From a3fb2abf66c95f138294e46d14a70887a0a11f5f Mon Sep 17 00:00:00 2001
From: Torsten Dittmann
Date: Mon, 1 Mar 2021 17:02:01 +0100
Subject: [PATCH] add cors validation

---
 app/realtime.php | 31 ++++++++++++++++++++++++++-----
 1 file changed, 26 insertions(+), 5 deletions(-)

diff --git a/app/realtime.php b/app/realtime.php
index 7648cd62a..0863b5aa7 100644
--- a/app/realtime.php
+++ b/app/realtime.php
@@ -9,6 +9,7 @@ use Appwrite\Database\Adapter\Redis as RedisAdapter;
 use Appwrite\Database\Database;
 use Appwrite\Database\Document;
 use Appwrite\Database\Validator\Authorization;
+use Appwrite\Network\Validator\Origin;
 use Appwrite\Realtime\Realtime;
 use Swoole\Database\RedisConfig;
 use Swoole\Database\RedisPool;
@@ -51,13 +52,13 @@ $subscriptions = [];
 $connections = [];
 
 $register->set('redis', function () {
-    $user = App::getEnv('_APP_REDIS_USER','');
-    $pass = App::getEnv('_APP_REDIS_PASS','');
+    $user = App::getEnv('_APP_REDIS_USER', '');
+    $pass = App::getEnv('_APP_REDIS_PASS', '');
     $auth = '';
-    if(!empty($user)) {
+    if (!empty($user)) {
         $auth += $user;
     }
-    if(!empty($pass)) {
+    if (!empty($pass)) {
         $auth += ':' . $pass;
     }
 
@@ -188,6 +189,10 @@ $server->on('open', function (Server $server, Request $request) use (&$connectio
         return $project;
     }, ['consoleDB', 'request']);
 
+    App::setResource('console', function ($consoleDB) {
+        return $consoleDB->getDocument('console');
+    }, ['consoleDB']);
+
     App::setResource('user', function ($project, $request, $projectDB) {
         /** @var Utopia\Swoole\Request $request */
         /** @var Appwrite\Database\Document $project */
@@ -226,6 +231,9 @@ $server->on('open', function (Server $server, Request $request) use (&$connectio
     /** @var Appwrite\Database\Document $project */
     $project = $app->getResource('project');
 
+    /** @var Appwrite\Database\Document $console */
+    $console = $app->getResource('console');
+
     /*
      * Abuse Check
      */
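Review bot: The two context lines `$auth += $user;` and `$auth += ':' . $pass;` inside the `redis` closure (second hunk, `@@ -51,13 +52,13 @@`) apply the arithmetic `+=` operator to strings, so the credential is never concatenated: on PHP 8 a non-numeric user or password makes this throw a TypeError, and on PHP 7 it leaves `$auth` numeric with a warning. The commit reformats the surrounding `if` lines without touching them; the intended operator is `.=`, i.e. `$auth .= $user;` and `$auth .= ':' . $pass;`. How `$auth` is consumed is outside the hunk (the closure continues past its last line), but as written a configured `_APP_REDIS_PASS` cannot reach the Redis client intact, which is worth fixing in the same pass.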
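Review bot: The new `console` resource closure (third hunk, `@@ -188,6 +189,10 @@`) leaves `$consoleDB` untyped and undocumented, whereas the neighbouring `user` resource opens its body with `/** @var … */` annotations for each injected argument. If `$consoleDB` is the `Appwrite\Database\Database` instance the file's imports suggest, add `/** @var Appwrite\Database\Database $consoleDB */` as the first line of the closure body so the `getDocument` call resolves under static analysis. That the console document is stored under the id `'console'` cannot be confirmed from the hunk, so a one-line comment naming where that id is assigned would help the next reader.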
@@ -244,6 +252,19 @@ $server->on('open', function (Server $server, Request $request) use (&$connectio
         $server->close($connection);
     }
 
+    /*
+     * Validate Client Domain - Check to avoid CSRF attack
+     * Adding Appwrite API domains to allow XDOMAIN communication
+     * Skip this check for non-web platforms which are not required to send an origin header
+     */
+    $origin = $request->getOrigin();
+    $originValidator = new Origin(\array_merge($project->getAttribute('platforms', []), $console->getAttribute('platforms', [])));
+
+    if (!$originValidator->isValid($origin)) {
+        $server->push($connection, $originValidator->getDescription());
+        $server->close($connection);
+    }
+
     /*
      * Project Check
      */
@@ -264,7 +285,7 @@ $server->on('open', function (Server $server, Request $request) use (&$connectio
         $server->push($connection, 'Missing channels');
         $server->close($connection);
     }
-    
+
     Realtime::subscribe($project->getId(), $connection, $roles, $subscriptions, $connections, $channels);
     $server->push($connection, json_encode($channels));
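Review bot: When the origin check fails, the new `if` block pushes the validator description and closes the socket but does not `return`, so execution continues into the project check and, as the next hunk shows, into `Realtime::subscribe(...)`, which registers the rejected fd in `$subscriptions`/`$connections` and later pushes events to it. Add `return;` after `$server->close($connection);` inside the new block; the abuse-check branch whose closing lines open this hunk appears to have the same fall-through, if its body is as it looks here, and the `'Missing channels'` branch in the following hunk visibly does. The block comment promises the check is skipped for non-web platforms that send no Origin header, but no skip is visible in the hunk; if `Origin::isValid` accepts an empty origin itself, state that in the comment (e.g. `// Origin::isValid() treats a missing Origin header as valid — non-web platforms send none`) so the empty-origin path is not mistaken for a bypass. The `open` handler starts and ends outside the hunk.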