status-im
/
react-native
mirror of https://github.com/status-im/react-native.git
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

Prevent cross origin requests to development server 

Summary:
This diff adds a middleware to the RN development server to prevent processing requests coming from a third-party website.

The way we choose to do it is to block any request that has an origin header and it's different than localhost. This will still allow simulators to work properly while blocking potential external websites to do malign CORS requests.

This is just a first quick measure to block a potential attack vector while we implement full authentication in the RN development server

Reviewed By: mjesun

Differential Revision: D9238674

fbshipit-source-id: b7bdc40dabc2f4d92f5ac84515f93b89efa4e833
This commit is contained in:
Rafael Oleza 2018-08-22 09:52:05 -07:00 committed by Facebook Github Bot
parent 6af3b161c0
commit 8a21abcd6b
2 changed files with 29 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
local-cli/server/middleware/MiddlewareManager.js
View File

@ -17,6 +17,7 @@ const WebSocketServer = require('ws').Server;
const indexPageMiddleware = require('./indexPage');
const copyToClipBoardMiddleware = require('./copyToClipBoardMiddleware');
const getSecurityHeadersMiddleware = require('./getSecurityHeadersMiddleware');
const loadRawBodyMiddleware = require('./loadRawBodyMiddleware');
const openStackFrameInEditorMiddleware = require('./openStackFrameInEditorMiddleware');
const statusPageMiddleware = require('./statusPageMiddleware');
@ -44,6 +45,7 @@ module.exports = class MiddlewareManager {
this.options = options;
this.app = connect()
.use(getSecurityHeadersMiddleware)
.use(loadRawBodyMiddleware)
.use(compression())
.use('/debugger-ui', serveStatic(debuggerUIFolder))

27
local-cli/server/middleware/getSecurityHeadersMiddleware.js Normal file
View File

@ -0,0 +1,27 @@
/**
* Copyright (c) 2013-present, Facebook, Inc.
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*
* @strict
* @format
*/
module.exports = function(req, res, next) {
const address = req.client.server.address();
// Block any cross origin request.
if (
req.headers.origin &&
req.headers.origin !== `http://localhost:${address.port}`
) {
next(new Error('Unauthorized'));
return;
}
// Block MIME-type sniffing.
res.setHeader('X-Content-Type-Options', 'nosniff');
next();
};