From dd93dd78a928a7e374a03066d93da3bb039adbb2 Mon Sep 17 00:00:00 2001
From: Marcin Rataj
Date: Mon, 16 Dec 2019 23:43:40 +0100
Subject: [PATCH] fix: limit SW registration to content root

Introduces hardening proposed in: https://github.com/ipfs/go-ipfs/issues/4025#issuecomment-342250616
License: MIT
Signed-off-by: Marcin Rataj
---
 src/http/gateway/resources/gateway.js | 5 +++++
 test/gateway/index.js | 14 +++++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/src/http/gateway/resources/gateway.js b/src/http/gateway/resources/gateway.js
index e084fc3798..7336a2341f 100644
--- a/src/http/gateway/resources/gateway.js
+++ b/src/http/gateway/resources/gateway.js
@@ -76,6 +76,11 @@ module.exports = {
 // add trailing slash for directories with implicit index.html
 return h.redirect(`${path}/`).permanent(true)
 }
+ if (request.headers['service-worker'] === 'script') {
+ // Disallow Service Worker registration on /ipfs scope
+ // https://github.com/ipfs/go-ipfs/issues/4025
+ if (path.match(/^\/ip[nf]s\/[^/]+$/)) throw Boom.badRequest('navigator.serviceWorker: registration is not allowed for this scope')
+ }
 // Support If-None-Match & Etag (Conditional Requests from RFC7232)
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ETag
diff --git a/test/gateway/index.js b/test/gateway/index.js
index 66a5efb432..416b6c7eec 100644
--- a/test/gateway/index.js
+++ b/test/gateway/index.js
@@ -105,7 +105,7 @@ describe('HTTP Gateway', function () {
 expect(res.headers.suborigin).to.equal(undefined)
 })
- it('400 for request with invalid argument', async () => {
+ it('returns 400 for request with invalid argument', async () => {
 const res = await gateway.inject({
 method: 'GET',
 url: '/ipfs/invalid'
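Review bot: The comment on the added guard in src/http/gateway/resources/gateway.js says only "/ipfs scope", but the regex `/^\/ip[nf]s\/[^/]+$/` rejects `/ipns/<name>` as well, and neither the comment nor the error message says why a root-level script is the problem. I would state the reason in the comment: `// A worker script served directly at /ipfs/<cid> or /ipns/<name> gets /ipfs/ or /ipns/ as its maximum scope and could then control all other content on this origin`. Since only a boolean is needed, `/^\/ip[nf]s\/[^/]+$/.test(path)` reads more directly than `path.match(...)`, and the one-line `if … throw` would be easier to scan with braces. The guard depends on `path` being the pathname without the query string, which the `?filename=sw.js` URL in the new test suggests but this hunk does not show; the handler starts and ends outside the hunk.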
@@ -118,6 +118,18 @@ describe('HTTP Gateway', function () {
 expect(res.headers.suborigin).to.equal(undefined)
 })
+ it('returns 400 for service worker registration outside of an IPFS content root', async () => {
+ const res = await gateway.inject({
+ method: 'GET',
+ url: '/ipfs/QmT78zSuBmuS4z925WZfrqQ1qHaJ56DQaTfyMUF7F8ff5o?filename=sw.js',
+ headers: { 'Service-Worker': 'script' }
+ })
+
+ // Expect 400 Bad Request
+ // https://github.com/ipfs/go-ipfs/issues/4025#issuecomment-342250616
+ expect(res.statusCode).to.equal(400)
+ })
+
 it('valid CIDv0', async () => {
 const res = await gateway.inject({
 method: 'GET',
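Review bot: The new test in test/gateway/index.js asserts only that `res.statusCode` is 400, which the neighbouring test shows the gateway also returns for an invalid path, so it would still pass if the request failed for a reason unrelated to the `Service-Worker` header. Pinning the message as well, e.g. `expect(res.payload).to.include('registration is not allowed for this scope')` (assuming the gateway returns Boom's default payload), would tie the result to the guard. A companion case for a script below a content root (`/ipfs/<cid>/sw.js` with the same header, expected to be served) and one for `/ipns/<name>` would cover both sides of the regex, so a later edit cannot widen or narrow it unnoticed.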