From 4013e23312257d79caf4fb5030881d30a62cb618 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=A9ter=20Szil=C3=A1gyi?= Date: Thu, 16 Nov 2017 13:51:06 +0200 Subject: rpc: allow dumb empty requests for AWS health checks --- rpc/http.go | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) (limited to 'rpc') diff --git a/rpc/http.go b/rpc/http.go index 3f572b34c..2ac9f6c37 100644 --- a/rpc/http.go +++ b/rpc/http.go @@ -146,13 +146,17 @@ func NewHTTPServer(cors []string, srv *Server) *http.Server { // ServeHTTP serves JSON-RPC requests over HTTP. func (srv *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) { + // Permit dumb empty requests for remote health-checks (AWS) + if r.Method == "GET" && r.ContentLength == 0 && r.URL.RawQuery == "" { + return + } + // For meaningful requests, validate it's size and content type if r.ContentLength > maxHTTPRequestContentLength { http.Error(w, fmt.Sprintf("content length too large (%d>%d)", r.ContentLength, maxHTTPRequestContentLength), http.StatusRequestEntityTooLarge) return } - ct := r.Header.Get("content-type") mt, _, err := mime.ParseMediaType(ct) if err != nil || mt != "application/json" { @@ -161,14 +165,13 @@ func (srv *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) { http.StatusUnsupportedMediaType) return } - - w.Header().Set("content-type", "application/json") - - // create a codec that reads direct from the request body until - // EOF and writes the response to w and order the server to process - // a single request. + // All checks passed, create a codec that reads direct from the request body + // untilEOF and writes the response to w and order the server to process a + // single request. codec := NewJSONCodec(&httpReadWriteNopCloser{r.Body, w}) defer codec.Close() + + w.Header().Set("content-type", "application/json") srv.ServeSingleRequest(codec, OptionMethodInvocation) } -- cgit v1.2.3 From c5b8569707cabe19f861cb67062c07598aff2aa1 Mon Sep 17 00:00:00 2001 From: Armani Ferrante Date: Fri, 17 Nov 2017 04:07:11 -0800 Subject: rpc: disallow PUT and DELETE on HTTP (#15501) Fixes #15493 --- rpc/http.go | 43 ++++++++++++++++++++++++++++--------------- rpc/http_test.go | 40 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 68 insertions(+), 15 deletions(-) create mode 100644 rpc/http_test.go (limited to 'rpc') diff --git a/rpc/http.go b/rpc/http.go index 2ac9f6c37..68634e3fd 100644 --- a/rpc/http.go +++ b/rpc/http.go @@ -33,6 +33,7 @@ import ( ) const ( + contentType = "application/json" maxHTTPRequestContentLength = 1024 * 128 ) @@ -69,8 +70,8 @@ func DialHTTP(endpoint string) (*Client, error) { if err != nil { return nil, err } - req.Header.Set("Content-Type", "application/json") - req.Header.Set("Accept", "application/json") + req.Header.Set("Content-Type", contentType) + req.Header.Set("Accept", contentType) initctx := context.Background() return newClient(initctx, func(context.Context) (net.Conn, error) { @@ -150,21 +151,11 @@ func (srv *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) { if r.Method == "GET" && r.ContentLength == 0 && r.URL.RawQuery == "" { return } - // For meaningful requests, validate it's size and content type - if r.ContentLength > maxHTTPRequestContentLength { - http.Error(w, - fmt.Sprintf("content length too large (%d>%d)", r.ContentLength, maxHTTPRequestContentLength), - http.StatusRequestEntityTooLarge) - return - } - ct := r.Header.Get("content-type") - mt, _, err := mime.ParseMediaType(ct) - if err != nil || mt != "application/json" { - http.Error(w, - "invalid content type, only application/json is supported", - http.StatusUnsupportedMediaType) + if responseCode, errorMessage := httpErrorResponse(r); responseCode != 0 { + http.Error(w, errorMessage, responseCode) return } + // All checks passed, create a codec that reads direct from the request body // untilEOF and writes the response to w and order the server to process a // single request. @@ -175,6 +166,28 @@ func (srv *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) { srv.ServeSingleRequest(codec, OptionMethodInvocation) } +// Returns a non-zero response code and error message if the request is invalid. +func httpErrorResponse(r *http.Request) (int, string) { + if r.Method == "PUT" || r.Method == "DELETE" { + errorMessage := "method not allowed" + return http.StatusMethodNotAllowed, errorMessage + } + + if r.ContentLength > maxHTTPRequestContentLength { + errorMessage := fmt.Sprintf("content length too large (%d>%d)", r.ContentLength, maxHTTPRequestContentLength) + return http.StatusRequestEntityTooLarge, errorMessage + } + + ct := r.Header.Get("content-type") + mt, _, err := mime.ParseMediaType(ct) + if err != nil || mt != contentType { + errorMessage := fmt.Sprintf("invalid content type, only %s is supported", contentType) + return http.StatusUnsupportedMediaType, errorMessage + } + + return 0, "" +} + func newCorsHandler(srv *Server, allowedOrigins []string) http.Handler { // disable CORS support if user has not specified a custom CORS configuration if len(allowedOrigins) == 0 { diff --git a/rpc/http_test.go b/rpc/http_test.go new file mode 100644 index 000000000..f4afd5216 --- /dev/null +++ b/rpc/http_test.go @@ -0,0 +1,40 @@ +package rpc + +import ( + "net/http" + "net/http/httptest" + "strings" + "testing" +) + +func TestHTTPErrorResponseWithDelete(t *testing.T) { + httpErrorResponseTest(t, "DELETE", contentType, "", http.StatusMethodNotAllowed) +} + +func TestHTTPErrorResponseWithPut(t *testing.T) { + httpErrorResponseTest(t, "PUT", contentType, "", http.StatusMethodNotAllowed) +} + +func TestHTTPErrorResponseWithMaxContentLength(t *testing.T) { + body := make([]rune, maxHTTPRequestContentLength+1, maxHTTPRequestContentLength+1) + httpErrorResponseTest(t, + "POST", contentType, string(body), http.StatusRequestEntityTooLarge) +} + +func TestHTTPErrorResponseWithEmptyContentType(t *testing.T) { + httpErrorResponseTest(t, "POST", "", "", http.StatusUnsupportedMediaType) +} + +func TestHTTPErrorResponseWithValidRequest(t *testing.T) { + httpErrorResponseTest(t, "POST", contentType, "", 0) +} + +func httpErrorResponseTest(t *testing.T, + method, contentType, body string, expectedResponse int) { + + request := httptest.NewRequest(method, "http://url.com", strings.NewReader(body)) + request.Header.Set("content-type", contentType) + if response, _ := httpErrorResponse(request); response != expectedResponse { + t.Fatalf("response code should be %d not %d", expectedResponse, response) + } +} -- cgit v1.2.3 From 3c6b9c5d726e6dda72f469fefd1a37b37a0a1621 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=A9ter=20Szil=C3=A1gyi?= Date: Fri, 17 Nov 2017 14:18:46 +0200 Subject: rpc: minor cleanups to RPC PR --- rpc/http.go | 32 ++++++++++++++------------------ rpc/http_test.go | 34 ++++++++++++++++++++++++---------- 2 files changed, 38 insertions(+), 28 deletions(-) (limited to 'rpc') diff --git a/rpc/http.go b/rpc/http.go index 68634e3fd..5941c0677 100644 --- a/rpc/http.go +++ b/rpc/http.go @@ -20,6 +20,7 @@ import ( "bytes" "context" "encoding/json" + "errors" "fmt" "io" "io/ioutil" @@ -151,41 +152,36 @@ func (srv *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) { if r.Method == "GET" && r.ContentLength == 0 && r.URL.RawQuery == "" { return } - if responseCode, errorMessage := httpErrorResponse(r); responseCode != 0 { - http.Error(w, errorMessage, responseCode) + if code, err := validateRequest(r); err != nil { + http.Error(w, err.Error(), code) return } - // All checks passed, create a codec that reads direct from the request body // untilEOF and writes the response to w and order the server to process a // single request. codec := NewJSONCodec(&httpReadWriteNopCloser{r.Body, w}) defer codec.Close() - w.Header().Set("content-type", "application/json") + w.Header().Set("content-type", contentType) srv.ServeSingleRequest(codec, OptionMethodInvocation) } -// Returns