-
-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[gateway] ServiceWorker could take control over gateway endpoints #4025
Comments
Hah, very interesting. Thanks for the detective work here :) We will definitely keep this in mind when moving forward with service worker addons |
Thanks for converting the report into this issue and for opening w3c/ServiceWorker#1165 as a proposal! |
Putting this on the 0.4.12 milestone so we give it more attention. I know we want to start doing more with service workers and content types, so its important to keep this in mind and follow up. |
Happy to help review any idea y’all have in the general area of Service Worker :) |
Solution would be to block requests to |
I like that solution. |
Just for clarification for anyone who is new to Service Workers (me), I was initially confused as to why SWs path scope rules wouldn't solve this, but I see now that it doesn't If you register a SW from:
then the scopeUrl is
and the gateway starts to serve files like that with the correct js mime-type where appropriate, then the browser will have loaded a js file called In ServiceWorker terms, the scopeUrl ends up being Of note, path based scopes for service workers were, at least partly, introduced to allow usecases where a service hosts content from multiple users in sibling directories, see: w3c/ServiceWorker#468 Also of note there is an active issue discussing the service worker path scope trailing slash issue and sub origins here: w3c/ServiceWorker#1272 |
Just for the record, another vector for this could be future support for returning content-type stored in "Extended Attributes" of ipld/legacy-unixfs-v2#11 |
Introduces hardening proposed in: ipfs/kubo#4025 (comment) License: MIT Signed-off-by: Marcin Rataj <[email protected]>
Introduces hardening proposed in: #4025 (comment) License: MIT Signed-off-by: Marcin Rataj <[email protected]>
Introduces hardening proposed in: #4025 (comment) License: MIT Signed-off-by: Marcin Rataj <[email protected]>
Introduces hardening proposed in: ipfs#4025 (comment) License: MIT Signed-off-by: Marcin Rataj <[email protected]>
Introduces hardening proposed in: #4025 (comment) License: MIT Signed-off-by: Marcin Rataj <[email protected]>
Introduces hardening proposed in: #4025 (comment) License: MIT Signed-off-by: Marcin Rataj <[email protected]>
Introduces hardening proposed in: #4025 (comment) License: MIT Signed-off-by: Marcin Rataj <[email protected]>
Introduces hardening proposed in: #4025 (comment) License: MIT Signed-off-by: Marcin Rataj <[email protected]>
Introduces hardening proposed in: ipfs/kubo#4025 (comment) License: MIT Signed-off-by: Marcin Rataj <[email protected]>
Introduces hardening proposed in: ipfs/kubo#4025 (comment) License: MIT Signed-off-by: Marcin Rataj <[email protected]>
Introduces hardening proposed in: ipfs/kubo#4025 (comment) License: MIT Signed-off-by: Marcin Rataj <[email protected]>
Introduces hardening proposed in: ipfs#4025 (comment) License: MIT Signed-off-by: Marcin Rataj <[email protected]>
Introduces hardening proposed in: ipfs#4025 (comment) License: MIT Signed-off-by: Marcin Rataj <[email protected]>
Introduces hardening proposed in: ipfs#4025 (comment) License: MIT Signed-off-by: Marcin Rataj <[email protected]>
Introduces hardening proposed in: ipfs#4025 (comment) License: MIT Signed-off-by: Marcin Rataj <[email protected]>
Introduces hardening proposed in: ipfs#4025 (comment) License: MIT Signed-off-by: Marcin Rataj <[email protected]>
Introduces hardening proposed in: ipfs#4025 (comment) License: MIT Signed-off-by: Marcin Rataj <[email protected]>
Introduces hardening proposed in: ipfs#4025 (comment) License: MIT Signed-off-by: Marcin Rataj <[email protected]>
Introduces hardening proposed in: ipfs#4025 (comment) License: MIT Signed-off-by: Marcin Rataj <[email protected]>
Introduces hardening proposed in: ipfs#4025 (comment) License: MIT Signed-off-by: Marcin Rataj <[email protected]>
Introduces hardening proposed in: ipfs/kubo#4025 (comment) License: MIT Signed-off-by: Marcin Rataj <[email protected]> This commit was moved from ipfs/kubo@115b2ba
Introduces hardening proposed in: ipfs/kubo#4025 (comment) License: MIT Signed-off-by: Marcin Rataj <[email protected]> This commit was moved from ipfs/kubo@455e498
Version information: 0.4.10-4679f80
Type: Bug
Severity: Low. Not currently a security issue, but could become one in the future.
Description:
Take a look at QmaEtDG87K69mVR7sc48DemHpj3LqxKaQfDw6qJr2AGbmZ:
The requested ServiceWorker file is the following:
This currently does not work for only one reason: The Content-Type on the ServiceWorker file is
not
application/javascript
buttext/plain
. If it was set toapplication/javascript
, I coulddo the following:
gateway.ipfs.io
endpoint would receive the same response.Currently, the Go FileServer implementation, which the gateway uses, does not sniff JavaScript to set a
Content-Type: application/javascript
header. If they ever change that, or IPFS exposes control overContent-Type
, the gateway would become vulnerable to the attack above.I think ServiceWorker are powerful and they should be allowed on IPFS. ServiceWorker are scoped to
the path where the ServiceWorker file is located. Most of the time it would be located at paths
like
/ipfs/<HostID>/serviceworker.js
, and therefore be in control of all requests to/ipfs/<HostID>/...
which is entirely reasonable.There’s currently no way to completely disable ServiceWorker for a domain or a path, so I created an issue on the ServiceWorker spec. For the time being, my suggestion is to sett the header
Service-Worker-Allowed: /_jail
on all requests that match^/ip[fn]s/[^/]+$
on the gatway.The text was updated successfully, but these errors were encountered: