Skip to content
This repository was archived by the owner on Feb 12, 2024. It is now read-only.

Commit feba661

Browse files
lidellidel
authored
fix: limit SW registration to content root (#2682)
Introduces hardening proposed in: ipfs/kubo#4025 (comment) License: MIT Signed-off-by: Marcin Rataj <[email protected]>
1 parent 16d540c commit feba661

File tree

3 files changed

+19
-2
lines changed

3 files changed

+19
-2
lines changed

.travis.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -45,7 +45,7 @@ jobs:
4545
script:
4646
- npx aegir build --bundlesize
4747
- npx aegir dep-check -- -i wrtc -i electron-webrtc
48-
- npm run lint
48+
- npx aegir lint
4949

5050
- stage: test
5151
name: chrome

src/http/gateway/resources/gateway.js

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -76,6 +76,11 @@ module.exports = {
7676
// add trailing slash for directories with implicit index.html
7777
return h.redirect(`${path}/`).permanent(true)
7878
}
79+
if (request.headers['service-worker'] === 'script') {
80+
// Disallow Service Worker registration on /ipfs scope
81+
// https://github.com/ipfs/go-ipfs/issues/4025
82+
if (path.match(/^\/ip[nf]s\/[^/]+$/)) throw Boom.badRequest('navigator.serviceWorker: registration is not allowed for this scope')
83+
}
7984

8085
// Support If-None-Match & Etag (Conditional Requests from RFC7232)
8186
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ETag

test/gateway/index.js

Lines changed: 13 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -105,7 +105,7 @@ describe('HTTP Gateway', function () {
105105
expect(res.headers.suborigin).to.equal(undefined)
106106
})
107107

108-
it('400 for request with invalid argument', async () => {
108+
it('returns 400 for request with invalid argument', async () => {
109109
const res = await gateway.inject({
110110
method: 'GET',
111111
url: '/ipfs/invalid'
@@ -118,6 +118,18 @@ describe('HTTP Gateway', function () {
118118
expect(res.headers.suborigin).to.equal(undefined)
119119
})
120120

121+
it('returns 400 for service worker registration outside of an IPFS content root', async () => {
122+
const res = await gateway.inject({
123+
method: 'GET',
124+
url: '/ipfs/QmT78zSuBmuS4z925WZfrqQ1qHaJ56DQaTfyMUF7F8ff5o?filename=sw.js',
125+
headers: { 'Service-Worker': 'script' }
126+
})
127+
128+
// Expect 400 Bad Request
129+
// https://github.com/ipfs/go-ipfs/issues/4025#issuecomment-342250616
130+
expect(res.statusCode).to.equal(400)
131+
})
132+
121133
it('valid CIDv0', async () => {
122134
const res = await gateway.inject({
123135
method: 'GET',

0 commit comments

Comments
 (0)