fix: limit SW registration to content root

Introduces hardening proposed in:
ipfs/kubo#4025 (comment)

License: MIT
Signed-off-by: Marcin Rataj <lidel@lidel.org>

src/http/gateway/resources/gateway.js

@@ -76,6 +76,11 @@ module.exports = {
       // add trailing slash for directories with implicit index.html
       return h.redirect(`${path}/`).permanent(true)
     }
+    if (request.headers['service-worker'] === 'script') {
+      // Disallow Service Worker registration on /ipfs scope
+      // https://github.com/ipfs/go-ipfs/issues/4025
+      if (path.match(/^\/ip[nf]s\/[^/]+$/)) throw Boom.badRequest('navigator.serviceWorker: registration is not allowed for this scope')
+    }
 
     // Support If-None-Match & Etag (Conditional Requests from RFC7232)
     // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ETag

test/gateway/index.js

@@ -105,7 +105,7 @@ describe('HTTP Gateway', function () {
     expect(res.headers.suborigin).to.equal(undefined)
   })
 
-  it('400 for request with invalid argument', async () => {
+  it('returns 400 for request with invalid argument', async () => {
     const res = await gateway.inject({
       method: 'GET',
       url: '/ipfs/invalid'
@@ -118,6 +118,18 @@ describe('HTTP Gateway', function () {
     expect(res.headers.suborigin).to.equal(undefined)
   })
 
+  it('returns 400 for service worker registration outside of an IPFS content root', async () => {
+    const res = await gateway.inject({
+      method: 'GET',
+      url: '/ipfs/QmT78zSuBmuS4z925WZfrqQ1qHaJ56DQaTfyMUF7F8ff5o?filename=sw.js',
+      headers: { 'Service-Worker': 'script' }
+    })
+
+    // Expect 400 Bad Request
+    // https://github.com/ipfs/go-ipfs/issues/4025#issuecomment-342250616
+    expect(res.statusCode).to.equal(400)
+  })
+
   it('valid CIDv0', async () => {
     const res = await gateway.inject({
       method: 'GET',