hardening(proxy): only accept ws
& wss
relays
This commit is contained in:
parent
14f4c82ff7
commit
0f2bdffba0
2 changed files with 10 additions and 6 deletions
|
@ -537,9 +537,9 @@ func TestUtilityFuncs(t *testing.T) {
|
|||
{pattern: "$", allowNonTLS: false, targetURL: "wss://1.1.1.1/test?test=test#test", expects: nil},
|
||||
|
||||
// Weird / invalid / ambiguous URL
|
||||
// {pattern: "$", allowNonTLS: true, targetURL: "snowflake.torproject.net", expects: fmt.Errorf("")},
|
||||
// {pattern: "$", allowNonTLS: true, targetURL: "//snowflake.torproject.net", expects: fmt.Errorf("")},
|
||||
// {pattern: "$", allowNonTLS: true, targetURL: "/path", expects: fmt.Errorf("")},
|
||||
{pattern: "$", allowNonTLS: true, targetURL: "snowflake.torproject.net", expects: fmt.Errorf("")},
|
||||
{pattern: "$", allowNonTLS: true, targetURL: "//snowflake.torproject.net", expects: fmt.Errorf("")},
|
||||
{pattern: "$", allowNonTLS: true, targetURL: "/path", expects: fmt.Errorf("")},
|
||||
{pattern: "$", allowNonTLS: true, targetURL: "wss://snowflake.torproject .net", expects: fmt.Errorf("")},
|
||||
{pattern: "$", allowNonTLS: true, targetURL: "wss://😀", expects: nil},
|
||||
{pattern: "$", allowNonTLS: true, targetURL: "wss://пример.рф", expects: nil},
|
||||
|
@ -547,9 +547,8 @@ func TestUtilityFuncs(t *testing.T) {
|
|||
// Non-websocket protocols
|
||||
{pattern: "snowflake.torproject.net$", allowNonTLS: false, targetURL: "https://snowflake.torproject.net", expects: fmt.Errorf("")},
|
||||
{pattern: "snowflake.torproject.net$", allowNonTLS: false, targetURL: "ftp://snowflake.torproject.net", expects: fmt.Errorf("")},
|
||||
// These are failing for now
|
||||
// {pattern: "snowflake.torproject.net$", allowNonTLS: true, targetURL: "https://snowflake.torproject.net", expects: fmt.Errorf("")},
|
||||
// {pattern: "snowflake.torproject.net$", allowNonTLS: true, targetURL: "ftp://snowflake.torproject.net", expects: fmt.Errorf("")},
|
||||
{pattern: "snowflake.torproject.net$", allowNonTLS: true, targetURL: "https://snowflake.torproject.net", expects: fmt.Errorf("")},
|
||||
{pattern: "snowflake.torproject.net$", allowNonTLS: true, targetURL: "ftp://snowflake.torproject.net", expects: fmt.Errorf("")},
|
||||
}
|
||||
for _, v := range testingVector {
|
||||
err := checkIsRelayURLAcceptable(v.pattern, v.allowNonTLS, v.targetURL)
|
||||
|
|
|
@ -651,6 +651,11 @@ func checkIsRelayURLAcceptable(
|
|||
if err != nil {
|
||||
return fmt.Errorf("bad Relay URL %w", err)
|
||||
}
|
||||
// FYI our websocket library also rejects other protocols
|
||||
// https://github.com/gorilla/websocket/blob/5e002381133d322c5f1305d171f3bdd07decf229/client.go#L174-L181
|
||||
if parsedRelayURL.Scheme != "wss" && parsedRelayURL.Scheme != "ws" {
|
||||
return fmt.Errorf("rejected Relay URL protocol")
|
||||
}
|
||||
matcher := namematcher.NewNameMatcher(allowedHostNamePattern)
|
||||
if !matcher.IsMember(parsedRelayURL.Hostname()) || (!allowNonTLSRelay && parsedRelayURL.Scheme != "wss") {
|
||||
return fmt.Errorf("rejected Relay URL")
|
||||
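Review bot: The new scheme guard returns a fixed string, `return fmt.Errorf("rejected Relay URL protocol")`, so an operator whose proxy suddenly rejects broker-supplied relay URLs cannot tell from the log which scheme was refused; since the value is already parsed and `%q` quotes it, `return fmt.Errorf("rejected Relay URL protocol %q", parsedRelayURL.Scheme)` gives the diagnostic at no risk. Once this guard is in place the later condition `(!allowNonTLSRelay && parsedRelayURL.Scheme != "wss")` can only ever trigger for `"ws"`, so writing it as `parsedRelayURL.Scheme == "ws"` would make the intent (no plaintext relays unless explicitly allowed) read directly. The comment pointing at the gorilla client pins a specific upstream commit, which is good; it is worth adding that this check is kept here regardless, as a comment like `// kept as a defence in depth so the policy does not depend on the websocket library`. checkIsRelayURLAcceptable begins before this hunk and continues after it.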
|
|