HTTP API: Disallow GET requests on API

This commit upgrades go-ipfs-cmds and configures the commands HTTP API Handler to only allow POST/OPTIONS, disallowing GET and others in the handling of command requests in the IPFS HTTP API (where before every type of request method was handled, with GET/POST/PUT/PATCH being equivalent). The Read-Only commands that the HTTP API attaches to the gateway endpoint will additional handled GET as they did before (but stop handling PUT,DELETEs). By limiting the request types we address the possibility that a website accessed by a browser abuses the IPFS API by issuing GET requests to it which have no Origin or Referrer set, and are thus bypass CORS and CSRF protections. This is a breaking change for clients that relay on GET requests against the HTTP endpoint (usually :5001). Applications integrating on top of the gateway-read-only API should still work (including cross-domain access). Co-Authored-By: Steven Allen <steven@stebalien.com> Co-Authored-By: Marcin Rataj <lidel@lidel.org>
2025-08-06 11:31:54 +08:00 · 2020-04-04 01:55:36 +02:00
parent 11747ff79d
commit 1b490476e5
13 changed files with 38 additions and 33 deletions
--- a/core/corehttp/commands.go
+++ b/core/corehttp/commands.go
@ -117,11 +117,17 @@ func patchCORSVars(c *cmdsHttp.ServerConfig, addr net.Addr) {
 	c.SetAllowedOrigins(newOrigins...)
 }

-func commandsOption(cctx oldcmds.Context, command *cmds.Command) ServeOption {
+func commandsOption(cctx oldcmds.Context, command *cmds.Command, allowGet bool) ServeOption {
 	return func(n *core.IpfsNode, l net.Listener, mux *http.ServeMux) (*http.ServeMux, error) {

 		cfg := cmdsHttp.NewServerConfig()
-		cfg.SetAllowedMethods(http.MethodGet, http.MethodPost, http.MethodPut)
+		cfg.AllowGet = allowGet
+		corsAllowedMethods := []string{http.MethodPost}
+		if allowGet {
+			corsAllowedMethods = append(corsAllowedMethods, http.MethodGet)
+		}
+
+		cfg.SetAllowedMethods(corsAllowedMethods...)
 		cfg.APIPath = APIPath
 		rcfg, err := n.Repo.Config()
 		if err != nil {
@ -140,15 +146,15 @@ func commandsOption(cctx oldcmds.Context, command *cmds.Command) ServeOption {
 }

 // CommandsOption constructs a ServerOption for hooking the commands into the
-// HTTP server.
+// HTTP server. It will NOT allow GET requests.
 func CommandsOption(cctx oldcmds.Context) ServeOption {
-	return commandsOption(cctx, corecommands.Root)
+	return commandsOption(cctx, corecommands.Root, false)
 }

 // CommandsROOption constructs a ServerOption for hooking the read-only commands
-// into the HTTP server.
+// into the HTTP server. It will allow GET requests.
 func CommandsROOption(cctx oldcmds.Context) ServeOption {
-	return commandsOption(cctx, corecommands.RootRO)
+	return commandsOption(cctx, corecommands.RootRO, true)
 }

 // CheckVersionOption returns a ServeOption that checks whether the client ipfs version matches. Does nothing when the user agent string does not contain `/go-ipfs/`