From a148826b39b4fee043d0f0c48cea54fe1027b764 Mon Sep 17 00:00:00 2001 From: Kevin Froman Date: Wed, 19 Dec 2018 00:06:25 -0600 Subject: [PATCH] work on revising api --- onionr/api.py | 39 ++++++++++++++++++++++++++++++++++++++- onionr/onionrutils.py | 3 +-- 2 files changed, 39 insertions(+), 3 deletions(-) diff --git a/onionr/api.py b/onionr/api.py index 6499b4d3..afe63d82 100755 --- a/onionr/api.py +++ b/onionr/api.py @@ -25,9 +25,11 @@ import core from onionrblockapi import Block import onionrutils, onionrexceptions, onionrcrypto, blockimporter, onionrevents as events, logger, config, onionr +API_VERSION = 0 + def guessMime(path): ''' - Guesses the mime type from the input filename + Guesses the mime type of a file from the input filename ''' mimetypes = { 'html' : 'text/html', @@ -113,10 +115,45 @@ class API: logger.info('Running api on %s:%s' % (self.host, self.bindPort)) self.httpServer = '' + @app.before_request + def validateRequest(): + '''Validate request has set password and is the correct hostname''' + if request.host != '%s:%s' % (self.host, self.bindPort): + abort(403) + try: + if not hmac.compare_digest(request.headers['token'], self.clientToken): + abort(403) + except KeyError: + abort(403) + + @app.after_request + def afterReq(resp): + resp.headers["Content-Security-Policy"] = "default-src 'none'; script-src 'none'; object-src 'none'; style-src data: 'unsafe-inline'; img-src data:; media-src 'none'; frame-src 'none'; font-src 'none'; connect-src 'none'" + resp.headers['X-Frame-Options'] = 'deny' + resp.headers['X-Content-Type-Options'] = "nosniff" + resp.headers['X-API'] = API_VERSION + resp.headers['Server'] = 'nginx' + resp.headers['Date'] = 'Thu, 1 Jan 1970 00:00:00 GMT' # Clock info is probably useful to attackers. Set to unix epoch. + return resp + + @app.route('/ping') + def ping(): + return Respose("pong!") + @app.route('/') def hello(): return Response("hello client") + @app.route('/waitforshare/', methods='post') + def waitforshare(): + assert name.isalnum() + if name in self.publicAPI.hideBlocks: + self.publicAPI.hideBlocks.remove(name) + return Response("removed") + else: + self.publicAPI.hideBlocks.append(name) + return Response("added") + @app.route('/shutdown') def shutdown(): try: diff --git a/onionr/onionrutils.py b/onionr/onionrutils.py index 6c8ba3e4..75fcb7c2 100644 --- a/onionr/onionrutils.py +++ b/onionr/onionrutils.py @@ -167,12 +167,11 @@ class OnionrUtils: if data != '': data = '&data=' + urllib.parse.quote_plus(data) payload = 'http://%s:%s/%s%s' % (hostname, config.get('client.client.port'), command, data) - logger.info(payload) #payload = 'http://%s:%s/client/?action=%s&token=%s&timingToken=%s' % (hostname, config.get('client.client.port'), command, config.get('client.webpassword'), self.timingToken) #if data != '': # payload += '&data=' + urllib.parse.quote_plus(data) try: - retData = requests.get(payload).text + retData = requests.get(payload, headers={'token': config.get('client.webpassword')}).text except Exception as error: if not silent: logger.error('Failed to make local request (command: %s):%s' % (command, error))