Don not use Access-Control-Allow-Origin: * by default

[Gozala]

Version information:

Repo version: 7
System version: amd64/darwin
Golang version: go1.11.1

Type:

• "bug" critical security issue

Description:

From what I can tell by default go-ipfs configures itself such that API/HTTPHeaders/Access-Control-Allow-Origin is set to [*] which exposes users to attacks from arbitrary sites. Given that API can be used to remote control IPFS node and the fact that any site can exploit that to deploy an attack.

Please consider locking this down properly, in fact I would recommend to go as far as ignoring * value even it is set. REST API should really only talk to handful of origins.

You could have one endpoint for requesting access so that arbitrary sites could trigger it. That would allow daemon to prompt user and add origin if user accepts.

[lidel]

I checked default behavior with vanilla docker images and /api/v0/ exposed on API port does not include Access-Control-Allow-Origin: * – which means access to actual API is blocked.

It seems to be present only for /webui → /ipfs/<cidroot> (the only root allowed on API port)

I agree with @Gozala, AFAIK there is no reason to expose webui resources with Access-Control-Allow-Origin: *

Current state of things below:

v0.4.18

$ docker run --rm -it --net=host ipfs/go-ipfs:v0.4.18 

In v0.4.18 Access-Control-Allow-Origin is not present in the default config for API port:

$ curl 'http://127.0.0.1:5001/api/v0/config?arg=API.HTTPHeaders'
{"Key":"API.HTTPHeaders","Value":{}}

Nor is it hardcoded for /api/v0/ responses:

$ curl -s -I -X GET 'http://127.0.0.1:5001/api/v0/version' | grep -i Access-Control-
Access-Control-Allow-Headers: X-Stream-Output, X-Chunked-Output, X-Content-Length
Access-Control-Expose-Headers: X-Stream-Output, X-Chunked-Output, X-Content-Length

But indeed it seems header is hardcoded somewhere for the whitelisted webui path:

$ curl -s -I -X GET 'http://127.0.0.1:5001/ipfs/QmSDgpiHco5yXdyVTfhKxr3aiJ82ynz8V14QcGKicM3rVh/' | grep -i Access-Control-
Access-Control-Allow-Headers: Content-Range, X-Chunked-Output, X-Stream-Output
Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Range, X-Chunked-Output, X-Stream-Output

master (@2019-02-14)

$ docker run --rm -it --net=host ipfs/go-ipfs:master

$ curl -s -I -X GET 'http://127.0.0.1:5001/api/v0/id' | grep -i Access-Control-
Access-Control-Allow-Headers: X-Stream-Output, X-Chunked-Output, X-Content-Length
Access-Control-Expose-Headers: X-Stream-Output, X-Chunked-Output, X-Content-Length

Here behavior changes a bit, probably due to header cleanup done by @Stebalien in #5893,
but * is still present for webui resources:

$ curl -s -I -X GET 'http://127.0.0.1:5001/ipfs/QmSDgpiHco5yXdyVTfhKxr3aiJ82ynz8V14QcGKicM3rVh/' | grep -i Access-Control-                                                                                                ...nion Mfix/remote-wbeui
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Headers: Range
Access-Control-Allow-Headers: User-Agent
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Range
Access-Control-Expose-Headers: X-Chunked-Output
Access-Control-Expose-Headers: X-Stream-Output