Tighten the CSRF security, since Electron interceptor allows RCE

Previously the API was difficult to CSRF, with attacks that only
worked in certain old browsers etc. With this change, it should
be impossible to send a request to the GraphQL API that isn't
from an allowed server. There is still a remaining risky avenue
due to Mockttp's API (if you're clever, you could spoof a trusted
origin directly), but that'll be closed the same way shortly.

Author: pimterry

custom-typings/cors-gate.d.ts

@@ -0,0 +1,13 @@
+declare module 'cors-gate' {
+    import * as express from 'express';
+
+    interface Options {
+        origin: string;
+        strict?: boolean;
+        allowSafe?: boolean;
+    }
+
+    function corsGate(options: Options): express.RequestHandler;
+
+    export = corsGate;
+}

package-lock.json

@@ -38,6 +38,7 @@
     "async-mutex": "^0.1.3",
     "chrome-remote-interface": "^0.28.0",
     "command-exists": "^1.2.8",
+    "cors-gate": "^1.1.3",
     "env-paths": "^1.0.0",
     "global-agent": "^2.0.0",
     "global-tunnel-ng": "^2.7.1",

package.json

@@ -1,6 +1,7 @@
 import * as _ from 'lodash';
 import * as os from 'os';
 import * as events from 'events';
+import corsGate = require('cors-gate');
 import { GraphQLServer } from 'graphql-yoga';
 import * as Express from 'express';
 import { GraphQLScalarType } from 'graphql';
@@ -171,21 +172,11 @@ export class HttpToolkitServer extends events.EventEmitter {
             resolvers: buildResolvers(config, interceptors, this)
         });
 
-        // TODO: This logic also exists in Mockttp - probably good to commonize it somewhere.
-        this.graphql.use((req: Express.Request, res: Express.Response, next: () => void) => {
-            const origin = req.headers['origin'];
-            // This will have been set (or intentionally not set), by the CORS middleware
-            const allowedOrigin = res.getHeader('Access-Control-Allow-Origin');
-
-            // If origin is set (null or an origin) but was not accepted by the CORS options
-            // Note that if no options.cors is provided, allowedOrigin is always *.
-            if (origin !== undefined && allowedOrigin !== '*' && allowedOrigin !== origin) {
-                // Don't process the request: error out & skip the lot (to avoid CSRF)
-                res.status(403).send('CORS request sent by unacceptable origin');
-            } else {
-                next();
-            }
-        });
+        this.graphql.use(corsGate({
+            strict: true, // MUST send an allowed origin
+            allowSafe: false, // Even for HEAD/GET requests (should be none anyway)
+            origin: '' // No origin - we accept *no* same-origin requests
+        }));
     }
 
     async start() {

src/httptoolkit-server.ts

@@ -9,8 +9,7 @@ export const ALLOWED_ORIGINS = IS_PROD_BUILD
         // Prod builds only allow HTTPS app.httptoolkit.tech usage. This
         // ensures that no other sites/apps can communicate with your server
         // whilst you have the app open. If they could (requires an HTTP mitm),
-        // they would be able to start proxies & interceptors. It's not remote
-        // execution, but it's definitely not desirable.
+        // they would be able to start proxies & interceptors.
         /^https:\/\/app\.httptoolkit\.tech$/
     ]
     : [

src/util.ts

@@ -39,6 +39,12 @@ async function setupServerPath() {
     return path.join(tmpDir, 'httptoolkit-server', 'bin', 'run');
 }
 
+const buildGraphql = (url: string) => getGraphQL(url, {
+    asJSON: true,
+    // Pretend to be a browser on the real site:
+    headers: { 'origin': 'https://app.httptoolkit.tech' }
+});
+
 describe('Integration test', function () {
     // Timeout needs to be long, as first test runs (e.g. in CI) generate
     // fresh certificates, which can take a little while.
@@ -98,7 +104,7 @@ describe('Integration test', function () {
     });
 
     it('exposes the version over HTTP', async () => {
-        const graphql = getGraphQL('http://localhost:45457/', { asJSON: true });
+        const graphql = buildGraphql('http://localhost:45457/');
 
         const response = await graphql(`
             query getVersion {
@@ -110,7 +116,7 @@ describe('Integration test', function () {
     });
 
     it('exposes interceptors over HTTP', async () => {
-        const graphql = getGraphQL('http://localhost:45457/', { asJSON: true });
+        const graphql = buildGraphql('http://localhost:45457/');
 
         const response = await graphql(`
             query getInterceptors($proxyPort: Int!) {