From c48b612f2ea52253cc75f93b8a610d27828b64b0 Mon Sep 17 00:00:00 2001
From: David Justice
Date: Fri, 21 Jan 2022 17:28:43 -0500
Subject: [PATCH 1/2] fix: add companion ids to allow origins - fixes #8689 - Adds the chrome-extension ids for ipfs-companion and ipfs-companion-beta to the allowed origins list, this allows us to accesss ipfs api from a manifest v3 extension. - added tests in t0401-api-browser-security.sh
---
 core/corehttp/commands.go | 2 ++
 test/sharness/t0401-api-browser-security.sh | 15 +++++++++++++++
 2 files changed, 17 insertions(+)
diff --git a/core/corehttp/commands.go b/core/corehttp/commands.go
index 8de1e6be44a..cd20cf7b54d 100644
--- a/core/corehttp/commands.go
+++ b/core/corehttp/commands.go
@@ -44,6 +44,8 @@ var defaultLocalhostOrigins = []string{
 "https://[::1]:",
 "http://localhost:",
 "https://localhost:",
+ "chrome-extension://nibjojkomfdiaoajekhjakgkdhaomnch", // ipfs-companion
+ "chrome-extension://hjoieblefckbooibpepigmacodalfndh", // ipfs-companion-beta
 }
 func addCORSFromEnv(c *cmdsHttp.ServerConfig) {
diff --git a/test/sharness/t0401-api-browser-security.sh b/test/sharness/t0401-api-browser-security.sh
index 1e36bcead32..d7bd3a67d3f 100755
--- a/test/sharness/t0401-api-browser-security.sh
+++ b/test/sharness/t0401-api-browser-security.sh
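Review bot: The two new entries are shaped differently from the ones above them and nothing says why: the localhost entries end in `:` so they can match any API port, whereas `chrome-extension://<id>` is a complete origin with no port, and the hunk does not show whether the allowlist is compared by prefix or by whole origin. If it is prefix-matched (the trailing colons suggest it is), these entries are only safe because Chrome Web Store IDs are fixed-length, so that assumption deserves a comment such as `// Chrome Web Store IDs are fixed-length 32-char strings, so these match the full origin; do not add a trailing separator.` The IDs are also Chromium-specific: a Firefox install of the same extension presents a `moz-extension://<per-profile-uuid>` origin and will still be rejected, which the comment should state so nobody reads this as covering Firefox. The `defaultLocalhostOrigins` declaration starts before the hunk.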
@@ -39,6 +39,21 @@ test_expect_success "browser is able to access API if Origin is the API port on grep "HTTP/1.1 200 OK" curl_output && grep "$PEERID" curl_output ' +test_expect_success "Companion extension is unable to access API with invalid Origin" ' + curl -sD - -X POST -A "Mozilla" -H "Origin: chrome-extension://invalidextensionid" "http://127.0.0.1:$API_PORT/api/v0/id" >curl_output && + grep "HTTP/1.1 403 Forbidden" curl_output +' + +test_expect_success "Companion extension is able to access API if Origin is the API port on localhost (ipv4)" ' + curl -sD - -X POST -A "Mozilla" -H "Origin: chrome-extension://nibjojkomfdiaoajekhjakgkdhaomnch" "http://127.0.0.1:$API_PORT/api/v0/id" >curl_output && + grep "HTTP/1.1 200 OK" curl_output && grep "$PEERID" curl_output +' + +test_expect_success "Companion beta extension is able to access API if Origin is the API port on localhost (ipv4)" ' + curl -sD - -X POST -A "Mozilla" -H "Origin: chrome-extension://hjoieblefckbooibpepigmacodalfndh" "http://127.0.0.1:$API_PORT/api/v0/id" >curl_output && + grep "HTTP/1.1 200 OK" curl_output && grep "$PEERID" curl_output +' + test_kill_ipfs_daemon test_expect_success "setting CORS in API.HTTPHeaders works via CLI" " From 994ef0801578429020f8fde440de33ff56106fa1 Mon Sep 17 00:00:00 2001 From: Marcin Rataj Date: Wed, 16 Mar 2022 23:27:41 +0100 Subject: [PATCH 2/2] fix: companion when custom CORS *-Origin is set Companion extension should be able to access RPC API even when custom Access-Control-Allow-Origin is set --- core/corehttp/commands.go | 10 ++++++---- test/sharness/t0401-api-browser-security.sh | 15 ++++++++++++--- 2 files changed, 18 insertions(+), 7 deletions(-) diff --git a/core/corehttp/commands.go b/core/corehttp/commands.go index cd20cf7b54d..14b503ff528 100644 --- a/core/corehttp/commands.go +++ b/core/corehttp/commands.go 
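Review bot: The negative case `Origin: chrome-extension://invalidextensionid` never exercises the interesting boundary, because the localhost entries in `defaultLocalhostOrigins` are written as port prefixes (`http://localhost:`) and it is not visible from the tests whether the extension entries are compared as prefixes or as whole origins. Add one request whose Origin extends an allowlisted ID by a single character, `-H "Origin: chrome-extension://nibjojkomfdiaoajekhjakgkdhaomnchx"`, and assert `grep "HTTP/1.1 403 Forbidden" curl_output`, so the suite pins exact-origin semantics instead of leaving them implicit. A real browser cannot send such an origin, but the test documents what the server would do if the matcher were ever loosened.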
@@ -44,6 +44,9 @@ var defaultLocalhostOrigins = []string{
 "https://[::1]:",
 "http://localhost:",
 "https://localhost:",
+}
+
+var companionBrowserExtensionOrigins = []string{
 "chrome-extension://nibjojkomfdiaoajekhjakgkdhaomnch", // ipfs-companion
 "chrome-extension://hjoieblefckbooibpepigmacodalfndh", // ipfs-companion-beta
 }
@@ -86,10 +89,9 @@ func addHeadersFromConfig(c *cmdsHttp.ServerConfig, nc *config.Config) {
 }
 func addCORSDefaults(c *cmdsHttp.ServerConfig) {
- // by default use localhost origins
- if len(c.AllowedOrigins()) == 0 {
- c.SetAllowedOrigins(defaultLocalhostOrigins...)
- }
+ // always safelist certain origins
+ c.AppendAllowedOrigins(defaultLocalhostOrigins...)
+ c.AppendAllowedOrigins(companionBrowserExtensionOrigins...)
 // by default, use GET, PUT, POST
 if len(c.AllowedMethods()) == 0 {
diff --git a/test/sharness/t0401-api-browser-security.sh b/test/sharness/t0401-api-browser-security.sh
index d7bd3a67d3f..f288259d5f6 100755
--- a/test/sharness/t0401-api-browser-security.sh
+++ b/test/sharness/t0401-api-browser-security.sh
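Review bot: `companionBrowserExtensionOrigins` is a security-relevant allowlist that is now always applied, yet it has no doc comment saying where the IDs come from or how a maintainer verifies them before editing the list. A comment along the lines of `// companionBrowserExtensionOrigins are the Chrome Web Store IDs of IPFS Companion (stable and beta); they are always allowed to reach the RPC API. Verify any change against the published store listing — a wrong ID here grants another extension API access.` would make the trust decision explicit. It should also note that these are Chromium-only origins and that Firefox installs, which present `moz-extension://<per-profile-uuid>`, are not covered by this list.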
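Review bot: `addCORSDefaults` now appends the localhost and extension origins unconditionally, so an operator who set `API.HTTPHeaders.Access-Control-Allow-Origin` to a deliberately narrow list can no longer exclude `http://localhost:` or `http://127.0.0.1:` — the removed `len(c.AllowedOrigins()) == 0` guard made the config authoritative, the new code makes it additive. That is a widening of the effective CORS policy for existing deployments and should be stated in the comment and the config docs rather than `// always safelist certain origins`, e.g. `// Localhost and IPFS Companion origins are always allowed, even when API.HTTPHeaders sets a custom Access-Control-Allow-Origin: the configured list is additive, not a replacement.` It is also worth confirming that `AppendAllowedOrigins` tolerates an origin that the config already contains and that `addCORSDefaults` runs once per server, since the append is no longer guarded. The rest of `addCORSDefaults` continues outside the hunk.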
@@ -39,17 +39,18 @@ test_expect_success "browser is able to access API if Origin is the API port on grep "HTTP/1.1 200 OK" curl_output && grep "$PEERID" curl_output ' -test_expect_success "Companion extension is unable to access API with invalid Origin" ' +test_expect_success "Random browser extension is unable to access RPC API due to invalid Origin" ' curl -sD - -X POST -A "Mozilla" -H "Origin: chrome-extension://invalidextensionid" "http://127.0.0.1:$API_PORT/api/v0/id" >curl_output && grep "HTTP/1.1 403 Forbidden" curl_output ' -test_expect_success "Companion extension is able to access API if Origin is the API port on localhost (ipv4)" ' +test_expect_success "Companion extension is able to access RPC API on localhost" ' curl -sD - -X POST -A "Mozilla" -H "Origin: chrome-extension://nibjojkomfdiaoajekhjakgkdhaomnch" "http://127.0.0.1:$API_PORT/api/v0/id" >curl_output && + cat curl_output && grep "HTTP/1.1 200 OK" curl_output && grep "$PEERID" curl_output ' -test_expect_success "Companion beta extension is able to access API if Origin is the API port on localhost (ipv4)" ' +test_expect_success "Companion beta extension is able to access API on localhost" ' curl -sD - -X POST -A "Mozilla" -H "Origin: chrome-extension://hjoieblefckbooibpepigmacodalfndh" "http://127.0.0.1:$API_PORT/api/v0/id" >curl_output && grep "HTTP/1.1 200 OK" curl_output && grep "$PEERID" curl_output ' 
@@ -64,6 +65,14 @@ test_expect_success "setting CORS in API.HTTPHeaders works via CLI" " test_launch_ipfs_daemon +test_expect_success "Companion extension is able to access RPC API even when custom Access-Control-Allow-Origin is set" ' + ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin | grep -q valid.example.com && + curl -sD - -X POST -A "Mozilla" -H "Origin: chrome-extension://nibjojkomfdiaoajekhjakgkdhaomnch" "http://127.0.0.1:$API_PORT/api/v0/id" >curl_output && + cat curl_output && + grep "HTTP/1.1 200 OK" curl_output && + grep "$PEERID" curl_output +' + # https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request test_expect_success "OPTIONS with preflight request to API with CORS allowlist succeeds" ' curl -svX OPTIONS -A "Mozilla" -H "Origin: https://valid.example.com" -H "Access-Control-Request-Method: POST" -H "Access-Control-Request-Headers: origin, x-requested-with" "http://127.0.0.1:$API_PORT/api/v0/id" 2>curl_output &&
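Review bot: The new test shows the request returns 200 but not that a browser would be allowed to read the response: CORS is enforced client-side from the `Access-Control-Allow-Origin` response header, and since `-sD -` already dumps the headers into `curl_output`, the test should also assert `grep -i "^Access-Control-Allow-Origin: chrome-extension://nibjojkomfdiaoajekhjakgkdhaomnch" curl_output` (adjust to whatever value the server actually echoes for a safelisted origin — confirm against the cmds HTTP layer). The precondition `grep -q valid.example.com` treats each `.` as a wildcard; `grep -qF "valid.example.com"` is the intended check. A negative case under the custom allowlist — `Origin: chrome-extension://invalidextensionid` still getting `HTTP/1.1 403 Forbidden` — would show that the always-appended safelist does not widen access beyond the two IDs once an operator has configured their own origin list.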