From 9619a610248e9630968ba1d9be8e214b645c9c55 Mon Sep 17 00:00:00 2001 From: ferhat elmas Date: Wed, 8 Nov 2017 11:45:52 +0100 Subject: all: gofmt -w -s (#15419) --- rpc/subscription_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'rpc') diff --git a/rpc/subscription_test.go b/rpc/subscription_test.go index 39f759692..0ba177e63 100644 --- a/rpc/subscription_test.go +++ b/rpc/subscription_test.go @@ -290,7 +290,7 @@ func TestSubscriptionMultipleNamespaces(t *testing.T) { for { done := true - for id, _ := range count { + for id := range count { if count, found := count[id]; !found || count < (2*n) { done = false } -- cgit v1.2.3 From 4fe30bf5ade8849bb3971a0edad95d17d99e8778 Mon Sep 17 00:00:00 2001 From: bas-vk Date: Thu, 9 Nov 2017 10:54:58 +0100 Subject: rpc: check content-type for HTTP requests (#15220) --- rpc/http.go | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'rpc') diff --git a/rpc/http.go b/rpc/http.go index 4143e2a8d..3f572b34c 100644 --- a/rpc/http.go +++ b/rpc/http.go @@ -23,6 +23,7 @@ import ( "fmt" "io" "io/ioutil" + "mime" "net" "net/http" "sync" @@ -151,6 +152,16 @@ func (srv *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) { http.StatusRequestEntityTooLarge) return } + + ct := r.Header.Get("content-type") + mt, _, err := mime.ParseMediaType(ct) + if err != nil || mt != "application/json" { + http.Error(w, + "invalid content type, only application/json is supported", + http.StatusUnsupportedMediaType) + return + } + w.Header().Set("content-type", "application/json") // create a codec that reads direct from the request body until -- cgit v1.2.3 From 3ee86a57f328530707974288e9db87b7c05283f9 Mon Sep 17 00:00:00 2001 From: Benoit Verkindt Date: Fri, 10 Nov 2017 01:22:06 -0800 Subject: rpc: warn on WebSocket origin mismatch (#15451) Fixes #15373 --- rpc/websocket.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'rpc') 
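Review bot: The content-type check added to ServeHTTP has no comment saying what it defends against, so a later cleanup could relax it without noticing. Browsers will send a cross-origin POST with `text/plain` or a form media type without a CORS preflight, so insisting on `application/json` appears to be what forces a page on another origin through the CORS handler before it can reach the RPC methods. I would put `// Require application/json so that cross-origin browser requests need a CORS preflight.` above `ct := r.Header.Get("content-type")`. ServeHTTP starts and ends outside this hunk.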
diff --git a/rpc/websocket.go b/rpc/websocket.go
index 5f9593a43..4214fc86a 100644
--- a/rpc/websocket.go
+++ b/rpc/websocket.go
@@ -83,7 +83,7 @@ func wsHandshakeValidator(allowedOrigins []string) func(*websocket.Config, *http
 if allowAllOrigins || origins.Has(origin) {
 return nil
 }
- log.Debug(fmt.Sprintf("origin '%s' not allowed on WS-RPC interface\n", origin))
+ log.Warn(fmt.Sprintf("origin '%s' not allowed on WS-RPC interface\n", origin))
 return fmt.Errorf("origin %s not allowed", origin)
 }
-- cgit v1.2.3
From 4013e23312257d79caf4fb5030881d30a62cb618 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A9ter=20Szil=C3=A1gyi?=
Date: Thu, 16 Nov 2017 13:51:06 +0200
Subject: rpc: allow dumb empty requests for AWS health checks
---
 rpc/http.go | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
(limited to 'rpc')
diff --git a/rpc/http.go b/rpc/http.go
index 3f572b34c..2ac9f6c37 100644
--- a/rpc/http.go
+++ b/rpc/http.go
@@ -146,13 +146,17 @@ func NewHTTPServer(cors []string, srv *Server) *http.Server {
 // ServeHTTP serves JSON-RPC requests over HTTP.
 func (srv *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+ // Permit dumb empty requests for remote health-checks (AWS)
+ if r.Method == "GET" && r.ContentLength == 0 && r.URL.RawQuery == "" {
+ return
+ }
+ // For meaningful requests, validate it's size and content type
 if r.ContentLength > maxHTTPRequestContentLength {
 http.Error(w,
 fmt.Sprintf("content length too large (%d>%d)", r.ContentLength, maxHTTPRequestContentLength),
 http.StatusRequestEntityTooLarge)
 return
 }
-
 ct := r.Header.Get("content-type")
 mt, _, err := mime.ParseMediaType(ct)
 if err != nil || mt != "application/json" {
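Review bot: `origin` appears to come from the client's handshake request and is written into the log message with `'%s'`, so unless the logger escapes it a peer can put line breaks or control characters into the node's log, and at Warn level the line is presumably shown in default output. Formatting it with `%q` escapes those bytes: `log.Warn(fmt.Sprintf("origin %q not allowed on WS-RPC interface", origin))`; the same applies to `fmt.Errorf("origin %s not allowed", origin)` on the next line. Because any remote peer can trigger this message at will, it is also worth confirming that a flood of rejected handshakes cannot drown out other warnings. The validator function continues outside the hunk.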
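Review bot: The health-check shortcut at the top of ServeHTTP returns before the size and content-type checks and relies on net/http sending an implicit 200 with an empty body, but the comment does not say that nothing is dispatched to the RPC server on this path. I would word it as `// Answer body-less, query-less GETs with an empty 200 for load-balancer health checks; no RPC is dispatched.` so that a later edit does not widen the condition without noticing that it bypasses validation. The next added comment should read `its size`, not `it's size`, and `untilEOF` in the following hunk is missing a space.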
@@ -161,14 +165,13 @@ func (srv *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 http.StatusUnsupportedMediaType)
 return
 }
-
- w.Header().Set("content-type", "application/json")
-
- // create a codec that reads direct from the request body until
- // EOF and writes the response to w and order the server to process
- // a single request.
+ // All checks passed, create a codec that reads direct from the request body
+ // untilEOF and writes the response to w and order the server to process a
+ // single request.
 codec := NewJSONCodec(&httpReadWriteNopCloser{r.Body, w})
 defer codec.Close()
+
+ w.Header().Set("content-type", "application/json")
 srv.ServeSingleRequest(codec, OptionMethodInvocation)
 }
-- cgit v1.2.3
From c5b8569707cabe19f861cb67062c07598aff2aa1 Mon Sep 17 00:00:00 2001
From: Armani Ferrante
Date: Fri, 17 Nov 2017 04:07:11 -0800
Subject: rpc: disallow PUT and DELETE on HTTP (#15501)
Fixes #15493
---
 rpc/http.go | 43 ++++++++++++++++++++++++++++---------------
 rpc/http_test.go | 40 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+), 15 deletions(-)
 create mode 100644 rpc/http_test.go
(limited to 'rpc')
diff --git a/rpc/http.go b/rpc/http.go
index 2ac9f6c37..68634e3fd 100644
--- a/rpc/http.go
+++ b/rpc/http.go
@@ -33,6 +33,7 @@ import (
 )
 const (
+ contentType = "application/json"
 maxHTTPRequestContentLength = 1024 * 128
 )
@@ -69,8 +70,8 @@ func DialHTTP(endpoint string) (*Client, error) {
 if err != nil {
 return nil, err
 }
- req.Header.Set("Content-Type", "application/json")
- req.Header.Set("Accept", "application/json")
+ req.Header.Set("Content-Type", contentType)
+ req.Header.Set("Accept", contentType)
 initctx := context.Background()
 return newClient(initctx, func(context.Context) (net.Conn, error) {
@@ -150,21 +151,11 @@ func (srv *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 if r.Method == "GET" && r.ContentLength == 0 && r.URL.RawQuery == "" {
 return
 }
- // For meaningful requests, validate it's size and content type
- if r.ContentLength > maxHTTPRequestContentLength {
- http.Error(w,
- fmt.Sprintf("content length too large (%d>%d)", r.ContentLength, maxHTTPRequestContentLength),
- http.StatusRequestEntityTooLarge)
- return
- }
- ct := r.Header.Get("content-type")
- mt, _, err := mime.ParseMediaType(ct)
- if err != nil || mt != "application/json" {
- http.Error(w,
- "invalid content type, only application/json is supported",
- http.StatusUnsupportedMediaType)
+ if responseCode, errorMessage := httpErrorResponse(r); responseCode != 0 {
+ http.Error(w, errorMessage, responseCode)
 return
 }
+
 // All checks passed, create a codec that reads direct from the request body
 // untilEOF and writes the response to w and order the server to process a
 // single request.
@@ -175,6 +166,28 @@ func (srv *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 srv.ServeSingleRequest(codec, OptionMethodInvocation)
 }
+// Returns a non-zero response code and error message if the request is invalid.
+func httpErrorResponse(r *http.Request) (int, string) {
+ if r.Method == "PUT" || r.Method == "DELETE" {
+ errorMessage := "method not allowed"
+ return http.StatusMethodNotAllowed, errorMessage
+ }
+
+ if r.ContentLength > maxHTTPRequestContentLength {
+ errorMessage := fmt.Sprintf("content length too large (%d>%d)", r.ContentLength, maxHTTPRequestContentLength)
+ return http.StatusRequestEntityTooLarge, errorMessage
+ }
+
+ ct := r.Header.Get("content-type")
+ mt, _, err := mime.ParseMediaType(ct)
+ if err != nil || mt != contentType {
+ errorMessage := fmt.Sprintf("invalid content type, only %s is supported", contentType)
+ return http.StatusUnsupportedMediaType, errorMessage
+ }
+
+ return 0, ""
+}
+
 func newCorsHandler(srv *Server, allowedOrigins []string) http.Handler {
 // disable CORS support if user has not specified a custom CORS configuration
 if len(allowedOrigins) == 0 {
diff --git a/rpc/http_test.go b/rpc/http_test.go
new file mode 100644
index 000000000..f4afd5216
--- /dev/null
+++ b/rpc/http_test.go
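Review bot: The size limit in httpErrorResponse compares only `r.ContentLength`, which net/http sets to -1 when the client uses chunked transfer encoding, so a request without a declared length passes the check and the codec then reads the body until EOF with no bound. Capping the reader itself closes that gap, for example `r.Body = http.MaxBytesReader(w, r.Body, maxHTTPRequestContentLength)` in ServeHTTP before `NewJSONCodec` is called (that call is in the previous hunk). The header comparison can stay as a cheap early rejection. A test that sends a body with `ContentLength` unset would pin the behaviour.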
@@ -0,0 +1,40 @@
+package rpc
+
+import (
+ "net/http"
+ "net/http/httptest"
+ "strings"
+ "testing"
+)
+
+func TestHTTPErrorResponseWithDelete(t *testing.T) {
+ httpErrorResponseTest(t, "DELETE", contentType, "", http.StatusMethodNotAllowed)
+}
+
+func TestHTTPErrorResponseWithPut(t *testing.T) {
+ httpErrorResponseTest(t, "PUT", contentType, "", http.StatusMethodNotAllowed)
+}
+
+func TestHTTPErrorResponseWithMaxContentLength(t *testing.T) {
+ body := make([]rune, maxHTTPRequestContentLength+1, maxHTTPRequestContentLength+1)
+ httpErrorResponseTest(t,
+ "POST", contentType, string(body), http.StatusRequestEntityTooLarge)
+}
+
+func TestHTTPErrorResponseWithEmptyContentType(t *testing.T) {
+ httpErrorResponseTest(t, "POST", "", "", http.StatusUnsupportedMediaType)
+}
+
+func TestHTTPErrorResponseWithValidRequest(t *testing.T) {
+ httpErrorResponseTest(t, "POST", contentType, "", 0)
+}
+
+func httpErrorResponseTest(t *testing.T,
+ method, contentType, body string, expectedResponse int) {
+
+ request := httptest.NewRequest(method, "http://url.com", strings.NewReader(body))
+ request.Header.Set("content-type", contentType)
+ if response, _ := httpErrorResponse(request); response != expectedResponse {
+ t.Fatalf("response code should be %d not %d", expectedResponse, response)
+ }
+}
-- cgit v1.2.3
From 3c6b9c5d726e6dda72f469fefd1a37b37a0a1621 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A9ter=20Szil=C3=A1gyi?=
Date: Fri, 17 Nov 2017 14:18:46 +0200
Subject: rpc: minor cleanups to RPC PR
---
 rpc/http.go | 32 ++++++++++++++------------------
 rpc/http_test.go | 34 ++++++++++++++++++++++++----------
 2 files changed, 38 insertions(+), 28 deletions(-)
(limited to 'rpc')
diff --git a/rpc/http.go b/rpc/http.go
index 68634e3fd..5941c0677 100644
--- a/rpc/http.go
+++ b/rpc/http.go
@@ -20,6 +20,7 @@ import (
 "bytes"
 "context"
 "encoding/json"
+ "errors"
 "fmt"
 "io"
 "io/ioutil"
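Review bot: The new tests cover a missing content-type but not a wrong one, and the wrong one is the case the check exists for. I would add `httpErrorResponseTest(t, "POST", "text/plain", "", http.StatusUnsupportedMediaType)` and a positive case with a parameter, `httpErrorResponseTest(t, "POST", "application/json; charset=utf-8", "", 0)`, since the code goes through `mime.ParseMediaType` precisely to accept that form. Nothing here exercises the empty-GET shortcut in ServeHTTP either, because the helper calls httpErrorResponse directly.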
@@ -151,41 +152,36 @@ func (srv *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 if r.Method == "GET" && r.ContentLength == 0 && r.URL.RawQuery == "" {
 return
 }
- if responseCode, errorMessage := httpErrorResponse(r); responseCode != 0 {
- http.Error(w, errorMessage, responseCode)
+ if code, err := validateRequest(r); err != nil {
+ http.Error(w, err.Error(), code)
 return
 }
-
 // All checks passed, create a codec that reads direct from the request body
 // untilEOF and writes the response to w and order the server to process a
 // single request.
 codec := NewJSONCodec(&httpReadWriteNopCloser{r.Body, w})
 defer codec.Close()
- w.Header().Set("content-type", "application/json")
+ w.Header().Set("content-type", contentType)
 srv.ServeSingleRequest(codec, OptionMethodInvocation)
 }
-// Returns a non-zero response code and error message if the request is invalid.
-func httpErrorResponse(r *http.Request) (int, string) {
+// validateRequest returns a non-zero response code and error message if the
+// request is invalid.
+func validateRequest(r *http.Request) (int, error) {
 if r.Method == "PUT" || r.Method == "DELETE" {
- errorMessage := "method not allowed"
- return http.StatusMethodNotAllowed, errorMessage
+ return http.StatusMethodNotAllowed, errors.New("method not allowed")
 }
-
 if r.ContentLength > maxHTTPRequestContentLength {
- errorMessage := fmt.Sprintf("content length too large (%d>%d)", r.ContentLength, maxHTTPRequestContentLength)
- return http.StatusRequestEntityTooLarge, errorMessage
+ err := fmt.Errorf("content length too large (%d>%d)", r.ContentLength, maxHTTPRequestContentLength)
+ return http.StatusRequestEntityTooLarge, err
 }
-
- ct := r.Header.Get("content-type")
- mt, _, err := mime.ParseMediaType(ct)
+ mt, _, err := mime.ParseMediaType(r.Header.Get("content-type"))
 if err != nil || mt != contentType {
- errorMessage := fmt.Sprintf("invalid content type, only %s is supported", contentType)
- return http.StatusUnsupportedMediaType, errorMessage
+ err := fmt.Errorf("invalid content type, only %s is supported", contentType)
+ return http.StatusUnsupportedMediaType, err
 }
-
- return 0, ""
+ return 0, nil
 }
 func newCorsHandler(srv *Server, allowedOrigins []string) http.Handler {
diff --git a/rpc/http_test.go b/rpc/http_test.go
index f4afd5216..1cb7a7acb 100644
--- a/rpc/http_test.go
+++ b/rpc/http_test.go
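Review bot: validateRequest rejects only PUT and DELETE, so every other method (PATCH, HEAD, TRACE and anything non-standard) still reaches the content-type check and, with a JSON content type, the codec. An allowlist is shorter and fails closed: `if r.Method != "POST" && r.Method != "GET" { return http.StatusMethodNotAllowed, errors.New("method not allowed") }`, which matches the two methods that `AllowedMethods` in newCorsHandler names. If OPTIONS can reach this handler when no CORS origins are configured, decide explicitly whether it should be answered. The inner `err := fmt.Errorf(...)` declarations also shadow the `err` from `mime.ParseMediaType`; returning the `fmt.Errorf` value directly avoids that.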
@@ -1,3 +1,19 @@
+// Copyright 2017 The go-ethereum Authors
+// This file is part of the go-ethereum library.
+//
+// The go-ethereum library is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Lesser General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// The go-ethereum library is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Lesser General Public License for more details.
+//
+// You should have received a copy of the GNU Lesser General Public License
+// along with the go-ethereum library. If not, see .
+
 package rpc
 import (
@@ -8,33 +24,31 @@ import (
 )
 func TestHTTPErrorResponseWithDelete(t *testing.T) {
- httpErrorResponseTest(t, "DELETE", contentType, "", http.StatusMethodNotAllowed)
+ testHTTPErrorResponse(t, "DELETE", contentType, "", http.StatusMethodNotAllowed)
 }
 func TestHTTPErrorResponseWithPut(t *testing.T) {
- httpErrorResponseTest(t, "PUT", contentType, "", http.StatusMethodNotAllowed)
+ testHTTPErrorResponse(t, "PUT", contentType, "", http.StatusMethodNotAllowed)
 }
 func TestHTTPErrorResponseWithMaxContentLength(t *testing.T) {
 body := make([]rune, maxHTTPRequestContentLength+1, maxHTTPRequestContentLength+1)
- httpErrorResponseTest(t,
+ testHTTPErrorResponse(t,
 "POST", contentType, string(body), http.StatusRequestEntityTooLarge)
 }
 func TestHTTPErrorResponseWithEmptyContentType(t *testing.T) {
- httpErrorResponseTest(t, "POST", "", "", http.StatusUnsupportedMediaType)
+ testHTTPErrorResponse(t, "POST", "", "", http.StatusUnsupportedMediaType)
 }
 func TestHTTPErrorResponseWithValidRequest(t *testing.T) {
- httpErrorResponseTest(t, "POST", contentType, "", 0)
+ testHTTPErrorResponse(t, "POST", contentType, "", 0)
 }
-func httpErrorResponseTest(t *testing.T,
- method, contentType, body string, expectedResponse int) {
-
+func testHTTPErrorResponse(t *testing.T, method, contentType, body string, expected int) {
 request := httptest.NewRequest(method, "http://url.com", strings.NewReader(body))
 request.Header.Set("content-type", contentType)
- if response, _ := httpErrorResponse(request); response != expectedResponse {
- t.Fatalf("response code should be %d not %d", expectedResponse, response)
+ if code, _ := validateRequest(request); code != expected {
+ t.Fatalf("response code should be %d not %d", expected, code)
 }
 }
-- cgit v1.2.3
From 3da1bf8ca18f54d9bd2c8c110854dc071ee3898b Mon Sep 17 00:00:00 2001
From: Zach
Date: Tue, 12 Dec 2017 18:05:47 +0000
Subject: all: use gometalinter.v2, fix new gosimple issues (#15650)
---
 rpc/http_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'rpc')
diff --git a/rpc/http_test.go b/rpc/http_test.go
index 1cb7a7acb..38196b48b 100644
--- a/rpc/http_test.go
+++ b/rpc/http_test.go
@@ -32,7 +32,7 @@ func TestHTTPErrorResponseWithPut(t *testing.T) {
 }
 func TestHTTPErrorResponseWithMaxContentLength(t *testing.T) {
- body := make([]rune, maxHTTPRequestContentLength+1, maxHTTPRequestContentLength+1)
+ body := make([]rune, maxHTTPRequestContentLength+1)
 testHTTPErrorResponse(t,
 "POST", contentType, string(body), http.StatusRequestEntityTooLarge)
 }
-- cgit v1.2.3
From f258a21a63347a43a80d7834beb39f276a328ba6 Mon Sep 17 00:00:00 2001
From: Vitaly V
Date: Tue, 12 Dec 2017 21:12:32 +0300
Subject: rpc: use method constants instead of literal strings (#15652)
---
 rpc/http.go | 8 ++++----
 rpc/http_test.go | 10 +++++-----
 2 files changed, 9 insertions(+), 9 deletions(-)
(limited to 'rpc')
diff --git a/rpc/http.go b/rpc/http.go
index 5941c0677..a26559b12 100644
--- a/rpc/http.go
+++ b/rpc/http.go
@@ -67,7 +67,7 @@ func (hc *httpConn) Close() error {
 // DialHTTP creates a new RPC clients that connection to an RPC server over HTTP.
 func DialHTTP(endpoint string) (*Client, error) {
- req, err := http.NewRequest("POST", endpoint, nil)
+ req, err := http.NewRequest(http.MethodPost, endpoint, nil)
 if err != nil {
 return nil, err
 }
@@ -149,7 +149,7 @@ func NewHTTPServer(cors []string, srv *Server) *http.Server {
 // ServeHTTP serves JSON-RPC requests over HTTP.
 func (srv *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 // Permit dumb empty requests for remote health-checks (AWS)
- if r.Method == "GET" && r.ContentLength == 0 && r.URL.RawQuery == "" {
+ if r.Method == http.MethodGet && r.ContentLength == 0 && r.URL.RawQuery == "" {
 return
 }
 if code, err := validateRequest(r); err != nil {
@@ -169,7 +169,7 @@ func (srv *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 // validateRequest returns a non-zero response code and error message if the
 // request is invalid.
 func validateRequest(r *http.Request) (int, error) {
- if r.Method == "PUT" || r.Method == "DELETE" {
+ if r.Method == http.MethodPut || r.Method == http.MethodDelete {
 return http.StatusMethodNotAllowed, errors.New("method not allowed")
 }
 if r.ContentLength > maxHTTPRequestContentLength {
@@ -192,7 +192,7 @@ func newCorsHandler(srv *Server, allowedOrigins []string) http.Handler {
 c := cors.New(cors.Options{
 AllowedOrigins: allowedOrigins,
- AllowedMethods: []string{"POST", "GET"},
+ AllowedMethods: []string{http.MethodPost, http.MethodGet},
 MaxAge: 600,
 AllowedHeaders: []string{"*"},
 })
diff --git a/rpc/http_test.go b/rpc/http_test.go
index 38196b48b..aed84f683 100644
--- a/rpc/http_test.go
+++ b/rpc/http_test.go
@@ -24,25 +24,25 @@ import (
 )
 func TestHTTPErrorResponseWithDelete(t *testing.T) {
- testHTTPErrorResponse(t, "DELETE", contentType, "", http.StatusMethodNotAllowed)
+ testHTTPErrorResponse(t, http.MethodDelete, contentType, "", http.StatusMethodNotAllowed)
 }
 func TestHTTPErrorResponseWithPut(t *testing.T) {
- testHTTPErrorResponse(t, "PUT", contentType, "", http.StatusMethodNotAllowed)
+ testHTTPErrorResponse(t, http.MethodPut, contentType, "", http.StatusMethodNotAllowed)
 }
 func TestHTTPErrorResponseWithMaxContentLength(t *testing.T) {
 body := make([]rune, maxHTTPRequestContentLength+1)
 testHTTPErrorResponse(t,
- "POST", contentType, string(body), http.StatusRequestEntityTooLarge)
+ http.MethodPost, contentType, string(body), http.StatusRequestEntityTooLarge)
 }
 func TestHTTPErrorResponseWithEmptyContentType(t *testing.T) {
- testHTTPErrorResponse(t, "POST", "", "", http.StatusUnsupportedMediaType)
+ testHTTPErrorResponse(t, http.MethodPost, "", "", http.StatusUnsupportedMediaType)
 }
 func TestHTTPErrorResponseWithValidRequest(t *testing.T) {
- testHTTPErrorResponse(t, "POST", contentType, "", 0)
+ testHTTPErrorResponse(t, http.MethodPost, contentType, "", 0)
 }
 func testHTTPErrorResponse(t *testing.T, method, contentType, body string, expected int) {
-- cgit v1.2.3