fixed cross-origin security issue

Zergatul · Jul 13, 2022 · b14fe29 · b14fe29
1 parent 99a7518
commit b14fe29
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 3 deletions.
diff --git a/src/Startup.cs b/src/Startup.cs
@@ -1,7 +1,11 @@
 using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting.Server.Features;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Logging;
+using System;
+using System.Linq;
+using System.Net;
 using Zergatul.Obs.InputOverlay.RawInput;
 using Zergatul.Obs.InputOverlay.RawInput.Device;
 using Zergatul.Obs.InputOverlay.XInput;
@@ -26,6 +30,8 @@ public void ConfigureServices(IServiceCollection services)
 
         public void Configure(IApplicationBuilder app, IHostApplicationLifetime hostAppLifetime, IWebSocketHandler handler)
         {
+            string[] addresses = app.ServerFeatures.Get<IServerAddressesFeature>().Addresses.ToArray();
+
             app.UseDefaultFiles();
             app.UseStaticFiles();
             app.UseWebSockets();
@@ -39,9 +45,17 @@ public void Configure(IApplicationBuilder app, IHostApplicationLifetime hostAppL
             {
                 if (context.Request.Path == "/ws" && context.WebSockets.IsWebSocketRequest)
                 {
-                    using (var ws = await context.WebSockets.AcceptWebSocketAsync())
+                    if (addresses.Any(a1 => context.Request.Headers.Origin.Any(a2 => OriginMatch(a1, a2))))
+                    {
+                        using (var ws = await context.WebSockets.AcceptWebSocketAsync())
+                        {
+                            await handler.HandleWebSocket(ws);
+                        }
+                    }
+                    else
                     {
-                        await handler.HandleWebSocket(ws);
+                        // deny requests from other origins
+                        context.Response.StatusCode = (int)HttpStatusCode.Forbidden;
                     }
                 }
                 else
@@ -50,5 +64,12 @@ public void Configure(IApplicationBuilder app, IHostApplicationLifetime hostAppL
                 }
             });
         }
+
+        private bool OriginMatch(string origin1, string origin2)
+        {
+            Uri uri1 = new Uri(origin1);
+            Uri uri2 = new Uri(origin2);
+            return uri1.Scheme == uri2.Scheme && string.Equals(uri1.Host, uri2.Host, StringComparison.OrdinalIgnoreCase) && uri1.Port == uri2.Port;
+        }
     }
 }
diff --git a/src/Zergatul.Obs.InputOverlay.csproj b/src/Zergatul.Obs.InputOverlay.csproj
@@ -7,7 +7,7 @@
     <RootNamespace>Zergatul.Obs.InputOverlay</RootNamespace>
     <Authors>Zergatul</Authors>
     <RuntimeIdentifier>win-x64</RuntimeIdentifier>
-    <Version>2.2.2</Version>
+    <Version>2.2.3</Version>
     <SupportedOSPlatformVersion>7.0</SupportedOSPlatformVersion>
     <StartupObject>Zergatul.Obs.InputOverlay.Program</StartupObject>
     <PackageProjectUrl>https://github.com/Zergatul/Zergatul.Obs.InputOverlay</PackageProjectUrl>