[workers] Restrict CORS ACAH headers to the whitelist

Manav Rathi
2024-07-05 18:02:36 +05:30
parent 089ed89045
commit e9938c2ac4
4 changed files with 7 additions and 67 deletions


@@ -17,16 +17,12 @@ export default {
const handleOPTIONS = (request: Request) => {
const origin = request.headers.get("Origin");
if (!isAllowedOrigin(origin)) console.warn("Unknown origin", origin);
const headers = request.headers.get("Access-Control-Request-Headers");
if (!areAllowedHeaders(headers))
console.warn("Unknown header in list", headers);
return new Response("", {
headers: {
"Access-Control-Allow-Origin": "*",
"Access-Control-Allow-Methods": "GET, OPTIONS",
"Access-Control-Allow-Headers": "X-Auth-Token, X-Client-Package",
"Access-Control-Max-Age": "86400",
// "Access-Control-Allow-Headers": "X-Auth-Token, X-Client-Package",
"Access-Control-Allow-Headers": "*",
},
});
};
@@ -48,16 +44,6 @@ const isAllowedOrigin = (origin: string | null) => {
}
};
const areAllowedHeaders = (headers: string | null) => {
const allowed = ["x-auth-token", "x-client-package"];
if (!headers) return true;
for (const header of headers.split(",")) {
if (!allowed.includes(header.trim().toLowerCase())) return false;
}
return true;
};
const handleGET = async (request: Request) => {
const url = new URL(request.url);
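Review bot: The preflight still answers `Access-Control-Allow-Origin: *` for every caller, so the `isAllowedOrigin` check on the third line of the hunk only logs and never restricts anything; after this change the header allowlist is the only browser-side restriction `handleOPTIONS` actually applies. If the origin allowlist is meant to be enforced rather than observed, deny the preflight for unknown origins, e.g. `if (!isAllowedOrigin(origin)) return new Response(null, { status: 403 });` in place of the bare `console.warn`, keeping the warn for the log. Whether a request with no `Origin` header counts as allowed depends on `isAllowedOrigin`, whose body lies outside this hunk (only its closing braces are visible in the second hunk), so that case needs checking before the change. If the wildcard is deliberate, a one-line comment above the check, `// Origin allowlist is observe-only: ACAO stays "*" because no credentials are used`, would stop the next reader from assuming it gates access.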


@@ -17,17 +17,13 @@ export default {
const handleOPTIONS = (request: Request) => {
const origin = request.headers.get("Origin");
if (!isAllowedOrigin(origin)) console.warn("Unknown origin", origin);
const headers = request.headers.get("Access-Control-Request-Headers");
if (!areAllowedHeaders(headers))
console.warn("Unknown header in list", headers);
return new Response("", {
headers: {
"Access-Control-Allow-Origin": "*",
"Access-Control-Allow-Methods": "GET, OPTIONS",
"Access-Control-Allow-Headers":
"X-Auth-Access-Token, X-Auth-Access-Token-JWT, X-Client-Package",
"Access-Control-Max-Age": "86400",
// "Access-Control-Allow-Headers": "X-Auth-Access-Token, X-Auth-Access-Token-JWT",
// "Access-Control-Allow-Headers": "X-Auth-Access-Token, X-Auth-Access-Token-JWT, x-client-package",
"Access-Control-Allow-Headers": "*",
},
});
};
@@ -45,21 +41,6 @@ const isAllowedOrigin = (origin: string | null) => {
}
};
const areAllowedHeaders = (headers: string | null) => {
// TODO(MR): Stop sending "x-client-package"
const allowed = [
"x-auth-access-token",
"x-auth-access-token-jwt",
"x-client-package",
];
if (!headers) return true;
for (const header of headers.split(",")) {
if (!allowed.includes(header.trim().toLowerCase())) return false;
}
return true;
};
const handleGET = async (request: Request) => {
const url = new URL(request.url);
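Review bot: The `TODO(MR): Stop sending "x-client-package"` that lived in the deleted `areAllowedHeaders` disappears with the second hunk, while the new `Access-Control-Allow-Headers` value in the first hunk still lists `X-Client-Package`, so the reminder is lost but the header stays allowed. Carry the note over next to the value it concerns, e.g. `// TODO(MR): Drop X-Client-Package once clients stop sending it` directly above the `"Access-Control-Allow-Headers":` line, so the allowlist can be tightened later without re-discovering the intent. As in the other workers in this commit, the origin check above it is warn-only and the response keeps `Access-Control-Allow-Origin: *`, so the header list is the only restriction the preflight really enforces; `isAllowedOrigin`'s body is outside the visible hunks, so how a missing `Origin` is treated cannot be confirmed here.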


@@ -17,16 +17,12 @@ export default {
const handleOPTIONS = (request: Request) => {
const origin = request.headers.get("Origin");
if (!isAllowedOrigin(origin)) console.warn("Unknown origin", origin);
const headers = request.headers.get("Access-Control-Request-Headers");
if (!areAllowedHeaders(headers))
console.warn("Unknown header in list", headers);
return new Response("", {
headers: {
"Access-Control-Allow-Origin": "*",
"Access-Control-Allow-Methods": "GET, OPTIONS",
"Access-Control-Allow-Headers": "X-Auth-Token, X-Client-Package",
"Access-Control-Max-Age": "86400",
// "Access-Control-Allow-Headers": "X-Auth-Token, X-Client-Package",
"Access-Control-Allow-Headers": "*",
},
});
};
@@ -48,16 +44,6 @@ const isAllowedOrigin = (origin: string | null) => {
}
};
const areAllowedHeaders = (headers: string | null) => {
const allowed = ["x-auth-token", "x-client-package"];
if (!headers) return true;
for (const header of headers.split(",")) {
if (!allowed.includes(header.trim().toLowerCase())) return false;
}
return true;
};
const handleGET = async (request: Request) => {
const url = new URL(request.url);
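Review bot: This `handleOPTIONS` is byte-identical to the one in the first file of this commit, down to the `X-Auth-Token, X-Client-Package` allowlist, so the two workers now carry the same CORS policy in two copies that can drift the next time one of them is tightened. If the workers share a package, a single exported `ALLOWED_HEADERS` constant (or a shared `corsPreflightHeaders` object) referenced from both would keep them in step; the file paths are not shown on this page, so whether a shared module is practical is an inference. Independently of that, the `isAllowedOrigin` result on the third line is only logged while `Access-Control-Allow-Origin` stays `*`, so nothing in this hunk denies a preflight from an unknown origin; a one-line comment stating that the origin check is observe-only, or a `403` return for disallowed origins, would make the intended policy explicit.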


@@ -23,17 +23,14 @@ export default {
const handleOPTIONS = (request: Request) => {
const origin = request.headers.get("Origin");
if (!isAllowedOrigin(origin)) console.warn("Unknown origin", origin);
const headers = request.headers.get("Access-Control-Request-Headers");
if (!areAllowedHeaders(headers))
console.warn("Unknown header in list", headers);
return new Response("", {
headers: {
"Access-Control-Allow-Origin": "*",
"Access-Control-Allow-Methods": "POST, PUT, OPTIONS",
"Access-Control-Max-Age": "86400",
// "Access-Control-Allow-Headers": "Content-Type", "UPLOAD-URL, X-Client-Package",
"Access-Control-Allow-Headers": "*",
"Access-Control-Allow-Headers":
"Content-Type, UPLOAD-URL, X-Client-Package",
"Access-Control-Expose-Headers": "X-Request-Id, CF-Ray",
"Access-Control-Max-Age": "86400",
},
});
};
@@ -55,16 +52,6 @@ const isAllowedOrigin = (origin: string | null) => {
}
};
const areAllowedHeaders = (headers: string | null) => {
const allowed = ["content-type", "upload-url", "x-client-package"];
if (!headers) return true;
for (const header of headers.split(",")) {
if (!allowed.includes(header.trim().toLowerCase())) return false;
}
return true;
};
const handlePOSTOrPUT = async (request: Request) => {
const url = new URL(request.url);
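Review bot: This worker's preflight advertises `POST, PUT, OPTIONS` with `Access-Control-Allow-Origin: *`, yet the `isAllowedOrigin` result on the third line of the hunk is only logged, so the narrowed `Content-Type, UPLOAD-URL, X-Client-Package` allowlist is the only thing the preflight now refuses to any page on the web. If the origin allowlist is meant to gate uploads, return early for unknown origins, `if (!isAllowedOrigin(origin)) return new Response(null, { status: 403 });`, and keep the warn for visibility; how a missing `Origin` is classified depends on `isAllowedOrigin`, whose body is outside the visible hunks. Listing `Content-Type` explicitly is correct here, since only form-style media types are CORS-safelisted and a JSON or binary body would otherwise fail preflight; a short comment to that effect next to the value, `// Content-Type must be listed: non-form media types are not CORS-safelisted`, would keep someone from trimming it later.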