backwards compatible allowed_origin, default browsers not allowed
This commit is contained in:
parent
08d37a4b0f
commit
ee0aabda1d
4 changed files with 47 additions and 5 deletions
|
@ -625,7 +625,9 @@ class Config(CLIConfig):
|
||||||
previous_names=['upload_log', 'upload_log', 'share_debug_info']
|
previous_names=['upload_log', 'upload_log', 'share_debug_info']
|
||||||
)
|
)
|
||||||
track_bandwidth = Toggle("Track bandwidth usage", True)
|
track_bandwidth = Toggle("Track bandwidth usage", True)
|
||||||
allowed_origin = String("Allowed origin header for api calls, use * to allow all", 'null')
|
allowed_origin = String(
|
||||||
|
"Allowed `Origin` header value for API request (sent by browser), use * to allow "
|
||||||
|
"all hosts; default is to only allow API requests with no `Origin` value.", "")
|
||||||
|
|
||||||
# media server
|
# media server
|
||||||
streaming_server = String('Host name and port to serve streaming media over range requests',
|
streaming_server = String('Host name and port to serve streaming media over range requests',
|
||||||
|
|
|
@ -47,6 +47,7 @@ from lbry.extras.daemon.componentmanager import ComponentManager
|
||||||
from lbry.extras.daemon.json_response_encoder import JSONResponseEncoder
|
from lbry.extras.daemon.json_response_encoder import JSONResponseEncoder
|
||||||
from lbry.extras.daemon import comment_client
|
from lbry.extras.daemon import comment_client
|
||||||
from lbry.extras.daemon.undecorated import undecorated
|
from lbry.extras.daemon.undecorated import undecorated
|
||||||
|
from lbry.extras.daemon.security import is_request_allowed
|
||||||
from lbry.file_analysis import VideoFileAnalyzer
|
from lbry.file_analysis import VideoFileAnalyzer
|
||||||
from lbry.schema.claim import Claim
|
from lbry.schema.claim import Claim
|
||||||
from lbry.schema.url import URL
|
from lbry.schema.url import URL
|
||||||
|
@ -566,10 +567,8 @@ class Daemon(metaclass=JSONRPCServerType):
|
||||||
log.info("finished shutting down")
|
log.info("finished shutting down")
|
||||||
|
|
||||||
async def handle_old_jsonrpc(self, request):
|
async def handle_old_jsonrpc(self, request):
|
||||||
origin = request.headers.get('Origin', 'null')
|
if is_request_allowed(request, self.conf):
|
||||||
origin = None if origin == 'null' else origin
|
log.warning("API request from origin '%s' is not allowed", request.headers.get('Origin'))
|
||||||
if origin != self.conf.allowed_origin != '*':
|
|
||||||
log.warning("API request from origin '%s' is not allowed", origin)
|
|
||||||
raise web.HTTPForbidden()
|
raise web.HTTPForbidden()
|
||||||
data = await request.json()
|
data = await request.json()
|
||||||
params = data.get('params', {})
|
params = data.get('params', {})
|
||||||
|
|
5
lbry/extras/daemon/security.py
Normal file
5
lbry/extras/daemon/security.py
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
def is_request_allowed(request, conf) -> bool:
|
||||||
|
origin = request.headers.get('Origin', 'null')
|
||||||
|
if origin == 'null' or conf.allowed_origin in ('*', origin):
|
||||||
|
return True
|
||||||
|
return False
|
36
tests/unit/lbrynet_daemon/test_allowed_origin.py
Normal file
36
tests/unit/lbrynet_daemon/test_allowed_origin.py
Normal file
|
@ -0,0 +1,36 @@
|
||||||
|
import unittest
|
||||||
|
|
||||||
|
from aiohttp.test_utils import make_mocked_request as request
|
||||||
|
|
||||||
|
from lbry.testcase import AsyncioTestCase
|
||||||
|
from lbry.conf import Config
|
||||||
|
from lbry.extras.daemon.security import is_request_allowed as allowed
|
||||||
|
|
||||||
|
|
||||||
|
class TestAllowedOrigin(unittest.TestCase):
|
||||||
|
|
||||||
|
def test_allowed_origin_default(self):
|
||||||
|
conf = Config()
|
||||||
|
# no Origin is always allowed
|
||||||
|
self.assertTrue(allowed(request('GET', '/'), conf))
|
||||||
|
# some clients send Origin: null (eg, https://github.com/electron/electron/issues/7931)
|
||||||
|
self.assertTrue(allowed(request('GET', '/', headers={'Origin': 'null'}), conf))
|
||||||
|
# deny all other Origins
|
||||||
|
self.assertFalse(allowed(request('GET', '/', headers={'Origin': 'localhost'}), conf))
|
||||||
|
self.assertFalse(allowed(request('GET', '/', headers={'Origin': 'hackers.com'}), conf))
|
||||||
|
|
||||||
|
def test_allowed_origin_star(self):
|
||||||
|
conf = Config(allowed_origin='*')
|
||||||
|
# everything is allowed
|
||||||
|
self.assertTrue(allowed(request('GET', '/'), conf))
|
||||||
|
self.assertTrue(allowed(request('GET', '/', headers={'Origin': 'null'}), conf))
|
||||||
|
self.assertTrue(allowed(request('GET', '/', headers={'Origin': 'localhost'}), conf))
|
||||||
|
self.assertTrue(allowed(request('GET', '/', headers={'Origin': 'hackers.com'}), conf))
|
||||||
|
|
||||||
|
def test_allowed_origin_specified(self):
|
||||||
|
conf = Config(allowed_origin='localhost')
|
||||||
|
# no origin and only localhost are allowed
|
||||||
|
self.assertTrue(allowed(request('GET', '/'), conf))
|
||||||
|
self.assertTrue(allowed(request('GET', '/', headers={'Origin': 'null'}), conf))
|
||||||
|
self.assertTrue(allowed(request('GET', '/', headers={'Origin': 'localhost'}), conf))
|
||||||
|
self.assertFalse(allowed(request('GET', '/', headers={'Origin': 'hackers.com'}), conf))
|
Loading…
Add table
Reference in a new issue