Many web relay improvements and fixes (#4467, #4456)

This commit is contained in:
Ylian Saint-Hilaire 2022-08-30 17:53:27 -07:00
parent ad7cd67c02
commit 0bf459bb51
4 changed files with 18 additions and 7 deletions

View File

@ -260,6 +260,15 @@ module.exports.CreateWebRelay = function (parent, db, args, domain) {
// Called when we need to close the tunnel because the response stream has closed // Called when we need to close the tunnel because the response stream has closed
function handleResponseClosure() { obj.close(); } function handleResponseClosure() { obj.close(); }
// Return copkie name and values
function parseRequestCookies(cookiesString) {
var r = {};
if (typeof cookiesString != 'string') return r;
var cookieString = cookiesString.split('; ');
for (var i in cookieString) { var j = cookieString[i].indexOf('='); if (j > 0) { r[cookieString[i].substring(0, j)] = cookieString[i].substring(j + 1); } }
return r;
}
// Process a HTTP request // Process a HTTP request
obj.processRequest = function (req, res) { obj.processRequest = function (req, res) {
if (obj.relayActive == false) { console.log("ERROR: Attempt to use an unconnected tunnel"); return false; } if (obj.relayActive == false) { console.log("ERROR: Attempt to use an unconnected tunnel"); return false; }
@ -277,6 +286,8 @@ module.exports.CreateWebRelay = function (parent, db, args, domain) {
for (var i in req.headers) { if (blockedHeaders.indexOf(i) == -1) { request += i + ': ' + req.headers[i] + '\r\n'; } } for (var i in req.headers) { if (blockedHeaders.indexOf(i) == -1) { request += i + ': ' + req.headers[i] + '\r\n'; } }
var cookieStr = ''; var cookieStr = '';
for (var i in parent.webCookies) { if (cookieStr != '') { cookieStr += '; ' } cookieStr += (i + '=' + parent.webCookies[i].value); } for (var i in parent.webCookies) { if (cookieStr != '') { cookieStr += '; ' } cookieStr += (i + '=' + parent.webCookies[i].value); }
var reqCookies = parseRequestCookies(req.headers.cookie);
for (var i in reqCookies) { if ((i != 'xid') && (i != 'xid.sig')) { if (cookieStr != '') { cookieStr += '; ' } cookieStr += (i + '=' + reqCookies[i]); } }
if (cookieStr.length > 0) { request += 'cookie: ' + cookieStr + '\r\n' } // If we have session cookies, set them in the header here if (cookieStr.length > 0) { request += 'cookie: ' + cookieStr + '\r\n' } // If we have session cookies, set them in the header here
request += '\r\n'; request += '\r\n';
@ -677,7 +688,7 @@ module.exports.CreateWebRelay = function (parent, db, args, domain) {
// If there is a header, send it // If there is a header, send it
if (header != null) { if (header != null) {
obj.res.status(parseInt(header.Directive[1])); // Set the status obj.res.status(parseInt(header.Directive[1])); // Set the status
const blockHeaders = ['Directive', 'sec-websocket-extensions', 'connection', 'transfer-encoding']; // We do not forward these headers const blockHeaders = ['Directive', 'sec-websocket-extensions', 'connection', 'transfer-encoding', 'last-modified', 'content-security-policy', 'cache-control']; // We do not forward these headers
for (var i in header) { for (var i in header) {
if (i == 'set-cookie') { if (i == 'set-cookie') {
for (var ii in header[i]) { for (var ii in header[i]) {
@ -704,8 +715,8 @@ module.exports.CreateWebRelay = function (parent, db, args, domain) {
} }
else if (blockHeaders.indexOf(i) == -1) { obj.res.set(i, header[i]); } // Set the headers if not blocked else if (blockHeaders.indexOf(i) == -1) { obj.res.set(i, header[i]); } // Set the headers if not blocked
} }
obj.res.set('Content-Security-Policy', "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:;"); // Set an "allow all" policy, see if the can restrict this in the future obj.res.set('Content-Security-Policy', "default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';"); // Set an "allow all" policy, see if the can restrict this in the future
obj.res.set('Cache-Control', 'no-cache'); // Tell the browser not to cache the responses since since the relay port can be used for many relays obj.res.set('Cache-Control', 'no-store'); // Tell the browser not to cache the responses since since the relay port can be used for many relays
} }
// If there is data, send it // If there is data, send it

