allow configure HTTPVirtualHosts and HTTPCors settings (#1236)

2025-02-16 08:50:09 +00:00 · 2018-10-12 14:58:32 +02:00 · 2018-10-12 14:58:32 +02:00 · 20f8f1f2cc
commit 20f8f1f2cc
parent 4d5f808085
4 changed files with 60 additions and 3 deletions
--- a/node/node.go
+++ b/node/node.go
@ -127,9 +127,7 @@ func newGethNodeConfig(config *params.NodeConfig) (*node.Config, error) {
 			MaxPeers:        config.MaxPeers,
 			MaxPendingPeers: config.MaxPendingPeers,
 		},
-		HTTPCors:         nil,
-		HTTPModules:      config.FormatAPIModules(),
-		HTTPVirtualHosts: []string{"localhost"},
+		HTTPModules: config.FormatAPIModules(),
 	}

 	if config.IPCEnabled {
@ -144,6 +142,8 @@ func newGethNodeConfig(config *params.NodeConfig) (*node.Config, error) {
 	if config.HTTPEnabled {
 		nc.HTTPHost = config.HTTPHost
 		nc.HTTPPort = config.HTTPPort
+		nc.HTTPVirtualHosts = config.HTTPVirtualHosts
+		nc.HTTPCors = config.HTTPCors
 	}

 	if config.ClusterConfig.Enabled {
--- a/node/node_test.go
+++ b/node/node_test.go
@ -5,6 +5,7 @@ import (
 	"testing"

 	"github.com/ethereum/go-ethereum/p2p/discover"
+	"github.com/status-im/status-go/params"
 	. "github.com/status-im/status-go/t/utils"
 	"github.com/stretchr/testify/require"
 	"github.com/syndtr/goleveldb/leveldb"
@ -68,3 +69,16 @@ func TestParseNodesToNodeID(t *testing.T) {
 	require.Len(t, nodeIDs, 1)
 	require.Equal(t, discover.NodeID{1}, nodeIDs[0])
 }
+
+func TestNewGethNodeConfig(t *testing.T) {
+	config, err := params.NewNodeConfig("", params.RopstenNetworkID)
+	require.NoError(t, err)
+	config.HTTPEnabled = true
+	config.HTTPVirtualHosts = []string{"my.domain.com"}
+	config.HTTPCors = []string{"http://my.domain.com"}
+
+	nc, err := newGethNodeConfig(config)
+	require.NoError(t, err)
+	require.Equal(t, []string{"my.domain.com"}, nc.HTTPVirtualHosts)
+	require.Equal(t, []string{"http://my.domain.com"}, nc.HTTPCors)
+}
--- a/params/config.go
+++ b/params/config.go
@ -212,6 +212,20 @@ type NodeConfig struct {
 	// HTTPPort is the TCP port number on which to start the Geth's HTTP RPC server.
 	HTTPPort int

+	// HTTPVirtualHosts is the list of virtual hostnames which are allowed on incoming requests.
+	// This is by default {'localhost'}. Using this prevents attacks like
+	// DNS rebinding, which bypasses SOP by simply masquerading as being within the same
+	// origin. These attacks do not utilize CORS, since they are not cross-domain.
+	// By explicitly checking the Host-header, the server will not allow requests
+	// made against the server with a malicious host domain.
+	// Requests using an IP address directly are not affected.
+	HTTPVirtualHosts []string
+
+	// HTTPCors is the Cross-Origin Resource Sharing header to send to requesting
+	// clients. Please be aware that CORS is a browser enforced security, it's fully
+	// useless for custom HTTP clients.
+	HTTPCors []string
+
 	// IPCEnabled specifies whether IPC-RPC Server is enabled or not
 	IPCEnabled bool

@ -399,6 +413,7 @@ func NewNodeConfig(dataDir string, networkID uint64) (*NodeConfig, error) {
 		Version:               Version,
 		HTTPHost:              "localhost",
 		HTTPPort:              8545,
+		HTTPVirtualHosts:      []string{"localhost"},
 		ListenAddr:            ":0",
 		APIModules:            "eth,net,web3,peer",
 		MaxPeers:              25,
--- a/params/config_test.go
+++ b/params/config_test.go
@ -353,6 +353,34 @@ func TestNodeConfigValidate(t *testing.T) {
 			}`,
 			Error: "PFSEnabled is true, but InstallationID is empty",
 		},
+		{
+			Name: "Default HTTP virtual hosts is localhost and CORS is empty",
+			Config: `{
+				"NetworkId": 1,
+				"DataDir": "/some/dir",
+				"KeyStoreDir": "/some/dir",
+				"BackupDisabledDataDir": "/some/dir"
+			}`,
+			CheckFunc: func(t *testing.T, config *params.NodeConfig) {
+				require.Equal(t, []string{"localhost"}, config.HTTPVirtualHosts)
+				require.Nil(t, config.HTTPCors)
+			},
+		},
+		{
+			Name: "Set HTTP virtual hosts and CORS",
+			Config: `{
+				"NetworkId": 1,
+				"DataDir": "/some/dir",
+				"KeyStoreDir": "/some/dir",
+				"BackupDisabledDataDir": "/some/dir",
+				"HTTPVirtualHosts": ["my.domain.com"],
+				"HTTPCors": ["http://my.domain.com:8080"]
+			}`,
+			CheckFunc: func(t *testing.T, config *params.NodeConfig) {
+				require.Equal(t, []string{"my.domain.com"}, config.HTTPVirtualHosts)
+				require.Equal(t, []string{"http://my.domain.com:8080"}, config.HTTPCors)
+			},
+		},
 	}

 	for _, tc := range testCases {