From 81f71b86e8dd20fe0a640a7d97543e8f7022ebd2 Mon Sep 17 00:00:00 2001 From: dengwenjun Date: Mon, 4 Aug 2025 14:50:09 +0800 Subject: [PATCH] =?UTF-8?q?=E8=B0=83=E8=AF=95WebSocket=E8=BF=9E=E6=8E=A5?= =?UTF-8?q?=E5=A2=9E=E5=8A=A0Origin=E5=AD=97=E6=AE=B5=E6=A0=A1=E9=AA=8C?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 在http连接升级为WebSocket连接时,添加对Origin字段的校验,避免被恶意抢占连接 Issue:https://gitee.com/openharmony/arkcompiler_toolchain/issues/ICQX85 Signed-off-by: dengwenjun
---
 websocket/http.cpp | 4 ++++
 websocket/http.h | 1 +
 websocket/test/http_decoder_test.cpp | 26 ++++++++++++++++++++++++--
 3 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/websocket/http.cpp b/websocket/http.cpp
index fb897a8d..888e40b9 100644
--- a/websocket/http.cpp
+++ b/websocket/http.cpp
@@ -62,6 +62,10 @@ bool HttpRequest::Decode(const std::string& request, HttpRequest& parsed)
 return false;
 }
+ if (request.find(ORIGIN) != std::string::npos) {
+ return false;
+ }
+
 parsed.version = DecodeVersion(request, pos);
 parsed.connection = DecodeHeader(request, CONNECTION);
 parsed.upgrade = DecodeHeader(request, UPGRADE);
diff --git a/websocket/http.h b/websocket/http.h
index 8955404f..04efd2d4 100644
--- a/websocket/http.h
+++ b/websocket/http.h
@@ -24,6 +24,7 @@ struct HttpBase {
 static constexpr std::string_view GET = "GET";
 static constexpr std::string_view CONNECTION = "Connection: ";
 static constexpr std::string_view UPGRADE = "Upgrade: ";
+ static constexpr std::string_view ORIGIN = "Origin: ";
 static constexpr std::string_view SEC_WEBSOCKET_ACCEPT = "Sec-WebSocket-Accept: ";
 static constexpr std::string_view SEC_WEBSOCKET_KEY = "Sec-WebSocket-Key: ";
diff --git a/websocket/test/http_decoder_test.cpp b/websocket/test/http_decoder_test.cpp
index 55472dbe..ac111ee6 100644
--- a/websocket/test/http_decoder_test.cpp
+++ b/websocket/test/http_decoder_test.cpp
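Review bot: The new guard in Decode is a plain substring search, so `request.find(ORIGIN)` rejects a request whenever "Origin: " appears anywhere in it — inside another header's value just as much as at a line start — while the same field name spelled in a different case (`origin:`), which HTTP treats as identical, is not rejected at all, so the check both over- and under-matches the header it is meant to detect. Matching the field name at the start of each header line and comparing it without regard to ASCII case would make the guard do what the commit message describes; the rewrite below does that with no new includes, stops at the end of the header block, and compares against `origin:` without the trailing space so a header written without optional whitespace is caught too. It would also help to state the policy in a comment, since the message says 校验 (validate) but the code refuses any request that carries the header rather than checking its value: `// Policy: an upgrade carrying any Origin header is refused outright (per RFC 6455 browser clients always send one); the value is not allow-listed.` Decode starts before and ends after this hunk, so the guard's position relative to the earlier request-line checks is taken from the context lines only.
```cpp
    // … unchanged: request-line checks above …
    // Policy: an upgrade carrying any Origin header is refused outright
    // (per RFC 6455 browser clients always send one); the value is not allow-listed.
    // Header field names are case-insensitive, so compare each line's prefix
    // with ASCII case folded instead of a raw substring search.
    static constexpr std::string_view originName = "origin:";
    for (size_t lineStart = 0; lineStart < request.size();) {
        size_t lineEnd = request.find("\r\n", lineStart);
        if (lineEnd == std::string::npos) {
            lineEnd = request.size();
        }
        if (lineEnd == lineStart) {
            break;  // empty line: end of the header block
        }
        bool isOrigin = (lineEnd - lineStart) >= originName.size();
        for (size_t i = 0; isOrigin && i < originName.size(); ++i) {
            char c = request[lineStart + i];
            if (c >= 'A' && c <= 'Z') {
                c = static_cast<char>(c - 'A' + 'a');
            }
            isOrigin = (c == originName[i]);
        }
        if (isOrigin) {
            return false;
        }
        lineStart = lineEnd + 2;
    }
    // … unchanged: version / header decoding below …
```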
@@ -23,7 +23,7 @@ using namespace OHOS::ArkCompiler::Toolchain;
 namespace panda::test {
 class HttpDecoderTest : public testing::Test {
 public:
- static constexpr std::string_view REQUEST_HEADERS = "GET / HTTP/1.1\r\n"
+ static constexpr std::string_view REQUEST_ORIGIN_HEADERS = "GET / HTTP/1.1\r\n"
 "Host: 127.0.0.1:19015\r\n"
 "Connection: Upgrade\r\n"
 "Pragma: no-cache\r\n"
@@ -36,6 +36,20 @@ public:
 "Accept-Language: en-US,en;q=0.9\r\n"
 "Sec-WebSocket-Key: AyuTxzyBTJJdViDskomT0Q==\r\n"
 "Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits\r\n\r\n";
+ std::string originRequestHeaders = std::string(REQUEST_ORIGIN_HEADERS);
+
+ static constexpr std::string_view REQUEST_HEADERS = "GET / HTTP/1.1\r\n"
+ "Host: 127.0.0.1:19015\r\n"
+ "Connection: Upgrade\r\n"
+ "Pragma: no-cache\r\n"
+ "Cache-Control: no-cache\r\n"
+ "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Chrome/117.0.0.0 Safari/537.36\r\n"
+ "Upgrade: websocket\r\n"
+ "Sec-WebSocket-Version: 13\r\n"
+ "Accept-Encoding: gzip, deflate, br\r\n"
+ "Accept-Language: en-US,en;q=0.9\r\n"
+ "Sec-WebSocket-Key: AyuTxzyBTJJdViDskomT0Q==\r\n"
+ "Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits\r\n\r\n";
 std::string requestHeaders = std::string(REQUEST_HEADERS);
 static constexpr std::string_view ERR_REQUEST_HEADERS = "GEY\r\n";
@@ -63,7 +77,7 @@ public:
 static constexpr std::string_view EXPECTED_SEC_WEBSOCKET_KEY = "AyuTxzyBTJJdViDskomT0Q==";
 };
-HWTEST_F(HttpDecoderTest, TestRequestDecode, testing::ext::TestSize.Level0)
+HWTEST_F(HttpDecoderTest, TestRequestDecode_1, testing::ext::TestSize.Level0)
 {
 HttpRequest parsed;
 auto succeeded = HttpRequest::Decode(requestHeaders, parsed);
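Review bot: The added REQUEST_HEADERS repeats eleven header lines of the renamed REQUEST_ORIGIN_HEADERS verbatim, and nothing in this hunk says which line the two fixtures differ by — the Origin line itself presumably sits in the unchanged part of the class between the first two hunks — so the pair can drift apart without anyone noticing. A one-line comment on each constant would make the intent explicit, e.g. `// Same handshake as REQUEST_ORIGIN_HEADERS minus its Origin line; Decode must accept this one.` on the new constant and `// Carries an Origin line; Decode must refuse it.` on the renamed one. Alternatively the shared tail could be a single constant that both request strings are built from, so that only the differing line is spelled twice. The class definition continues outside the hunk.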
@@ -75,6 +89,14 @@ HWTEST_F(HttpDecoderTest, TestRequestDecode, testing::ext::TestSize.Level0)
 ASSERT_EQ(parsed.secWebSocketKey, EXPECTED_SEC_WEBSOCKET_KEY);
 }
+HWTEST_F(HttpDecoderTest, TestRequestDecode_2, testing::ext::TestSize.Level0)
+{
+ HttpRequest parsed;
+ auto succeeded = HttpRequest::Decode(originRequestHeaders, parsed);
+
+ ASSERT_FALSE(succeeded);
+}
+
 HWTEST_F(HttpDecoderTest, TestAbnormalRequestDecode, testing::ext::TestSize.Level0)
 {
 HttpRequest parsed;
-- Gitee
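Review bot: TestRequestDecode_2 pins only the one spelling of the header that originRequestHeaders happens to use, so the test does not record whether a lowercase `origin:` field name, or the text "Origin: " appearing inside another header's value, is meant to be refused — and since Decode's new check is a case-sensitive `find`, those two inputs currently give opposite answers to the header they resemble. One extra fixture per case (say `originLowercaseRequestHeaders`) with an explicit expected result would make the contract visible here and catch a regression if the check is later tightened. The test also gives no hint of why the request must fail; `// REQUEST_ORIGIN_HEADERS carries an Origin line, which Decode refuses outright` above the assertion would save the reader a trip to the fixture.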