rusackas commented on code in PR #40625:
URL: https://github.com/apache/superset/pull/40625#discussion_r3342404085
##########
superset-websocket/src/index.ts:
##########
@@ -378,6 +378,31 @@ export const httpRequest = (
}
};
+/**
+ * Validates the `Origin` header of a WebSocket upgrade request against the
+ * configured `allowedOrigins` list, mitigating Cross-Site WebSocket Hijacking.
+ *
+ * When `allowedOrigins` is empty the check is skipped (preserving existing
+ * behavior); a single `'*'` entry explicitly allows any origin. Otherwise the
+ * request's `Origin` must exactly match one of the configured origins.
+ */
+export const isOriginAllowed = (request: http.IncomingMessage): boolean => {
+ const { allowedOrigins } = opts;
+
+ if (!allowedOrigins || allowedOrigins.length === 0) {
+ return true;
+ }
+ if (allowedOrigins.includes('*')) {
+ return true;
+ }
+
+ const origin = request.headers.origin;
+ if (!origin) {
+ return false;
+ }
+ return allowedOrigins.includes(origin);
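Review bot: The exact-match `allowedOrigins.includes(origin)` on the last line of the hunk is case- and trailing-slash-sensitive, so a configured entry such as `https://Example.com/` (constructed example) never matches the `https://example.com` a browser actually sends, and the handshake is silently rejected rather than surfaced as a misconfiguration. Browsers send the ASCII-serialized origin (lowercase scheme and host, no path, no trailing slash), so the safe place to handle this is once at config load — lowercase each entry, strip a trailing `/`, and reject entries that still carry a path — rather than loosening the comparison in this function. The docstring should also state the consequence of the `!origin` branch, which rejects any request without an `Origin` header (typical of non-browser clients) as soon as a non-wildcard list is configured, e.g. `Requests that carry no Origin header are rejected whenever a non-wildcard list is configured.` The closing of isOriginAllowed lies beyond the end of the hunk.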
Review Comment:
Good catch — `request.headers.origin` is `string | string[] | undefined`, so
I now reject anything that is not a single string (`typeof origin !==
'string'`) before the exact-match comparison. Fixed in 571f4279b3.