Added API check in requests

master
Kevin 2018-10-26 22:29:25 -05:00
parent 3da06339f6
commit c073020b80
4 changed files with 15 additions and 7 deletions

View File

@ -22,7 +22,7 @@ from flask import request, Response, abort, send_from_directory
from multiprocessing import Process
from gevent.pywsgi import WSGIServer
import sys, random, threading, hmac, hashlib, base64, time, math, os, json
from core import Core
import core
from onionrblockapi import Block
import onionrutils, onionrexceptions, onionrcrypto, blockimporter, onionrevents as events, logger, config
@ -69,7 +69,7 @@ class API:
logger.debug('%s not in %s' % (path, mimetypes))
return 'text/plain'
def __init__(self, debug):
def __init__(self, debug, API_VERSION):
'''
Initialize the api server, preping variables for later use
@ -88,7 +88,7 @@ class API:
self.debug = debug
self._privateDelayTime = 3
self._core = Core()
self._core = core.Core()
self._crypto = onionrcrypto.OnionrCrypto(self._core)
self._utils = onionrutils.OnionrUtils(self._core)
app = flask.Flask(__name__)
@ -133,7 +133,7 @@ class API:
resp.headers["Content-Security-Policy"] = "default-src 'none'; script-src 'none'; object-src 'none'; style-src data: 'unsafe-inline'; img-src data:; media-src 'none'; frame-src 'none'; font-src 'none'; connect-src 'none'"
resp.headers['X-Frame-Options'] = 'deny'
resp.headers['X-Content-Type-Options'] = "nosniff"
resp.headers['server'] = 'Onionr'
resp.headers['api'] = API_VERSION
# reset to text/plain to help prevent browser attacks
self.mimeType = 'text/plain'

View File

@ -30,7 +30,6 @@ import webbrowser
from threading import Thread
import api, core, config, logger, onionrplugins as plugins, onionrevents as events
import onionrutils
from onionrutils import OnionrUtils
from netcontroller import NetController
from onionrblockapi import Block
import onionrproofs, onionrexceptions, onionrusers
@ -98,7 +97,7 @@ class Onionr:
logger.set_level(logger.LEVEL_INFO)
self.onionrCore = core.Core()
self.onionrUtils = OnionrUtils(self.onionrCore)
self.onionrUtils = onionrutils.OnionrUtils(self.onionrCore)
# Handle commands
@ -636,7 +635,7 @@ class Onionr:
'''
communicatorDaemon = './communicator2.py'
apiThread = Thread(target=api.API, args=(self.debug,))
apiThread = Thread(target=api.API, args=(self.debug,API_VERSION))
apiThread.start()
try:
time.sleep(3)

View File

@ -65,6 +65,9 @@ class MissingPort(Exception):
class InvalidAddress(Exception):
pass
class InvalidAPIVersion(Exception):
pass
# file exceptions
class DiskAllocationReached(Exception):

View File

@ -22,6 +22,7 @@ import getpass, sys, requests, os, socket, hashlib, logger, sqlite3, config, bin
import nacl.signing, nacl.encoding
from onionrblockapi import Block
import onionrexceptions
from onionr import API_VERSION
from defusedxml import minidom
import onionrevents
import pgpwords, onionrusers, storagecounter
@ -614,11 +615,16 @@ class OnionrUtils:
try:
proxies = {'http': 'socks4a://127.0.0.1:' + str(port), 'https': 'socks4a://127.0.0.1:' + str(port)}
r = requests.get(url, headers=headers, proxies=proxies, allow_redirects=False, timeout=(15, 30))
# Check server is using same API version as us
if r.headers['api'] != str(API_VERSION):
raise onionrexceptions.InvalidAPIVersion
retData = r.text
except KeyboardInterrupt:
raise KeyboardInterrupt
except ValueError as e:
logger.debug('Failed to make request', error = e)
except onionrexceptions.InvalidAPIVersion:
logger.debug("Node is using different API version :(")
except requests.exceptions.RequestException as e:
if not 'ConnectTimeoutError' in str(e) and not 'Request rejected or failed' in str(e):
logger.debug('Error: %s' % str(e))