Version information:
Repo version: 7
System version: amd64/darwin
Golang version: go1.11.1
Type: "bug" critical security issue
Description:
From what I can tell, by default go-ipfs configures itself such that API/HTTPHeaders/Access-Control-Allow-Origin is set to [*], which exposes users to attacks from arbitrary sites, given that the API can be used to remote control an IPFS node and the fact that any site can exploit that to deploy an attack.
Please consider locking this down properly; in fact, I would recommend going as far as ignoring the * value even if it is set. The REST API should really only talk to a handful of origins.
You could have one endpoint for requesting access so that arbitrary sites could trigger it. That would allow the daemon to prompt the user and add the origin if the user accepts.
Gozala changed the title from "Critical Bug: Do not use Access-Control-Allow-Origin: * by default" to "Do not use Access-Control-Allow-Origin: * by default" on Feb 14, 2019
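A sketch of the allowlist behaviour proposed in the issue above, as an added example that is not part of the thread and is not go-ipfs code: a wrapper that drops a configured * entry and answers only listed origins, plus a probe that reports what a given Origin gets back. The names allowOrigins and probe, the stand-in API handler, and the sample origins are constructed for illustration; letting requests without an Origin header through is an assumption of this sketch.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowOrigins (hypothetical helper) enforces an explicit origin allowlist; a "*" entry is dropped.
func allowOrigins(configured []string, next http.Handler) http.Handler {
	allowed := map[string]bool{}
	for _, o := range configured {
		if o != "*" { // ignore the wildcard even if the config sets it
			allowed[o] = true
		}
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin != "" { // assumption: no Origin header means a non-browser client
			if !allowed[origin] {
				http.Error(w, "origin not allowed", http.StatusForbidden)
				return
			}
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Add("Vary", "Origin")
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one request with the given Origin and returns the status and the CORS header.
func probe(h http.Handler, path, origin string) (int, string) {
	req := httptest.NewRequest(http.MethodPost, path, nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	api := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "{}") })
	h := allowOrigins([]string{"*", "http://127.0.0.1:5001"}, api) // constructed config
	for _, o := range []string{"http://127.0.0.1:5001", "https://other.example", ""} {
		code, acao := probe(h, "/api/v0/id", o)
		fmt.Printf("origin=%q status=%d acao=%q\n", o, code, acao)
	}
}
```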
I checked default behavior with vanilla docker images and /api/v0/ exposed on API port does not include Access-Control-Allow-Origin: * – which means access to actual API is blocked.
It seems to be present only for /webui → /ipfs/<cidroot> (the only root allowed on API port)
I agree with @Gozala, AFAIK there is no reason to expose webui resources with Access-Control-Allow-Origin: *
Current state of things below:
v0.4.18
$ docker run --rm -it --net=host ipfs/go-ipfs:v0.4.18
In v0.4.18 Access-Control-Allow-Origin is not present in the default config for API port: