added loading whitelisted endpoints from plugins

This commit is contained in:
Kevin Froman 2019-08-14 18:44:29 -05:00
parent e267bbbead
commit 3c6cbca0ac
6 changed files with 36 additions and 19 deletions

View File

@ -1,9 +1,9 @@
'''
"""
Onionr - Private P2P Communication
This file registers plugin's flask blueprints for the client http server
'''
'''
"""
"""
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
@ -16,13 +16,14 @@
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
'''
"""
import onionrplugins
def load_plugin_blueprints(flaskapp, blueprint='flask_blueprint'):
'''Iterate enabled plugins and load any http endpoints they have'''
def load_plugin_blueprints(flaskapp, blueprint: str = 'flask_blueprint'):
"""Iterate enabled plugins and load any http endpoints they have"""
for plugin in onionrplugins.get_enabled_plugins():
plugin = onionrplugins.get_plugin(plugin)
try:
flaskapp.register_blueprint(getattr(plugin, blueprint))
except AttributeError:
pass
pass

View File

@ -20,19 +20,18 @@
import hmac
from flask import Blueprint, request, abort, g
from onionrservices import httpheaders
from . import pluginwhitelist
# Be extremely mindful of this. These are endpoints available without a password
whitelist_endpoints = ('siteapi.site', 'www', 'staticfiles.onionrhome', 'staticfiles.homedata',
'staticfiles.board', 'staticfiles.profiles',
'staticfiles.profilesindex',
'staticfiles.boardContent', 'staticfiles.sharedContent',
'staticfiles.mail', 'staticfiles.mailindex', 'staticfiles.friends', 'staticfiles.friendsindex',
'staticfiles.chat', 'staticfiles.chatIndex')
whitelist_endpoints = ['www', 'staticfiles.homedata', 'staticfiles.sharedContent',
'staticfiles.friends', 'staticfiles.friendsindex', 'siteapi.site', 'staticfiles.onionrhome']
class ClientAPISecurity:
def __init__(self, client_api):
client_api_security_bp = Blueprint('clientapisecurity', __name__)
self.client_api_security_bp = client_api_security_bp
self.client_api = client_api
pluginwhitelist.load_plugin_security_whitelist_endpoints(whitelist_endpoints)
@client_api_security_bp.before_app_request
def validate_request():
@ -40,6 +39,13 @@ class ClientAPISecurity:
# For the purpose of preventing DNS rebinding attacks
if request.host != '%s:%s' % (client_api.host, client_api.bindPort):
abort(403)
# Add shared objects
try:
g.too_many = self.client_api._too_many
except KeyError:
g.too_many = None
if request.endpoint in whitelist_endpoints:
return
try:
@ -49,12 +55,6 @@ class ClientAPISecurity:
except KeyError:
if not hmac.compare_digest(request.form['token'], client_api.clientToken):
abort(403)
# Add shared objects
try:
g.too_many = self.client_api._too_many
except KeyError:
g.too_many = None
@client_api_security_bp.after_app_request
def after_req(resp):

View File

@ -0,0 +1,13 @@
import onionrplugins
def load_plugin_security_whitelist_endpoints(whitelist: list):
"""Accept a list reference of whitelist endpoints from security/client.py and
append plugin's specified endpoints to them by attribute"""
for plugin in onionrplugins.get_enabled_plugins():
try:
plugin = onionrplugins.get_plugin(plugin)
except FileNotFoundError:
continue
try:
whitelist.extend(getattr(plugin, "security_whitelist"))
except AttributeError:
pass

View File

@ -31,6 +31,7 @@ sys.path.insert(0, os.path.dirname(os.path.realpath(__file__)))
import controlapi, peerserver
flask_blueprint = controlapi.flask_blueprint
direct_blueprint = peerserver.direct_blueprint
security_whitelist = ['staticfiles.chat', 'staticfiles.chatIndex']
def exit_with_error(text=''):
if text != '':

View File

@ -30,6 +30,7 @@ import deadsimplekv as simplekv
sys.path.insert(0, os.path.dirname(os.path.realpath(__file__)))
import flowapi # import after path insert
flask_blueprint = flowapi.flask_blueprint
security_whitelist = ['staticfiles.boardContent', 'staticfiles.board']
plugin_name = 'flow'
PLUGIN_VERSION = '0.0.1'

View File

@ -36,6 +36,7 @@ PLUGIN_VERSION = '0.0.1'
sys.path.insert(0, os.path.dirname(os.path.realpath(__file__)))
import sentboxdb, mailapi, loadinbox # import after path insert
flask_blueprint = mailapi.flask_blueprint
security_whitelist = ['staticfiles.mail', 'staticfiles.mailindex']
def add_deleted(keyStore, bHash):
existing = keyStore.get('deleted_mail')