
Address an issue where a toxiproxy can be used to bypass the Same-Origin Policy in web browsers
JackMc committed Jun 22, 2017
1 parent a9ae929 commit ecec9758b6f34387c783ca924f550bccea9fa12d
Showing with 14 additions and 2 deletions.
  1. +14 −2 api.go
16 api.go
@@ -7,10 +7,11 @@ import (
"net"
"net/http"
"os"
"strings"
"github.com/Shopify/toxiproxy/toxics"
"github.com/sirupsen/logrus"
"github.com/gorilla/mux"
"github.com/sirupsen/logrus"
)
type ApiServer struct {
@@ -46,6 +47,16 @@ func (server *ApiServer) PopulateConfig(filename string) {
}
}
func StopBrowsersMiddleware(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if strings.HasPrefix(r.UserAgent(), "Mozilla/") {
http.Error(w, "User agent not allowed", 403)
} else {
h.ServeHTTP(w, r)
}
})
}
func (server *ApiServer) Listen(host string, port string) {
r := mux.NewRouter()
r.HandleFunc("/reset", server.ResetState).Methods("POST")
@@ -62,7 +73,8 @@ func (server *ApiServer) Listen(host string, port string) {
r.HandleFunc("/proxies/{proxy}/toxics/{toxic}", server.ToxicDelete).Methods("DELETE")
r.HandleFunc("/version", server.Version).Methods("GET")
http.Handle("/", r)
http.Handle("/", StopBrowsersMiddleware(r))
logrus.WithFields(logrus.Fields{
"host": host,
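Review bot: StopBrowsersMiddleware in the second hunk is exported without a doc comment, and what it adds is a User-Agent prefix heuristic, so the comment should state what it does and does not guarantee — a request with an empty User-Agent, or from a client whose agent string does not begin with `Mozilla/`, still reaches the router. Suggested comment: `// StopBrowsersMiddleware returns 403 for requests whose User-Agent begins with "Mozilla/", blocking the common browser-originated cross-site requests the API otherwise accepts; it is a heuristic, not an origin check.` Because browsers attach an Origin header to cross-site fetch/XHR requests while command-line clients do not, a defence-in-depth condition such as `if strings.HasPrefix(r.UserAgent(), "Mozilla/") || r.Header.Get("Origin") != "" {` would cover browsers the prefix misses; this is only a suggestion, since the page does not show which clients call the API. Minor style: prefer `http.StatusForbidden` over the literal `403`, and an early `return` after `http.Error` instead of the `else` branch. The middleware is installed only on the `"/"` entry registered in the third hunk, so any other handler registered on the default mux elsewhere in the program would not be covered — worth confirming outside this diff.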
