Upstream/bitwarden-browser
1
0
Fork 0
mirror of https://github.com/bitwarden/browser.git synced 2025-01-17 20:31:50 +01:00
Code Issues Projects Releases Wiki Activity

[PS-1152] CLI serve forbid browser requests (#3220)

Browse Source 
* Inconsiquential change to allow a draft PR

* Serve blocks requests from browsers by default

Option is provided to override this behavior for backwards
compatibility.

* Revert "Inconsiquential change to allow a draft PR"

This reverts commit 0f51344c35.
This commit is contained in:
Matt Gibson 2022-08-05 09:27:11 -06:00 committed by GitHub
parent 7526b46bfd
commit e7220644d1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 22 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
apps/cli/src/commands/serve.command.ts
View File

@ -149,14 +149,31 @@ export class ServeCommand {
}
async run(options: program.OptionValues) {
const protectOrigin = !options.disableOriginProtection;
const port = options.port || 8087;
const hostname = options.hostname || "localhost";
this.main.logService.info(
`Starting server on ${hostname}:${port} with ${
protectOrigin ? "origin protection" : "no origin protection"
}`
);
const server = new koa();
const router = new koaRouter();
process.env.BW_SERVE = "true";
process.env.BW_NOINTERACTION = "true";
server.use(koaBodyParser()).use(koaJson({ pretty: false, param: "pretty" }));
server
.use(async (ctx, next) => {
if (protectOrigin && ctx.headers.origin != undefined) {
ctx.status = 403;
this.main.logService.warning(`Blocking request from ${ctx.headers.origin}`);
return;
}
await next();
})
.use(koaBodyParser())
.use(koaJson({ pretty: false, param: "pretty" }));
router.get("/generate", async (ctx, next) => {
const response = await this.generateCommand.run(ctx.request.query);

4
apps/cli/src/program.ts
View File

@ -476,6 +476,10 @@ export class Program extends BaseProgram {
.description("Start a RESTful API webserver.")
.option("--hostname <hostname>", "The hostname to bind your API webserver to.")
.option("--port <port>", "The port to run your API webserver on.")
.option(
"--disable-origin-protection",
"If set, allows requests with origin header. Not recommended!"
)
.on("--help", () => {
writeLn("\n Notes:");
writeLn("");