From 816ab825b1451fe0c05fb7632b5ea9e81240df1d Mon Sep 17 00:00:00 2001 From: Lars Gierth Date: Fri, 8 Jul 2016 21:36:38 +0200 Subject: [PATCH 1/2] test: actually use downloaded gx binary, clean up obsolete variable License: MIT Signed-off-by: Lars Gierth --- test/Makefile | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/test/Makefile b/test/Makefile index 11c380814be..1408d0c4921 100644 --- a/test/Makefile +++ b/test/Makefile @@ -7,8 +7,6 @@ RANDOM_FILES_SRC = ../Godeps/_workspace/src/github.com/jbenet/go-random-files POLLENDPOINT_SRC= ../thirdparty/pollEndpoint GOSLEEP_SRC = ./dependencies/go-sleep -GX_RELATIVE_PATH = gx/ipfs - export PATH := ../bin:${PATH} # User might want to override those on the command line @@ -53,16 +51,16 @@ bin/go-sleep: $(call find_go_files, $(GOSLEEP_SRC)) IPFS-BUILD-OPTIONS # gx dependencies multihash_src: - $(eval MULTIHASH_HASH := $(shell cd .. && gx deps find go-multihash)) - $(eval MULTIHASH_SRC := $(GX_RELATIVE_PATH)/$(MULTIHASH_HASH)/go-multihash) + $(eval MULTIHASH_HASH := $(shell cd .. && bin/gx deps find go-multihash)) + $(eval MULTIHASH_SRC := gx/ipfs/$(MULTIHASH_HASH)/go-multihash) bin/multihash: multihash_src $(call find_go_files, $(MULTIHASH_SRC)) IPFS-BUILD-OPTIONS @echo "*** installing $@ ***" go build $(GOFLAGS) -o bin/multihash $(MULTIHASH_SRC)/multihash iptb_src: - $(eval IPTB_HASH := $(shell cd .. && gx deps find iptb)) - $(eval IPTB_SRC := $(GX_RELATIVE_PATH)/$(IPTB_HASH)/iptb) + $(eval IPTB_HASH := $(shell cd .. && bin/gx deps find iptb)) + $(eval IPTB_SRC := gx/ipfs/$(IPTB_HASH)/iptb) bin/iptb: iptb_src $(call find_go_files, $(IPTB_SRC)) IPFS-BUILD-OPTIONS @echo "*** installing $@ ***" From 421add3d18d00ac62ad1a807f405574d4380710d Mon Sep 17 00:00:00 2001 From: Lars Gierth Date: Fri, 8 Jul 2016 23:42:48 +0200 Subject: [PATCH 2/2] daemon: reintroduce --unrestricted-api License: MIT 
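Review bot: In test/Makefile, the `multihash_src` and `iptb_src` recipes take whatever `$(shell cd .. && bin/gx deps find ...)` prints without checking that it printed anything, so a missing or failing `bin/gx` leaves the hash empty and `MULTIHASH_SRC` expands to `gx/ipfs//go-multihash`. A guard right after each first `$(eval ...)` would stop the build at the real cause, e.g. `$(if $(MULTIHASH_HASH),,$(error bin/gx deps find go-multihash returned nothing))`, and the same for `IPTB_HASH`. Neither target lists the gx binary as a prerequisite in the visible lines, so the ordering presumably relies on a rule outside this hunk. Because the binary is downloaded and then executed during the build, it is worth confirming that the download step verifies a pinned checksum; that step is not visible here.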
Signed-off-by: Lars Gierth --- cmd/ipfs/daemon.go | 17 +++++++++++++-- test/sharness/t0110-gateway.sh | 4 ---- test/sharness/t0400-api-security.sh | 32 +++++++++++++++++++++++++++++ 3 files changed, 47 insertions(+), 6 deletions(-) create mode 100755 test/sharness/t0400-api-security.sh diff --git a/cmd/ipfs/daemon.go b/cmd/ipfs/daemon.go index 5eea1595b82..39a7dd1bc2e 100644 --- a/cmd/ipfs/daemon.go +++ b/cmd/ipfs/daemon.go @@ -134,7 +134,7 @@ Headers. cmds.BoolOption(writableKwd, "Enable writing objects (with POST, PUT and DELETE)").Default(false), cmds.StringOption(ipfsMountKwd, "Path to the mountpoint for IPFS (if using --mount). Defaults to config setting."), cmds.StringOption(ipnsMountKwd, "Path to the mountpoint for IPNS (if using --mount). Defaults to config setting."), - cmds.BoolOption(unrestrictedApiAccessKwd, "This option has no effect since v0.4.3").Default(false), + cmds.BoolOption(unrestrictedApiAccessKwd, "Allow API access to unlisted hashes").Default(false), cmds.BoolOption(unencryptTransportKwd, "Disable transport encryption (for debugging protocols)").Default(false), cmds.BoolOption(enableGCKwd, "Enable automatic periodic repo garbage collection").Default(false), cmds.BoolOption(adjustFDLimitKwd, "Check and raise file descriptor limits if needed").Default(true), 
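Review bot: The new help text for `unrestrictedApiAccessKwd` in the cmd/ipfs/daemon.go option list says what the flag permits but not why it is off by default. The comment added in `serveHTTPApi` gives the reason (scripting exposure of the API), and `ipfs daemon --help` is where an operator will look, so I would carry it into the description: `cmds.BoolOption(unrestrictedApiAccessKwd, "Allow API access to unlisted hashes (unsafe: serves arbitrary content from the API origin)").Default(false),`. The option list starts and ends outside this hunk.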
@@ -363,11 +363,24 @@ func serveHTTPApi(req cmds.Request) (error, <-chan error) { apiMaddr = apiLis.Multiaddr() fmt.Printf("API server listening on %s\n", apiMaddr) + // by default, we don't let you load arbitrary ipfs objects through the api, + // because this would open up the api to scripting vulnerabilities. + // only the webui objects are allowed. + // if you know what you're doing, go ahead and pass --unrestricted-api. + unrestricted, _, err := req.Option(unrestrictedApiAccessKwd).Bool() + if err != nil { + return fmt.Errorf("serveHTTPApi: Option(%s) failed: %s", unrestrictedApiAccessKwd, err), nil + } + gatewayOpt := corehttp.GatewayOption(corehttp.WebUIPaths...) + if unrestricted { + gatewayOpt = corehttp.GatewayOption("/ipfs", "/ipns") + } + var opts = []corehttp.ServeOption{ corehttp.MetricsCollectionOption("api"), corehttp.CommandsOption(*req.InvocContext()), corehttp.WebUIOption, - corehttp.GatewayOption(corehttp.WebUIPaths...), + gatewayOpt, corehttp.VersionOption(), defaultMux("/debug/vars"), defaultMux("/debug/pprof/"), diff --git a/test/sharness/t0110-gateway.sh b/test/sharness/t0110-gateway.sh index fd218a344a0..7556ef4d45a 100755 --- a/test/sharness/t0110-gateway.sh +++ b/test/sharness/t0110-gateway.sh @@ -32,10 +32,6 @@ test_expect_success "GET IPFS path output looks good" ' rm actual ' -test_expect_success "GET IPFS path on API unavailable" ' - test_curl_resp_http_code "http://127.0.0.1:$apiport/ipfs/$HASH" "HTTP/1.1 404 Not Found" -' - test_expect_success "GET IPFS directory path succeeds" ' mkdir dir && echo "12345" >dir/test && diff --git a/test/sharness/t0400-api-security.sh b/test/sharness/t0400-api-security.sh new file mode 100755 index 00000000000..ccf92527413 --- /dev/null +++ b/test/sharness/t0400-api-security.sh 
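Review bot: In cmd/ipfs/daemon.go, the `if unrestricted` branch in `serveHTTPApi` widens the API gateway to `/ipfs` and `/ipns` without printing anything, so a daemon started this way produces the same startup output as a restricted one. A line in that branch such as `fmt.Printf("WARNING: --unrestricted-api serves /ipfs and /ipns content on the API port\n")` would make the relaxed mode visible in logs and to anyone auditing a running node. The risk grows if the API address is not loopback-only; whether that is checked anywhere is not visible from this hunk. `serveHTTPApi` starts and ends outside the hunk.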
@@ -0,0 +1,32 @@ +#!/bin/sh +# +# Copyright (c) 2016 Lars Gierth +# MIT Licensed; see the LICENSE file in this repository. +# + +test_description="Test API security" + +. lib/test-lib.sh + +test_init_ipfs + +# by default, we don't let you load arbitrary ipfs objects through the api, +# because this would open up the api to scripting vulnerabilities. +# only the webui objects are allowed. +# if you know what you're doing, go ahead and pass --unrestricted-api. + +test_launch_ipfs_daemon +test_expect_success "Gateway on API unavailable" ' + HASH=$(echo "testing" | ipfs add -q) + test_curl_resp_http_code "http://127.0.0.1:$API_PORT/ipfs/$HASH" "HTTP/1.1 404 Not Found" +' +test_kill_ipfs_daemon + +test_launch_ipfs_daemon --unrestricted-api +test_expect_success "Gateway on --unrestricted-api API available" ' + HASH=$(echo "testing" | ipfs add -q) + test_curl_resp_http_code "http://127.0.0.1:$API_PORT/ipfs/$HASH" "HTTP/1.1 200 OK" +' +test_kill_ipfs_daemon + +test_done
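Review bot: Both test bodies in t0400-api-security.sh run `HASH=$(echo "testing" | ipfs add -q)` without a trailing `&&`, so a failed `ipfs add` is ignored and the first test can still pass, since a request for `/ipfs/` with an empty hash on the restricted API would presumably also return 404. Chaining the lines, `HASH=$(echo "testing" | ipfs add -q) &&`, makes the assertion depend on a real hash. The unrestricted branch in daemon.go also mounts `/ipns`, which no test here requests; a 404 check for an `/ipns/` path on the default daemon would cover the other half of the restriction. The test removed from t0110 used `$apiport` while this file uses `$API_PORT`, so confirm that `test_launch_ipfs_daemon` sets the latter.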