $origin should be accepted"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/Netflix/dial_data | grep -q "403" && echo "failed[p9]: $origin should be accepted"
fi
done
origins="https://www.youtube.com https://music.youtube.com https://youtube.com https://port.youtube.com:123 https://www.youtube.com:80 https://www.youtube.com:123 package:com.google.android.youtube package:com.google.ios.youtube proto:g proto:com.google"
for origin in $origins; do
curl --fail --silent --header "Origin:$origin" --data "v=QH2-TGUlwu4" http://$ip_address:$port/apps/YouTube || echo "failed: $origin should be accepted"
curl --fail --silent --header "Origin:$origin" -X OPTIONS http://$ip_address:$port/apps/YouTube || echo "failed: $origin should be accepted"
curl --fail --silent --header "Origin:$origin" -X OPTIONS http://$ip_address:$port/apps/YouTube/run || echo "failed: $origin should be accepted"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/YouTube | grep -q "403" && echo "failed[p10]: $origin should be accepted"
curl --output /dev/null --fail --silent --header "Origin:$origin" --data "v=QH2-TGUlwu4" -X POST http://$ip_address:$port/apps/YouTube || echo "failed[p11]: $origin should be accepted"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/YouTube | grep -q "403" && echo "failed[p12]: $origin should be accepted"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/YouTube | grep -q "403" && echo "failed[p13]: $origin should be accepted"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/YouTube/run | grep -q "403" && echo "failed[p14]: $origin should be accepted"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X DELETE http://$ip_address:$port/apps/YouTube/run | grep -q "403" && echo "failed[p15]: $origin should be accepted"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/YouTube/run/hide | grep -q "403" && echo "failed[p16]: $origin should be accepted"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/YouTube/run/hide | grep -q "403" && echo "failed[p17]: $origin should be accepted"
if [ $ip_address == "localhost" ];
then
echo "testing dial_data OPTIONS on $ip_address from origin $origin"
curl --fail --silent --header "Origin:$origin" -X OPTIONS http://$ip_address:$port/apps/YouTube/dial_data || echo "failed: $origin should be accepted"
curl --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/YouTube/dial_data | grep -q "403" && echo "failed[p18]: $origin should be accepted"
curl --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/YouTube/dial_data | grep -q "403" && echo "failed[p19]: $origin should be accepted"
fi
done
#Testing all the negative cases
origins="http://www.netflix-a.com http://www.netflix.com4 http://a-netflix.com http://www4.netflix.com https://port.netflix.com:1234 http://1.netflix.com https://www4.netflix.com https://ww.netflix-a.com https://www.netflix.com4 https://a-netflix.com http://netflix.com http://www.attack.com https://www.attack.com file://www.attack.com ftp://this.is.not.fine package: package:com.netflix.null proto:// proto:n proto:/n proto"
for origin in $origins; do
curl --fail --silent --header "Origin:$origin" --data "v=QH2-TGUlwu4" http://$ip_address:$port/apps/Netflix && echo "failed: $origin should be rejected"
curl --fail --silent --header "Origin:$origin" -X OPTIONS http://$ip_address:$port/apps/Netflix && echo "failed: $origin should be rejected"
curl --fail --silent --header "Origin:$origin" -X OPTIONS http://$ip_address:$port/apps/Netflix/run && echo "failed: $origin should be rejected"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/Netflix | grep -q "403" || echo "failed[n0]: $origin should be rejected"
curl --output /dev/null --fail --silent --header "Origin:$origin" --data "v=QH2-TGUlwu4" -X POST http://$ip_address:$port/apps/Netflix && echo "failed[n1]: $origin should be rejected"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/Netflix | grep -q "403" || echo "failed[n2]: $origin should be rejected"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/Netflix | grep -q "403" || echo "failed[n3]: $origin should be rejected"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/Netflix/run | grep -q "403" || echo "failed[n4]: $origin should be rejected"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X DELETE http://$ip_address:$port/apps/Netflix/run | grep -q "403" || echo "failed[n5]: $origin should be rejected"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/Netflix/run | grep -q "403" || echo "failed[n6]: $origin should be rejected"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/Netflix/run/hide | grep -q "403" || echo "failed[n7]: $origin should be rejected"
if [ $ip_address == "localhost" ];
then
echo "testing dial_data OPTIONS on $ip_address from origin $origin"
curl --fail --silent --header "Origin:$origin" -X OPTIONS http://$ip_address:$port/apps/Netflix/dial_data && echo "failed: $origin should be rejected"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/Netflix/dial_data | grep -q "403" || echo "failed[n8]: $origin should be rejected"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/Netflix/dial_data | grep -q "403" || echo "failed[n9]: $origin should be rejected"
fi
done
