[Vulnerability] Server (socket.io) is possible to be accessed from socket.io client #790

Closed
rxri opened this issue Dec 17, 2021 · 1 comment · Fixed by #791
Labels
security Pull requests that address a security vulnerability


rxri commented Dec 17, 2021

Explanation

Some time ago, there was a fix to allow only the Chrome extension to connect to the server (PreMiD app), but I noticed that I can still access the server by just selecting websocket as the transport. It works on localhost and can be done on websites. It allows receiving and emitting events on the socket. Related to #501

Steps to reproduce

and PreMiD app should open file dialog to "select local presence"

Code to access socket

```javascript
const socket = io("ws://localhost:3020", { transports: ["websocket"] });

socket.on("connect", io => {
  console.log("Sending event getVersion");
  socket.emit("getVersion");
  console.log("Sending event selectLocalPresence");
  socket.emit("selectLocalPresence");
});

socket.on("receiveVersion", version => {
  console.log(`App version: ${version}`);
});

socket.on("discordUser", user => {
  console.log(`Discord user: ${user}`);
});
```

Tested on the latest PreMiD app (2.2.0)

TheDropX added the security label Dec 18, 2021

rxri commented Dec 18, 2021

Fixed CORS, just check if there is an origin header 🤷‍♀️, like before. This code was removed in v2.2.0 for no reason when there was an update to socket.io v3.

```javascript
io = new socketIo.Server(server, {
  serveClient: false,
  allowEIO3: true,
  allowRequest: (req, callback) => {
    const noOriginHeader = req.headers.origin === undefined;
    callback(null, noOriginHeader);
  }
});
```

Fixed in #791
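
As an added example (not code from the issue or from the PreMiD project), the following runs the Origin check from the fix above over constructed handshake requests for both transports, showing that the decision depends only on the Origin header and not on the `transport` the client selects. The `handshake`, `decide` and `audit` helpers, the request URLs and all sample origins are assumptions made for illustration.

```javascript
// Added example, not PreMiD code. The check below repeats the decision from the
// issue's fix; every request object is constructed sample data.
function allowRequest(req, callback) {
  const noOriginHeader = req.headers.origin === undefined;
  callback(null, noOriginHeader);
}

// Build a stand-in for the http.IncomingMessage that the check receives.
// Node lowercases header names, so the Origin header is `headers.origin`.
function handshake(transport, origin) {
  const headers = { host: "localhost:3020" };
  if (origin !== undefined) headers.origin = origin;
  return { method: "GET", url: `/socket.io/?EIO=4&transport=${transport}`, headers };
}

// Run a check synchronously; fail closed on an error or a missing callback.
function decide(check, req) {
  let allowed = false;
  check(req, (err, ok) => { allowed = !err && ok === true; });
  return allowed;
}

// Constructed origins: absent (a client that sends no Origin header), two web
// pages, and the literal string "null" that browsers send for opaque origins.
const ORIGINS = [undefined, "https://example.com", "http://localhost:8080", "null"];
const TRANSPORTS = ["polling", "websocket"];

// Evaluate the check for every transport/origin pair and return the decisions.
function audit(check) {
  const rows = [];
  for (const transport of TRANSPORTS) {
    for (const origin of ORIGINS) {
      const allowed = decide(check, handshake(transport, origin));
      rows.push({ transport, origin: origin ?? "(absent)", allowed });
    }
  }
  return rows;
}

console.table(audit(allowRequest));
```

Only the rows with no Origin header are accepted, for either transport, so any handshake carrying an Origin header is rejected while clients that send none are accepted by design.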