a non-zero response code and error message if the request is invalid. -func httpErrorResponse(r *http.Request) (int, string) { +// validateRequest returns a non-zero response code and error message if the +// request is invalid. +func validateRequest(r *http.Request) (int, error) { if r.Method == "PUT" || r.Method == "DELETE" { - errorMessage := "method not allowed" - return http.StatusMethodNotAllowed, errorMessage + return http.StatusMethodNotAllowed, errors.New("method not allowed") } - if r.ContentLength > maxHTTPRequestContentLength { - errorMessage := fmt.Sprintf("content length too large (%d>%d)", r.ContentLength, maxHTTPRequestContentLength) - return http.StatusRequestEntityTooLarge, errorMessage + err := fmt.Errorf("content length too large (%d>%d)", r.ContentLength, maxHTTPRequestContentLength) + return http.StatusRequestEntityTooLarge, err } - - ct := r.Header.Get("content-type") - mt, _, err := mime.ParseMediaType(ct) + mt, _, err := mime.ParseMediaType(r.Header.Get("content-type")) if err != nil || mt != contentType { - errorMessage := fmt.Sprintf("invalid content type, only %s is supported", contentType) - return http.StatusUnsupportedMediaType, errorMessage + err := fmt.Errorf("invalid content type, only %s is supported", contentType) + return http.StatusUnsupportedMediaType, err } - - return 0, "" + return 0, nil } func newCorsHandler(srv *Server, allowedOrigins []string) http.Handler { diff --git a/rpc/http_test.go b/rpc/http_test.go index f4afd5216..1cb7a7acb 100644 --- a/rpc/http_test.go +++ b/rpc/http_test.go @@ -1,3 +1,19 @@ +// Copyright 2017 The go-ethereum Authors +// This file is part of the go-ethereum library. +// +// The go-ethereum library is free software: you can redistribute it and/or modify +// it under the terms of the GNU Lesser General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// The go-ethereum library is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Lesser General Public License for more details. +// +// You should have received a copy of the GNU Lesser General Public License +// along with the go-ethereum library. If not, see . + package rpc import ( @@ -8,33 +24,31 @@ import ( ) func TestHTTPErrorResponseWithDelete(t *testing.T) { - httpErrorResponseTest(t, "DELETE", contentType, "", http.StatusMethodNotAllowed) + testHTTPErrorResponse(t, "DELETE", contentType, "", http.StatusMethodNotAllowed) } func TestHTTPErrorResponseWithPut(t *testing.T) { - httpErrorResponseTest(t, "PUT", contentType, "", http.StatusMethodNotAllowed) + testHTTPErrorResponse(t, "PUT", contentType, "", http.StatusMethodNotAllowed) } func TestHTTPErrorResponseWithMaxContentLength(t *testing.T) { body := make([]rune, maxHTTPRequestContentLength+1, maxHTTPRequestContentLength+1) - httpErrorResponseTest(t, + testHTTPErrorResponse(t, "POST", contentType, string(body), http.StatusRequestEntityTooLarge) } func TestHTTPErrorResponseWithEmptyContentType(t *testing.T) { - httpErrorResponseTest(t, "POST", "", "", http.StatusUnsupportedMediaType) + testHTTPErrorResponse(t, "POST", "", "", http.StatusUnsupportedMediaType) } func TestHTTPErrorResponseWithValidRequest(t *testing.T) { - httpErrorResponseTest(t, "POST", contentType, "", 0) + testHTTPErrorResponse(t, "POST", contentType, "", 0) } -func httpErrorResponseTest(t *testing.T, - method, contentType, body string, expectedResponse int) { - +func testHTTPErrorResponse(t *testing.T, method, contentType, body string, expected int) { request := httptest.NewRequest(method, "http://url.com", strings.NewReader(body)) request.Header.Set("content-type", contentType) - if response, _ := httpErrorResponse(request); response != expectedResponse { - t.Fatalf("response code should be %d not %d", expectedResponse, response) + if code, _ := validateRequest(request); code != expected { + t.Fatalf("response code should be %d not %d", expected, code) } } -- cgit v1.2.3