From 00fb2d1163bf1356bc67cceff39f5fcf36c8b911 Mon Sep 17 00:00:00 2001
From: Jakub Jankiewicz
Date: Sat, 18 May 2024 23:40:03 +0200
Subject: [PATCH] Check same origin for paths

---
 CHANGELOG.md | 4 ++++
 index.js | 34 +++++++++++++++++++++++++++++++---
 2 files changed, 35 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e875d28..790f588 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.16.4
+### Bug fix
+* fix check if request origin match
+
 ## 0.16.3
 ### Bug fix
 * fix handling of binary data in FileSystem
diff --git a/index.js b/index.js
index b100b41..c04d74d 100644
--- a/index.js
+++ b/index.js
@@ -8,6 +8,10 @@ const root_url = get_root_path();
 const root_url_re = new RegExp('^' + escape_re(root_url));
 
 
+function same_origin(origin) {
+ return origin === self.location.origin;
+}
+
 function get_root_path() {
 if (self.registration) {
 const url = new URL(registration.scope);
@@ -79,6 +83,10 @@ function bind_fs(fs) {
 return result;
 }
 
+// -----------------------------------------------------------------------------
+// :: Wayne Route Response Class
+// -----------------------------------------------------------------------------
+
 export class HTTPResponse {
 constructor(resolve, reject) {
 this._resolve = resolve;
@@ -165,8 +173,12 @@ export class HTTPResponse {
 }
 }
 
-// code based on https://github.com/jcubic/route.js
-// Copyright (C) 2014-2017 Jakub T. Jankiewicz
+
+// -----------------------------------------------------------------------------
+// :: Route Parser
+// :: code based on https://github.com/jcubic/route.js
+// :: Copyright (C) 2014-2017 Jakub T. Jankiewicz
+// -----------------------------------------------------------------------------
 export function RouteParser() {
 const name_re = '[a-zA-Z_][a-zA-Z_0-9]*';
 const self = this;
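Review bot: `same_origin` in the `@@ -8,6 +8,10 @@` hunk has no doc comment, and since this commit makes it the single origin gate used by both RouteParser and FileSystem it deserves one stating the contract: `/** True when origin (a serialized origin as produced by URL.origin) equals the worker's own origin, self.location.origin. URL.origin is the string "null" for opaque origins such as data: URLs, so those never match. */`. Strict `===` is adequate here because both sides are normalized origin serializations (lowercased host, default port omitted), and saying so discourages anyone from later relaxing it back to the hostname-only comparison this commit replaces. The function reads the global `self` from module scope, so the `const self = this;` inside RouteParser (visible at the end of the `@@ -165,8 +173,12 @@` hunk) does not shadow it at the call sites.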
@@ -236,12 +248,16 @@ export function RouteParser() {
 for (let i=keys.length; i--;) {
 const key = keys[i];
 let pattern;
+ // check if origin match for full URL
 if (key.match(/:\/\//)) {
 const url = new URL(key);
 if (url.origin !== origin) {
 continue;
 }
 pattern = key.replace(url.origin, '');
+ } else if (!same_origin(origin)) {
+ // skip different origin
+ continue;
 } else {
 pattern = key;
 }
@@ -367,6 +383,10 @@ async function list_dir({ fs, path }, path_name) {
 }));
 }
 
+// -----------------------------------------------------------------------------
+// :: File System
+// -----------------------------------------------------------------------------
+
 export function FileSystem(options) {
 let {
 path,
@@ -397,7 +417,7 @@ export function FileSystem(options) {
 const url = new URL(req.url);
 let path_name = normalize_url(decodeURIComponent(url.pathname));
 url.pathname = path_name;
- if (!(url.hostname === self.location.hostname && await test(url))) {
+ if (!(same_origin(url.origin) && await test(url))) {
 return next();
 }
 if (req.method !== 'GET') {
@@ -439,6 +459,10 @@ export function FileSystem(options) {
 };
 }
 
+// -----------------------------------------------------------------------------
+// :: Main Wayne Constructor
+// -----------------------------------------------------------------------------
+
 export class Wayne {
 constructor({ filter = () => true } = {}) {
 this._er_handlers = [];
@@ -530,6 +554,10 @@ export class Wayne {
 }
 }
 
+// -----------------------------------------------------------------------------
+// :: RPC
+// -----------------------------------------------------------------------------
+
 export function rpc(channel, methods) {
 channel.addEventListener('message', async function handler(message) {
 if (Object.keys(message.data).includes('method', 'id', 'args')) {
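Review bot: `same_origin(origin)` in the new `else if` branch of the `@@ -236,12 +248,16 @@` hunk is loop-invariant — `origin` does not change across the `for (let i=keys.length; i--;)` iterations — yet it is re-evaluated for every scheme-less key; hoisting it as `const is_same_origin = same_origin(origin);` above the loop and testing `} else if (!is_same_origin) {` reads more clearly and states once that relative patterns only ever match requests to the worker's own origin. The added `// skip different origin` would carry more of that intent as `// relative patterns only match the worker's own origin; keys with a scheme are matched against their own origin above`. Where `origin` is computed, the rest of the loop body, and the start and end of RouteParser all lie outside the hunk.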
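Review bot: The new `same_origin(url.origin)` test in the `@@ -397,7 +417,7 @@` hunk runs only after `decodeURIComponent(url.pathname)` and `normalize_url` have already been applied to the request path, although the origin does not depend on the path; checking the origin first lets cross-origin requests fall through to `next()` without touching their path, and keeps `decodeURIComponent` — which throws `URIError` on a malformed percent-escape — from running on a request this handler is not going to serve. Replacing the hostname comparison with a full origin comparison is the right fix, since scheme and port now have to match as well. Splitting the combined condition into an origin guard followed by the `await test(url)` guard is shown below; the enclosing request handler and FileSystem itself start and end outside the hunk.
```javascript
const url = new URL(req.url);
// origin check first: it does not depend on the path, so cross-origin
// requests are handed to next() before the path is decoded at all
if (!same_origin(url.origin)) {
    return next();
}
let path_name = normalize_url(decodeURIComponent(url.pathname));
url.pathname = path_name;
if (!(await test(url))) {
    return next();
}
// … unchanged: method check and the rest of the handler …
```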