[PS-1152] CLI serve forbid browser requests (#3220)

* Inconsiquential change to allow a draft PR * Serve blocks requests from browsers by default Option is provided to override this behavior for backwards compatibility. * Revert "Inconsiquential change to allow a draft PR" This reverts commit 0f51344c35.
2022-08-05 09:27:11 -06:00 · 2022-08-05 09:27:11 -06:00 · e7220644d1
parent 7526b46bfd
commit e7220644d1
2 changed files with 22 additions and 1 deletions
--- a/apps/cli/src/commands/serve.command.ts
+++ b/apps/cli/src/commands/serve.command.ts
@ -149,14 +149,31 @@ export class ServeCommand {
  }

  async run(options: program.OptionValues) {
+    const protectOrigin = !options.disableOriginProtection;
    const port = options.port || 8087;
    const hostname = options.hostname || "localhost";
+    this.main.logService.info(
+      `Starting server on ${hostname}:${port} with ${
+        protectOrigin ? "origin protection" : "no origin protection"
+      }`
+    );
+
    const server = new koa();
    const router = new koaRouter();
    process.env.BW_SERVE = "true";
    process.env.BW_NOINTERACTION = "true";

-    server.use(koaBodyParser()).use(koaJson({ pretty: false, param: "pretty" }));
+    server
+      .use(async (ctx, next) => {
+        if (protectOrigin && ctx.headers.origin != undefined) {
+          ctx.status = 403;
+          this.main.logService.warning(`Blocking request from ${ctx.headers.origin}`);
+          return;
+        }
+        await next();
+      })
+      .use(koaBodyParser())
+      .use(koaJson({ pretty: false, param: "pretty" }));

    router.get("/generate", async (ctx, next) => {
      const response = await this.generateCommand.run(ctx.request.query);
--- a/apps/cli/src/program.ts
+++ b/apps/cli/src/program.ts
@ -476,6 +476,10 @@ export class Program extends BaseProgram {
        .description("Start a RESTful API webserver.")
        .option("--hostname <hostname>", "The hostname to bind your API webserver to.")
        .option("--port <port>", "The port to run your API webserver on.")
+        .option(
+          "--disable-origin-protection",
+          "If set, allows requests with origin header. Not recommended!"
+        )
        .on("--help", () => {
          writeLn("\n  Notes:");
          writeLn("");