fix: limit SW registration to content root (#2682)

lidel · web-flow · commit feba661e98a1 · 2020-02-03T17:08:52.000Z
Introduces hardening proposed in: ipfs/kubo#4025 (comment) License: MIT Signed-off-by: Marcin Rataj <lidel@lidel.org>
diff --git a/.travis.yml b/.travis.yml
@@ -45,7 +45,7 @@ jobs:
       script:
         - npx aegir build --bundlesize
         - npx aegir dep-check -- -i wrtc -i electron-webrtc
-        - npm run lint
+        - npx aegir lint
 
     - stage: test
       name: chrome
diff --git a/src/http/gateway/resources/gateway.js b/src/http/gateway/resources/gateway.js
@@ -76,6 +76,11 @@ module.exports = {
       // add trailing slash for directories with implicit index.html
       return h.redirect(`${path}/`).permanent(true)
     }
+    if (request.headers['service-worker'] === 'script') {
+      // Disallow Service Worker registration on /ipfs scope
+      // https://github.com/ipfs/go-ipfs/issues/4025
+      if (path.match(/^\/ip[nf]s\/[^/]+$/)) throw Boom.badRequest('navigator.serviceWorker: registration is not allowed for this scope')
+    }
 
     // Support If-None-Match & Etag (Conditional Requests from RFC7232)
     // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ETag
diff --git a/test/gateway/index.js b/test/gateway/index.js
@@ -105,7 +105,7 @@ describe('HTTP Gateway', function () {
     expect(res.headers.suborigin).to.equal(undefined)
   })
 
-  it('400 for request with invalid argument', async () => {
+  it('returns 400 for request with invalid argument', async () => {
     const res = await gateway.inject({
       method: 'GET',
       url: '/ipfs/invalid'
@@ -118,6 +118,18 @@ describe('HTTP Gateway', function () {
     expect(res.headers.suborigin).to.equal(undefined)
   })
 
+  it('returns 400 for service worker registration outside of an IPFS content root', async () => {
+    const res = await gateway.inject({
+      method: 'GET',
+      url: '/ipfs/QmT78zSuBmuS4z925WZfrqQ1qHaJ56DQaTfyMUF7F8ff5o?filename=sw.js',
+      headers: { 'Service-Worker': 'script' }
+    })
+
+    // Expect 400 Bad Request
+    // https://github.com/ipfs/go-ipfs/issues/4025#issuecomment-342250616
+    expect(res.statusCode).to.equal(400)
+  })
+
   it('valid CIDv0', async () => {
     const res = await gateway.inject({
       method: 'GET',