View File

@ -3471,7 +3471,7 @@ function CreateMeshCentralServer(config, args) {
obj.decodeCookie = function (cookie, key, timeout) { obj.decodeCookie = function (cookie, key, timeout) {
if (cookie == null) return null; if (cookie == null) return null;
var r = obj.decodeCookieAESGCM(cookie, key, timeout); var r = obj.decodeCookieAESGCM(cookie, key, timeout);
if (r == null) { r = obj.decodeCookieAESSHA(cookie, key, timeout); } if (r === -1) { r = obj.decodeCookieAESSHA(cookie, key, timeout); } // If decodeCookieAESGCM() failed to decode, try decodeCookieAESSHA()
if ((r == null) && (obj.args.cookieencoding == null) && (cookie.length != 64) && ((cookie == cookie.toLowerCase()) || (cookie == cookie.toUpperCase()))) { if ((r == null) && (obj.args.cookieencoding == null) && (cookie.length != 64) && ((cookie == cookie.toLowerCase()) || (cookie == cookie.toUpperCase()))) {
obj.debug('cookie', 'Upper/Lowercase cookie, try "CookieEncoding":"hex" in settings section of config.json.'); obj.debug('cookie', 'Upper/Lowercase cookie, try "CookieEncoding":"hex" in settings section of config.json.');
console.log('Upper/Lowercase cookie, try "CookieEncoding":"hex" in settings section of config.json.'); console.log('Upper/Lowercase cookie, try "CookieEncoding":"hex" in settings section of config.json.');
@ -3523,7 +3523,7 @@ function CreateMeshCentralServer(config, args) {
} }
obj.debug('cookie', 'Decoded AESGCM cookie: ' + JSON.stringify(o)); obj.debug('cookie', 'Decoded AESGCM cookie: ' + JSON.stringify(o));
return o; return o;
} catch (ex) { obj.debug('cookie', 'ERR: Bad AESGCM cookie due to exception: ' + ex); return null; } } catch (ex) { obj.debug('cookie', 'ERR: Bad AESGCM cookie due to exception: ' + ex); return -1; }
}; };
// Decode a cookie back into an object using a key using AES256 / HMAC-SHA384. Return null if it's not a valid cookie. (key must be 80 bytes or more) // Decode a cookie back into an object using a key using AES256 / HMAC-SHA384. Return null if it's not a valid cookie. (key must be 80 bytes or more)

View File

@ -188,7 +188,7 @@ module.exports.CreateWebRelayServer = function (parent, db, args, certificates,
// Decode and check if this relay cookie is valid // Decode and check if this relay cookie is valid
var userid, domainid, domain, nodeid, addr, port, appid, webSessionId, expire; var userid, domainid, domain, nodeid, addr, port, appid, webSessionId, expire;
const urlCookie = obj.parent.decodeCookie(req.query.c, parent.loginCookieEncryptionKey); const urlCookie = obj.parent.decodeCookie(req.query.c, parent.loginCookieEncryptionKey, 32); // Allow cookies up to 32 minutes old. The web page will renew this cookie every 30 minutes.
if (urlCookie == null) { res.sendStatus(404); return; } if (urlCookie == null) { res.sendStatus(404); return; }
// Decode the incomign cookie // Decode the incomign cookie

View File

@ -6574,7 +6574,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
// Decode and check if this relay cookie is valid // Decode and check if this relay cookie is valid
var userid, domainid, domain, nodeid, addr, port, appid, webSessionId, expire; var userid, domainid, domain, nodeid, addr, port, appid, webSessionId, expire;
const urlCookie = obj.parent.decodeCookie(req.query.c, parent.loginCookieEncryptionKey); const urlCookie = obj.parent.decodeCookie(req.query.c, parent.loginCookieEncryptionKey, 32); // Allow cookies up to 32 minutes old. The web page will renew this cookie every 30 minutes.
if (urlCookie == null) { res.sendStatus(404); return; } if (urlCookie == null) { res.sendStatus(404); return; }
// Decode the incomign cookie // Decode the incomign cookie