Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Adjust filtering logic for secure contexts; improve tests #579

Merged
merged 5 commits into from
Aug 12, 2024
Merged

fix: Adjust filtering logic for secure contexts; improve tests #579

merged 5 commits into from
Aug 12, 2024

Conversation

acul71
Copy link
Contributor

@acul71 acul71 commented Aug 8, 2024
edited
Loading

Title

fix: Update filtering logic to respect secure contexts and enhance related tests

Description

This PR addresses issue #564 by modifying the multiaddr filtering logic in the trustless-gateway module to ensure that allowInsecure: false respects Secure Contexts.

Changes Made:

IP Address Filtering:
Modified the filter to ensure that when allowInsecure is false, a multiaddr with "127.0.0.1" as the IP address will still be considered valid. This addresses the need to handle secure contexts properly even when allowInsecure is disabled.
Domain Filtering:
Adjusted the filter to ensure that when allowInsecure is false, a multiaddr with "localhost" as the domain will be treated as valid.
Updated the filter to handle domains with a parent domain of "localhost", such as example.localhost, foobar.localhost, and *.localhost.

// When allowInsecure is false and allowLocal is true, allow multiaddrs with "127.0.0.1", "localhost", or any subdomain ending with ".localhost"
    if (!allowInsecure && allowLocal) {
      if (ma.toOptions().host === '127.0.0.1' || ma.toOptions().host === 'localhost' || ma.toOptions().host.endsWith('.localhost'))
        return true
    }

Tests Added:

Added tests to verify that the changes work as intended:
IP Address Test: Ensures that "127.0.0.1" is treated correctly when allowInsecure is false.
Domain Test: Verifies that "localhost" and parent domains of "localhost" are handled correctly when allowInsecure is false.
Related: GitHub Issue #564

  it('filterNonHTTPMultiaddrs allows 127.0.0.1 when allowInsecure=false', async function () {
    const localMaddr = uriToMultiaddr('http://127.0.0.1')

    const filtered = filterNonHTTPMultiaddrs([localMaddr], false, true)

    expect(filtered.length).to.deep.equal(1)
  })

  it('filterNonHTTPMultiaddrs allows localhost when allowInsecure=false', async function () {
    const localMaddr = uriToMultiaddr('http://localhost')

    const filtered = filterNonHTTPMultiaddrs([localMaddr], false, true)

    expect(filtered.length).to.deep.equal(1)
  })

  it('filterNonHTTPMultiaddrs allows *.localhost when allowInsecure=false', async function () {
    const localMaddr = uriToMultiaddr('http://example.localhost')

    const filtered = filterNonHTTPMultiaddrs([localMaddr], false, true)

    expect(filtered.length).to.deep.equal(1)
  })

Notes & open questions

None at the moment. The changes have been tested and are working as expected.

Change checklist

  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation if necessary (this includes comments as well)
  • I have added tests that prove my fix is effective or that my feature works

@acul71 acul71 requested a review from a team as a code owner August 8, 2024 11:42
@acul71 acul71 changed the title Fix issue #564: Modify filtering logic and update related tests fix: Update filtering logic to respect secure contexts and enhance related tests Aug 8, 2024
@acul71 acul71 changed the title fix: Update filtering logic to respect secure contexts and enhance related tests fix: Adjust filtering logic for secure contexts; improve tests Aug 8, 2024
@SgtPooki SgtPooki linked an issue Aug 9, 2024 that may be closed by this pull request
allowInsecure: false should respect Secure Contexts #564
Closed
SgtPooki
SgtPooki requested changes Aug 9, 2024
View reviewed changes
Copy link
Member

@SgtPooki SgtPooki left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, one suggested improvement. thanks a ton for throwing this together :)

packages/block-brokers/src/trustless-gateway/utils.ts Outdated Show resolved Hide resolved
@acul71 acul71 requested a review from SgtPooki August 10, 2024 15:58
@SgtPooki SgtPooki merged commit ac4bdb8 into ipfs:main Aug 12, 2024
18 checks passed
@achingbrain achingbrain mentioned this pull request Aug 12, 2024
Merged
@acul71 acul71 deleted the fix-issue-564 branch September 11, 2024 15:14
@SgtPooki SgtPooki mentioned this pull request Sep 24, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SgtPooki SgtPooki SgtPooki approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

allowInsecure: false should respect Secure Contexts
2 participants
@acul71 @SgtPooki