archives/snowflake
2
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake.git synced 2025-10-13 20:11:19 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

hardening(proxy): only accept ws & wss relays

Browse source
This commit is contained in:
WofWca 2024-08-30 16:36:32 +04:00 committed by Shelikhoo
parent 14f4c82ff7
commit 0f2bdffba0
No known key found for this signature in database
GPG key ID: 4C9764E9FE80A3DC
2 changed files with 10 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

11
proxy/lib/proxy-go_test.go
View file

@ -537,9 +537,9 @@ func TestUtilityFuncs(t *testing.T) {
{pattern: "$", allowNonTLS: false, targetURL: "wss://1.1.1.1/test?test=test#test", expects: nil}, {pattern: "$", allowNonTLS: false, targetURL: "wss://1.1.1.1/test?test=test#test", expects: nil},
// Weird / invalid / ambiguous URL // Weird / invalid / ambiguous URL
// {pattern: "$", allowNonTLS: true, targetURL: "snowflake.torproject.net", expects: fmt.Errorf("")}, {pattern: "$", allowNonTLS: true, targetURL: "snowflake.torproject.net", expects: fmt.Errorf("")},
// {pattern: "$", allowNonTLS: true, targetURL: "//snowflake.torproject.net", expects: fmt.Errorf("")}, {pattern: "$", allowNonTLS: true, targetURL: "//snowflake.torproject.net", expects: fmt.Errorf("")},
// {pattern: "$", allowNonTLS: true, targetURL: "/path", expects: fmt.Errorf("")}, {pattern: "$", allowNonTLS: true, targetURL: "/path", expects: fmt.Errorf("")},
{pattern: "$", allowNonTLS: true, targetURL: "wss://snowflake.torproject .net", expects: fmt.Errorf("")}, {pattern: "$", allowNonTLS: true, targetURL: "wss://snowflake.torproject .net", expects: fmt.Errorf("")},
{pattern: "$", allowNonTLS: true, targetURL: "wss://😀", expects: nil}, {pattern: "$", allowNonTLS: true, targetURL: "wss://😀", expects: nil},
{pattern: "$", allowNonTLS: true, targetURL: "wss://пример.рф", expects: nil}, {pattern: "$", allowNonTLS: true, targetURL: "wss://пример.рф", expects: nil},
@ -547,9 +547,8 @@ func TestUtilityFuncs(t *testing.T) {
// Non-websocket protocols // Non-websocket protocols
{pattern: "snowflake.torproject.net$", allowNonTLS: false, targetURL: "https://snowflake.torproject.net", expects: fmt.Errorf("")}, {pattern: "snowflake.torproject.net$", allowNonTLS: false, targetURL: "https://snowflake.torproject.net", expects: fmt.Errorf("")},
{pattern: "snowflake.torproject.net$", allowNonTLS: false, targetURL: "ftp://snowflake.torproject.net", expects: fmt.Errorf("")}, {pattern: "snowflake.torproject.net$", allowNonTLS: false, targetURL: "ftp://snowflake.torproject.net", expects: fmt.Errorf("")},
// These are failing for now {pattern: "snowflake.torproject.net$", allowNonTLS: true, targetURL: "https://snowflake.torproject.net", expects: fmt.Errorf("")},
// {pattern: "snowflake.torproject.net$", allowNonTLS: true, targetURL: "https://snowflake.torproject.net", expects: fmt.Errorf("")}, {pattern: "snowflake.torproject.net$", allowNonTLS: true, targetURL: "ftp://snowflake.torproject.net", expects: fmt.Errorf("")},
// {pattern: "snowflake.torproject.net$", allowNonTLS: true, targetURL: "ftp://snowflake.torproject.net", expects: fmt.Errorf("")},
} }
for _, v := range testingVector { for _, v := range testingVector {
err := checkIsRelayURLAcceptable(v.pattern, v.allowNonTLS, v.targetURL) err := checkIsRelayURLAcceptable(v.pattern, v.allowNonTLS, v.targetURL)

5
proxy/lib/snowflake.go
View file

@ -651,6 +651,11 @@ func checkIsRelayURLAcceptable(
if err != nil { if err != nil {
return fmt.Errorf("bad Relay URL %w", err) return fmt.Errorf("bad Relay URL %w", err)
} }
// FYI our websocket library also rejects other protocols
// https://github.com/gorilla/websocket/blob/5e002381133d322c5f1305d171f3bdd07decf229/client.go#L174-L181
if parsedRelayURL.Scheme != "wss" && parsedRelayURL.Scheme != "ws" {
return fmt.Errorf("rejected Relay URL protocol")
}
matcher := namematcher.NewNameMatcher(allowedHostNamePattern) matcher := namematcher.NewNameMatcher(allowedHostNamePattern)
if !matcher.IsMember(parsedRelayURL.Hostname()) || (!allowNonTLSRelay && parsedRelayURL.Scheme != "wss") { if !matcher.IsMember(parsedRelayURL.Hostname()) || (!allowNonTLSRelay && parsedRelayURL.Scheme != "wss") {
return fmt.Errorf("rejected Relay URL") return fmt.Errorf("rejected Relay URL")