work on api with debugging and headers

master
Kevin Froman 2017-12-26 23:00:02 -06:00
parent b6e9e2e002
commit a2beb5971b
No known key found for this signature in database
GPG Key ID: 0D414D0FE405B63B
2 changed files with 28 additions and 4 deletions

28
api.py
View File

@ -13,8 +13,8 @@
You should have received a copy of the GNU General Public License You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>. along with this program. If not, see <https://www.gnu.org/licenses/>.
''' '''
from flask import Flask, request import flask
app = Flask(__name__) from flask import request, Response
import configparser, sys, random import configparser, sys, random
''' '''
Main API Main API
@ -23,6 +23,8 @@ class API:
def __init__(self, config, debug): def __init__(self, config, debug):
self.config = config self.config = config
self.debug = debug
app = flask.Flask(__name__)
bindPort = int(self.config['CLIENT']['PORT']) bindPort = int(self.config['CLIENT']['PORT'])
clientToken = self.config['CLIENT']['CLIENT HMAC'] clientToken = self.config['CLIENT']['CLIENT HMAC']
@ -32,10 +34,26 @@ class API:
else: else:
self.host = '127.0.0.1' self.host = '127.0.0.1'
@app.after_request
def afterReq(resp):
resp.headers['Access-Control-Allow-Origin'] = '*'
resp.headers['server'] = 'Onionr'
resp.headers['content-type'] = 'text/plain'
resp.headers["Content-Security-Policy"] = "default-src 'none'"
resp.headers['x-frame-options'] = 'deny'
return resp
@app.route('/client/hello') @app.route('/client/hello')
def hello_world(): def hello_world():
self.validateHost() self.validateHost()
return 'Hello, World!' + request.host resp = Response('Hello, World!' + request.host)
return resp
@app.errorhandler(404)
def notfound(err):
resp = Response("\_(0_0)_/ I got nothin")
resp.headers = getHeaders(resp)
return resp
print('Starting client on ' + self.host + ':' + str(bindPort)) print('Starting client on ' + self.host + ':' + str(bindPort))
print('Client token:', clientToken) print('Client token:', clientToken)
@ -43,6 +61,8 @@ class API:
app.run(host=self.host, port=bindPort, debug=True) app.run(host=self.host, port=bindPort, debug=True)
def validateHost(self): def validateHost(self):
if self.debug:
return
# Validate host header, to protect against DNS rebinding attacks # Validate host header, to protect against DNS rebinding attacks
if request.host != '127.0.0.1:' + str(self.config['CLIENT']['PORT']): if request.host != '127.0.0.1:' + str(self.config['CLIENT']['PORT']):
sys.exit(1) sys.exit(1)
@ -50,4 +70,4 @@ class API:
try: try:
request.headers['x-requested-with'] request.headers['x-requested-with']
except: except:
sys.exit(1) sys.exit(1)

View File

@ -19,13 +19,17 @@ import gui, api
class Onionr: class Onionr:
def __init__(self): def __init__(self):
# Get configuration and Handle commands
self.debug = True # Whole application debugging self.debug = True # Whole application debugging
os.chdir(sys.path[0]) os.chdir(sys.path[0])
# Get configuration
self.config = configparser.ConfigParser() self.config = configparser.ConfigParser()
if os.path.exists('data/config.ini'): if os.path.exists('data/config.ini'):
self.config.read('data/config.ini') self.config.read('data/config.ini')
else: else:
# Generate default config
# Hostname should only be set if different from 127.x.x.x. Important for DNS rebinding attack prevention. # Hostname should only be set if different from 127.x.x.x. Important for DNS rebinding attack prevention.
if debug: if debug:
randomPort = 8080 randomPort = 8080