origins="http://www.youtube-a.com http://www.youtube.com4 https://.youtube.com http://a-youtube.com https://ww.youtube-a.com http://www4.youtube.com https://port.youtube.com:1234 http://1.youtube.com https://www.youtube.com4 https://a-youtube.com http://youtube.com http://www.attack.com https://www.attack.com file://www.attack.com ftp://this.is.not.fine packagecom.google.android.youtube package:com.google.android.utube packagea package: pack:com.google.android protoa proto:"
for origin in $origins; do
curl --fail --silent --header "Origin:$origin" --data "v=QH2-TGUlwu4" http://$ip_address:$port/apps/YouTube && echo "failed: $origin should be rejected"
curl --fail --silent --header "Origin:$origin" -X OPTIONS http://$ip_address:$port/apps/YouTube && echo "failed: $origin should be rejected"
curl --fail --silent --header "Origin:$origin" -X OPTIONS http://$ip_address:$port/apps/YouTube/run && echo "failed: $origin should be rejected"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/YouTube | grep -q "403" || echo "failed[n10]: $origin should be rejected"
curl --output /dev/null --fail --silent --header "Origin:$origin" --data "v=QH2-TGUlwu4" -X POST http://$ip_address:$port/apps/YouTube && echo "failed[n11]: $origin should be rejected"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/YouTube | grep -q "403" || echo "failed[n12]: $origin should be rejected"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/YouTube | grep -q "403" || echo "failed[n13]: $origin should be rejected"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/YouTube/run | grep -q "403" || echo "failed[n14]: $origin should be rejected"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X DELETE http://$ip_address:$port/apps/YouTube/run | grep -q "403" || echo "failed[n15]: $origin should be rejected"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/YouTube/run | grep -q "403" || echo "failed[n16]: $origin should be rejected"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/YouTube/run/hide | grep -q "403" || echo "failed[n17]: $origin should be rejected"
if [ $ip_address == "localhost" ];
then
echo "testing dial_data OPTIONS on $ip_address from origin $origin"
curl --fail --silent --header "Origin:$origin" -X OPTIONS http://$ip_address:$port/apps/YouTube/dial_data && echo "failed: $origin should be rejected"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/YouTube/dial_data | grep -q "403" || echo "failed[n18]: $origin should be rejected"
curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/YouTube/dial_data | grep -q "403" || echo "failed[n19]: $origin should be rejected"
fi
done
#Finally test with no header
curl --fail --silent --data "v=QH2-TGUlwu4" http://$ip_address:$port/apps/YouTube || echo "failed: request without an Origin should be accepted"
curl --fail --silent -X OPTIONS http://$ip_address:$port/apps/YouTube || echo "failed: request without an Origin should be accepted"
curl --fail --silent -X OPTIONS http://$ip_address:$port/apps/YouTube/run || echo "failed: request without an Origin should be accepted"
curl --output /dev/null --fail --silent -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/YouTube | grep -q "403" && echo "failed[o0]: request without an Origin should be accepted"
curl --output /dev/null --fail --silent --data "v=QH2-TGUlwu4" -X POST http://$ip_address:$port/apps/YouTube || echo "failed[o1]: request without an Origin should be accepted"
curl --output /dev/null --fail --silent -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/YouTube | grep -q "403" && echo "failed[o2]: request without an Origin should be accepted"
curl --output /dev/null --fail --silent -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/YouTube | grep -q "403" && echo "failed[o3]: request without an Origin should be accepted"
curl --output /dev/null --fail --silent -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/YouTube/run | grep -q "403" && echo "failed[o4]: request without an Origin should be accepted"
curl --output /dev/null --fail --silent -I -w "%{http_code}" -X DELETE http://$ip_address:$port/apps/YouTube/run | grep -q "403" && echo "failed[o5]: request without an Origin should be accepted"
curl --output /dev/null --fail --silent -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/YouTube/run/hide | grep -q "403" && echo "failed[o6]: request without an Origin should be accepted"
curl --output /dev/null --fail --silent -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/YouTube/run/hide | grep -q "403" && echo "failed[o7]: request without an Origin should be accepted"
if [ $ip_address == "localhost" ];
then
echo "testing dial_data OPTIONS on $ip_address with no origin"
curl --fail --silent -X OPTIONS http://$ip_address:$port/apps/YouTube/dial_data || echo "failed: request without an Origin should be accepted"
curl --output /dev/null --fail --silent -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/YouTube/dial_data | grep -q "403" && echo "failed[o8]: request without an Origin should be accepted"
curl --output /dev/null --fail --silent -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/YouTube/dial_data | grep -q "403" && echo "failed[o9]: request without an Origin should be accepted"
fi
echo "Done."